Edit tour

Windows Analysis Report
SoftWare.exe

Overview

General Information

Sample name:	SoftWare.exe
Analysis ID:	1532891
MD5:	495601808baae79851b57369668830dd
SHA1:	f5fdb29cfcb3425474f5e0e128c1f11d3288e5ce
SHA256:	0c90aff3de13a06790b2a690b4f5dcd00ab44e6ed4cb76a0b40829cff4d80471
Tags:	exeuser-4k95m
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SoftWare.exe (PID: 2032 cmdline: "C:\Users\user\Desktop\SoftWare.exe" MD5: 495601808BAAE79851B57369668830DD)

SoftWare.exe (PID: 4900 cmdline: "C:\Users\user\Desktop\SoftWare.exe" MD5: 495601808BAAE79851B57369668830DD)

SoftWare.exe (PID: 3452 cmdline: "C:\Users\user\Desktop\SoftWare.exe" MD5: 495601808BAAE79851B57369668830DD)

WerFault.exe (PID: 4476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1652 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 308 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["ehticsprocw.sbs", "allocatinow.sbs", "drawwyobstacw.sbs", "resinedyw.sbs", "mathcucom.sbs", "vennurviot.sbs", "widdensmoywi.sbs", "condifendteu.sbs", "enlargkiw.sbs"], "Build id": "yau6Na--1285025705"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:00.768182+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49733	172.67.156.197	443	TCP
2024-10-14T05:11:01.739729+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49735	188.114.96.3	443	TCP
2024-10-14T05:11:02.769670+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.33.249	443	TCP
2024-10-14T05:11:03.743429+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49740	172.67.205.156	443	TCP
2024-10-14T05:11:04.676848+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49742	172.67.140.193	443	TCP
2024-10-14T05:11:05.659472+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49744	172.67.173.224	443	TCP
2024-10-14T05:11:06.657691+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49745	104.21.79.35	443	TCP
2024-10-14T05:11:07.617096+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49746	188.114.96.3	443	TCP
2024-10-14T05:11:09.684794+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49749	104.21.53.8	443	TCP
2024-10-14T05:11:10.695109+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49750	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:00.768182+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49733	172.67.156.197	443	TCP
2024-10-14T05:11:01.739729+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49735	188.114.96.3	443	TCP
2024-10-14T05:11:02.769670+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.33.249	443	TCP
2024-10-14T05:11:03.743429+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49740	172.67.205.156	443	TCP
2024-10-14T05:11:04.676848+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49742	172.67.140.193	443	TCP
2024-10-14T05:11:05.659472+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49744	172.67.173.224	443	TCP
2024-10-14T05:11:06.657691+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49745	104.21.79.35	443	TCP
2024-10-14T05:11:07.617096+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49746	188.114.96.3	443	TCP
2024-10-14T05:11:09.684794+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49749	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:10.695109+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49750	104.21.53.8	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:06.212916+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	104.21.79.35	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:07.169602+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.4	49746	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:05.172901+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	172.67.173.224	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:02.261781+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.33.249	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:01.271809+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:03.313522+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	172.67.205.156	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:04.249297+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	172.67.140.193	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:00.295911+0200	2056573	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	172.67.156.197	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:01.746698+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.4	54416	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:05.686620+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.4	61248	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:06.664813+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.4	56986	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:04.678520+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.4	51215	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:01.757026+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.4	58864	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:00.774581+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.4	54534	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:02.773458+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.4	65407	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:03.745002+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.4	59950	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:10:59.689482+0200	2056572	1	Domain Observed Used for C2 Detected	192.168.2.4	61399	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:11:08.918467+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49747	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.SoftWare.exe.2a0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["ehticsprocw.sbs", "allocatinow.sbs", "drawwyobstacw.sbs", "resinedyw.sbs", "mathcucom.sbs", "vennurviot.sbs", "widdensmoywi.sbs", "condifendteu.sbs", "enlargkiw.sbs"], "Build id": "yau6Na--1285025705"}

Multi AV Scanner detection for domain / URL

Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: vennurviot.sbs	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 17%	Perma Link
Source: resinedyw.sbs	Virustotal: Detection: 17%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: widdensmoywi.sbs	Virustotal: Detection: 11%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: https://widdensmoywi.sbs/api	Virustotal: Detection: 11%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: https://vennurviot.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: https://ehticsprocw.sbs/	Virustotal: Detection: 15%	Perma Link
Source: https://sergei-esenin.com:443/api	Virustotal: Detection: 18%	Perma Link
Source: https://drawwyobstacw.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: widdensmoywi.sbs	Virustotal: Detection: 11%	Perma Link
Source: https://resinedyw.sbs/	Virustotal: Detection: 17%	Perma Link
Source: https://sergei-esenin.com/apiD	Virustotal: Detection: 16%	Perma Link
Source: https://mathcucom.sbs/api	Virustotal: Detection: 20%	Perma Link
Source: resinedyw.sbs	Virustotal: Detection: 17%	Perma Link
Source: https://resinedyw.sbs/api	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for submitted file

Source: SoftWare.exe	ReversingLabs: Detection: 42%
Source: SoftWare.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: SoftWare.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: widdensmoywi.sbs
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--1285025705

Source: SoftWare.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.156.197:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: SoftWare.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002B7C3B FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_002B7C3B
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B7B87 FindFirstFileExW,		1_2_002B7B87

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0F9FE973h]	0_2_002F2100
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [eax], bl	0_2_002DC185
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h	0_2_002CC215
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_002FA261
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, eax	0_2_002D8280
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, eax	0_2_002F2290
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+27DA70DAh]	0_2_002F62F8
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	0_2_002F8481
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp-21358888h]	0_2_002D84F0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edi, esi	0_2_002D84F0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_003025E0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+00000404h]	0_2_002FA631
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	0_2_0030E616
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov eax, ebx	0_2_002F2610
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_002FA6B6
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_002D07C0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	0_2_002F4861
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_002FA91B
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+48h]	0_2_002EE910
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_002FA911
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_002F89C0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	0_2_00308AD0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_002F0AC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp ecx	0_2_0030CB60
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-3EFFFBA8h]	0_2_002F2C23
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_0030CD90
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-2Fh]	0_2_00304F30
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp eax	0_2_002EEF70
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_002F8F70
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edi, ecx	0_2_002FAFC8
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov eax, ebx	0_2_00305000
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dword ptr [0044EA1Ch], esi	0_2_002D9044
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx]	0_2_0030D100
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0030F160
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push 754C8FBDh	0_2_002D9199
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_002F73C6
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00307480
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, eax	0_2_002F14D7
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp al, 2Eh	0_2_002F550F
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then lea eax, dword ptr [esp+70h]	0_2_00305500
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi+3Ch]	0_2_002DB5ED
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, ecx	0_2_002F366C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_002EB6A0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_002EB6A0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-48088AD6h]	0_2_0030B69B
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp eax	0_2_002F7751
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push ebx	0_2_003057A5
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], dl	0_2_002F9790
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push ebx	0_2_002E9833
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_002D9859
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3402AD93h]	0_2_0030B93C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h	0_2_0030B93C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4E7D7006h	0_2_0030B9CB
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	0_2_002EBA50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_002F3A90
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dl, 01h	0_2_002F3B13
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	0_2_00305B60
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-00000093h]	0_2_0030FB50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	0_2_002D1BC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	0_2_002FBC41
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	0_2_002F5CF8
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], C274D4CAh	0_2_0030BD1C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, eax	0_2_002F14D7
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_002F9D11
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+ebx-5Ah]	0_2_0030DD45
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	0_2_002FBDC7
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-62528225h]	0_2_002D7DC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp ecx	0_2_0030DDC4
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+373A3ECEh]	0_2_002E9E20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp di, 005Ch	0_2_002E9E20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, eax	0_2_002E9E20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push edi	0_2_0030BE23
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h]	0_2_002F1E60
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, ecx	0_2_002F5F1F
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	0_2_002CBF40
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	0_2_002CBF40
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then lea eax, dword ptr [esp+70h]	2_2_0043A429
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push ebx	2_2_0043A429
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp ecx	2_2_0044162C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-48088AD6h]	2_2_00440730
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3402AD93h]	2_2_004409FC
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h	2_2_004409FC
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4E7D7006h	2_2_00440A8B
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], C274D4CAh	2_2_00440DDC
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-62528225h]	2_2_0040CE80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [eax], bl	2_2_00411048
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	2_2_00401000
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	2_2_00401000
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp eax	2_2_00424030
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042E030
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov eax, ebx	2_2_0043A0C0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00443090
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dword ptr [0044EA1Ch], esi	2_2_0040E104
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx]	2_2_004421C0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push 754C8FBDh	2_2_0040E259
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00444220
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h	2_2_004012D5
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, eax	2_2_0040D340
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	2_2_00429467
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00443430
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, eax	2_2_004264CB
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0042C486
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_0042D541
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_0043C540
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+27DA70DAh]	2_2_0042B525
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp-21358888h]	2_2_0040D5B0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edi, esi	2_2_0040D5B0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0042C486
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov eax, ebx	2_2_004276D0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp al, 2Eh	2_2_0042A68D
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_004376A0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi+3Ch]	2_2_004106AD
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_0042074A
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042074A
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0042F776
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042F776
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edi, ecx	2_2_0042F776
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, ecx	2_2_0042872C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_0042E850
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0042E850
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0042E850
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042E850
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edi, ecx	2_2_0042E850
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp eax	2_2_0042C811
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push ebx	2_2_0041E8F3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405880
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0040E919
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+48h]	2_2_004239D0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042DA80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	2_2_0042AB6E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	2_2_00420B10
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00425B80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+ebx-5Ah]	2_2_00442B80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then jmp ecx	2_2_00442B80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00442B80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	2_2_0043DB90
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-00000093h]	2_2_00444C10
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	2_2_0043AC20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-3EFFFBA8h]	2_2_00427CE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	2_2_00427CE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov dl, 01h	2_2_00427CE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, ecx	2_2_00427CE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	2_2_00406C80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	2_2_00430D01
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_00441E50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+373A3ECEh]	2_2_0041EEE0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp di, 005Ch	2_2_0041EEE0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, eax	2_2_0041EEE0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then push edi	2_2_00440EE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	2_2_00430E87
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00442EA0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h]	2_2_00426F20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0F9FE973h]	2_2_00426F20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov ecx, eax	2_2_00426F20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	2_2_00430FD0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then mov edx, ecx	2_2_0042AFE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-2Fh]	2_2_00439FF0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00442F90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:54416 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs) : 192.168.2.4:61399 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:51215 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:54534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:65407 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:59950 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49744 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2056573 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI) : 192.168.2.4:49733 -> 172.67.156.197:443
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49737 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49745 -> 104.21.79.35:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49742 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49740 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:61248 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:58864 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:56986 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49747 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49750 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49749 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 172.67.156.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.156.197:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49745 -> 104.21.79.35:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49740 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 104.21.79.35:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 172.67.140.193:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs
Source: Malware configuration extractor	URLs: widdensmoywi.sbs
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 104.21.33.249 104.21.33.249
Source: Joe Sandbox View	IP Address: 172.67.173.224 172.67.173.224
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: widdensmoywi.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=eJkD7fdghkY3w75yfrMhybLOU1CqWngT3X8rRbNEPUI-1728875469-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: widdensmoywi.sbs
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: widdensmoywi.sbs

Source: SoftWare.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: SoftWare.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SoftWare.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SoftWare.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: SoftWare.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: SoftWare.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SoftWare.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SoftWare.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SoftWare.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SoftWare.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: SoftWare.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: SoftWare.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SoftWare.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstaticmmD
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.stea
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=eng
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/apiA
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/piLV
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/piTV
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowe
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiD
Source: SoftWare.exe, 00000002.00000002.2277888784.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/q
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/y
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/=m
Source: SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/api
Source: SoftWare.exe, 00000002.00000002.2277888784.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://widdensmoywi.sbs/api
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882349252.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-man
Source: SoftWare.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.156.197:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 2_2_00434BE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434BE0

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 2_2_00434BE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434BE0

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 2_2_00434D70 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00434D70

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D6030	0_2_002D6030
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002AE190	0_2_002AE190
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002CC215	0_2_002CC215
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002CC268	0_2_002CC268
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002EC2A0	0_2_002EC2A0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002F054E	0_2_002F054E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002F2610	0_2_002F2610
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_00304760	0_2_00304760
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002CE820	0_2_002CE820
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D2920	0_2_002D2920
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FA91B	0_2_002FA91B
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002EE910	0_2_002EE910
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FA911	0_2_002FA911
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002F6A90	0_2_002F6A90
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D6B40	0_2_002D6B40
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002F2C23	0_2_002F2C23
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002ECCB0	0_2_002ECCB0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002F4CE0	0_2_002F4CE0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002B2D9D	0_2_002B2D9D
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002B6E51	0_2_002B6E51
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D4F00	0_2_002D4F00
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002F8F70	0_2_002F8F70
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FAFC8	0_2_002FAFC8
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030D100	0_2_0030D100
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030310E	0_2_0030310E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FB266	0_2_002FB266
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002AB25E	0_2_002AB25E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030F280	0_2_0030F280
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002ED3C0	0_2_002ED3C0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030F540	0_2_0030F540
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002BB551	0_2_002BB551
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030D620	0_2_0030D620
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FB668	0_2_002FB668
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_00309840	0_2_00309840
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030F840	0_2_0030F840
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D7890	0_2_002D7890
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A58F5	0_2_002A58F5
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_00303AA7	0_2_00303AA7
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A1AC2	0_2_002A1AC2
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_0030FB50	0_2_0030FB50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D5BA0	0_2_002D5BA0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FDBB0	0_2_002FDBB0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D9BE0	0_2_002D9BE0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_00305CA0	0_2_00305CA0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A1D0A	0_2_002A1D0A
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FBDC7	0_2_002FBDC7
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D7DC0	0_2_002D7DC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002FDDC0	0_2_002FDDC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002E9E20	0_2_002E9E20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002DFE4C	0_2_002DFE4C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002CFF30	0_2_002CFF30
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002D1F00	0_2_002D1F00
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002CBF40	0_2_002CBF40
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002CFFCA	0_2_002CFFCA
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A58F5	1_2_002A58F5
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002AE190	1_2_002AE190
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002AB25E	1_2_002AB25E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A1AC2	1_2_002A1AC2
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B9BCD	1_2_002B9BCD
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A1D0A	1_2_002A1D0A
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002BB551	1_2_002BB551
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B2D9D	1_2_002B2D9D
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B6E51	1_2_002B6E51
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0043A429	2_2_0043A429
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0044162C	2_2_0044162C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00410B70	2_2_00410B70
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0040ECA0	2_2_0040ECA0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0043AD60	2_2_0043AD60
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0040CE80	2_2_0040CE80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00411048	2_2_00411048
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042E030	2_2_0042E030
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0040B0F0	2_2_0040B0F0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00443090	2_2_00443090
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004421C0	2_2_004421C0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004381CE	2_2_004381CE
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004012D5	2_2_004012D5
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00444340	2_2_00444340
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00421360	2_2_00421360
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0041E323	2_2_0041E323
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00401328	2_2_00401328
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00429467	2_2_00429467
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00443430	2_2_00443430
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004264CB	2_2_004264CB
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00422480	2_2_00422480
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042B525	2_2_0042B525
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00444600	2_2_00444600
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042560E	2_2_0042560E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004276D0	2_2_004276D0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004426E0	2_2_004426E0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042A68D	2_2_0042A68D
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042F776	2_2_0042F776
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00430728	2_2_00430728
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042E850	2_2_0042E850
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00439820	2_2_00439820
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042C8D7	2_2_0042C8D7
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004098DE	2_2_004098DE
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004038E0	2_2_004038E0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0040C950	2_2_0040C950
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0043E900	2_2_0043E900
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00444900	2_2_00444900
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004239D0	2_2_004239D0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004079E0	2_2_004079E0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0043A9E0	2_2_0043A9E0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042BB50	2_2_0042BB50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00438B67	2_2_00438B67
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042AB6E	2_2_0042AB6E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00442B80	2_2_00442B80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0040AC60	2_2_0040AC60
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00432C70	2_2_00432C70
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0040BC00	2_2_0040BC00
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00444C10	2_2_00444C10
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00427CE3	2_2_00427CE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00409C8C	2_2_00409C8C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0041DC9E	2_2_0041DC9E
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042CD60	2_2_0042CD60
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00421D70	2_2_00421D70
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00426D28	2_2_00426D28
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00408DC0	2_2_00408DC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00429DA0	2_2_00429DA0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0041EEE0	2_2_0041EEE0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00432E80	2_2_00432E80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00430E87	2_2_00430E87
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00442EA0	2_2_00442EA0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00414F0C	2_2_00414F0C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00426F20	2_2_00426F20
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00406FC0	2_2_00406FC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00409FC0	2_2_00409FC0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00430FD0	2_2_00430FD0
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0042AFE3	2_2_0042AFE3
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00442F90	2_2_00442F90
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00404FA0	2_2_00404FA0

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 0040C740 appears 62 times
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 002B1CFA appears 40 times
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 002A61F0 appears 104 times
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 0040DF80 appears 217 times
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 002AC1A5 appears 42 times
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 002D8EC0 appears 217 times
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: String function: 002D7680 appears 100 times

Source: C:\Users\user\Desktop\SoftWare.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 308

Source: SoftWare.exe

Static PE information: invalid certificate

Source: SoftWare.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SoftWare.exe

Static PE information: Section: .data ZLIB complexity 0.9908951192250373

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/13@11/9

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 2_2_0043A260 CoCreateInstance,

2_2_0043A260

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2032
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3452

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ba35e7c1-66fe-4144-beb0-0fd26fb97b22

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe

Command line argument: @1

1_2_002A1FEA

Source: SoftWare.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SoftWare.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SoftWare.exe	ReversingLabs: Detection: 42%
Source: SoftWare.exe	Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\SoftWare.exe

File read: C:\Users\user\Desktop\SoftWare.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 308
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1652
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1724
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1656
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SoftWare.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SoftWare.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002E4222 push esp; retf	0_2_002E4225
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A570F push ecx; ret	0_2_002A5722
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A1F88 push eax; ret	0_2_002A1FE4
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A570F push ecx; ret	1_2_002A5722
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A1F88 push eax; ret	1_2_002A1FE4
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_0044906E push eax; ret	2_2_00449091
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00449092 push eax; ret	2_2_00449099
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004490A8 push eax; ret	2_2_004490A9
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_004192E2 push esp; retf	2_2_004192E5
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 2_2_00446DF6 push esp; iretd	2_2_00446DF7

Source: C:\Users\user\Desktop\SoftWare.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe

API coverage: 5.2 %

Source: C:\Users\user\Desktop\SoftWare.exe TID: 4248

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002B7C3B FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_002B7C3B
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B7B87 FindFirstFileExW,		1_2_002B7B87

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SoftWare.exe, 00000002.00000002.2277888784.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000002.2277888784.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SoftWare.exe

API call chain: ExitProcess graph end node

graph_2-19952

Source: C:\Users\user\Desktop\SoftWare.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 2_2_004407F0 LdrInitializeThunk,

2_2_004407F0

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 0_2_002ABE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002ABE0F

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002B2B19 mov eax, dword ptr fs:[00000030h]	0_2_002B2B19
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A1FEA mov edi, dword ptr fs:[00000030h]	0_2_002A1FEA
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002B2B5D mov eax, dword ptr fs:[00000030h]	0_2_002B2B5D
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002AF4C6 mov ecx, dword ptr fs:[00000030h]	0_2_002AF4C6
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B2B19 mov eax, dword ptr fs:[00000030h]	1_2_002B2B19
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002B2B5D mov eax, dword ptr fs:[00000030h]	1_2_002B2B5D
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002AF4C6 mov ecx, dword ptr fs:[00000030h]	1_2_002AF4C6
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A1FEA mov edi, dword ptr fs:[00000030h]	1_2_002A1FEA

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 0_2_002BACE2 GetProcessHeap,

0_2_002BACE2

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A6120 SetUnhandledExceptionFilter,	0_2_002A6120
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A5C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002A5C64
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002ABE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002ABE0F
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 0_2_002A5F93 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002A5F93
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A6120 SetUnhandledExceptionFilter,	1_2_002A6120
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A5C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_002A5C64
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002ABE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_002ABE0F
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: 1_2_002A5F93 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_002A5F93

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SoftWare.exe

Memory written: C:\Users\user\Desktop\SoftWare.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SoftWare.exe	String found in binary or memory: drawwyobstacw.sbs
Source: SoftWare.exe	String found in binary or memory: condifendteu.sbs
Source: SoftWare.exe	String found in binary or memory: ehticsprocw.sbs
Source: SoftWare.exe	String found in binary or memory: vennurviot.sbs
Source: SoftWare.exe	String found in binary or memory: resinedyw.sbs
Source: SoftWare.exe	String found in binary or memory: enlargkiw.sbs
Source: SoftWare.exe	String found in binary or memory: allocatinow.sbs
Source: SoftWare.exe	String found in binary or memory: mathcucom.sbs
Source: SoftWare.exe	String found in binary or memory: widdensmoywi.sbs

Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe	Process created: C:\Users\user\Desktop\SoftWare.exe "C:\Users\user\Desktop\SoftWare.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	0_2_002BA3BE
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	0_2_002BA409
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	0_2_002BA4A4
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_002BA52F
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,	0_2_002BA782
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_002BA8AB
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,	0_2_002BA9B1
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_002BAA80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	0_2_002B1A66
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,	0_2_002B1F50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_002BA8AB
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_002BA11C
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,	1_2_002BA9B1
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	1_2_002B1A66
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_002BAA80
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	1_2_002BA3BE
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	1_2_002BA409
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: EnumSystemLocalesW,	1_2_002BA4A4
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_002BA52F
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,	1_2_002B1F50
Source: C:\Users\user\Desktop\SoftWare.exe	Code function: GetLocaleInfoW,	1_2_002BA782

Source: C:\Users\user\Desktop\SoftWare.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe

Code function: 0_2_002A51AF GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_002A51AF

Source: C:\Users\user\Desktop\SoftWare.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SoftWare.exe	42%	ReversingLabs	Win32.Trojan.Lumma
SoftWare.exe	44%	Virustotal		Browse
SoftWare.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
condifendteu.sbs	18%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
vennurviot.sbs	18%	Virustotal	Browse
drawwyobstacw.sbs	18%	Virustotal	Browse
mathcucom.sbs	21%	Virustotal	Browse
ehticsprocw.sbs	16%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse
resinedyw.sbs	18%	Virustotal	Browse
allocatinow.sbs	20%	Virustotal	Browse
widdensmoywi.sbs	11%	Virustotal	Browse
enlargkiw.sbs	18%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://avatars.akamai.steamstatic	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
allocatinow.sbs	20%	Virustotal		Browse
https://sergei-esenin.com/	0%	Virustotal		Browse
enlargkiw.sbs	18%	Virustotal		Browse
https://widdensmoywi.sbs/api	11%	Virustotal		Browse
mathcucom.sbs	21%	Virustotal		Browse
drawwyobstacw.sbs	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	0%	Virustotal		Browse
ehticsprocw.sbs	16%	Virustotal		Browse
https://steamcommunity.com/q	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	0%	Virustotal		Browse
https://vennurviot.sbs/api	18%	Virustotal		Browse
condifendteu.sbs	18%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://ehticsprocw.sbs/	16%	Virustotal		Browse
https://sergei-esenin.com:443/api	19%	Virustotal		Browse
https://drawwyobstacw.sbs/api	18%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://steamcommunity.com/y	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
widdensmoywi.sbs	11%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
https://resinedyw.sbs/	18%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://sergei-esenin.com/apiD	17%	Virustotal		Browse
https://mathcucom.sbs/api	21%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
resinedyw.sbs	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	0%	Virustotal		Browse
https://resinedyw.sbs/api	18%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
condifendteu.sbs	104.21.79.35	true	true	18%, Virustotal, Browse	unknown
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
vennurviot.sbs	172.67.140.193	true	true	18%, Virustotal, Browse	unknown
drawwyobstacw.sbs	188.114.96.3	true	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	188.114.96.3	true	true	21%, Virustotal, Browse	unknown
widdensmoywi.sbs	172.67.156.197	true	true	11%, Virustotal, Browse	unknown
sergei-esenin.com	104.21.53.8	true	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	172.67.173.224	true	true	16%, Virustotal, Browse	unknown
resinedyw.sbs	172.67.205.156	true	true	18%, Virustotal, Browse	unknown
enlargkiw.sbs	104.21.33.249	true	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	true	20%, Virustotal, Browse	unknown
drawwyobstacw.sbs	true	18%, Virustotal, Browse	unknown
https://widdensmoywi.sbs/api	true	11%, Virustotal, Browse	unknown
mathcucom.sbs	true	21%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	true	16%, Virustotal, Browse	unknown
condifendteu.sbs	true	18%, Virustotal, Browse	unknown
https://drawwyobstacw.sbs/api	true	18%, Virustotal, Browse	unknown
widdensmoywi.sbs	true	11%, Virustotal, Browse	unknown
https://resinedyw.sbs/api	true	18%, Virustotal, Browse	unknown
https://mathcucom.sbs/api	true	21%, Virustotal, Browse	unknown
resinedyw.sbs	true	18%, Virustotal, Browse	unknown
vennurviot.sbs	true		unknown
https://condifendteu.sbs/api	true		unknown
https://enlargkiw.sbs/api	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/?subsection=broadcasts	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://vennurviot.sbs/=m	SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/apiA	SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/q	SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.entrust.net/rpa03	SoftWare.exe	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstaticmmD	SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.cloudflare.com/learning/access-man	SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D45000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882349252.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	SoftWare.exe, 00000002.00000002.2277888784.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/	SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	SoftWare.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	SoftWare.exe	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/y	SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/my/wishlist/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	SoftWare.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	SoftWare.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=eng	SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowe	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.stea	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/discussions/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/stats/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiD	SoftWare.exe, 00000002.00000003.1882230031.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/	SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.entrust.net/ts1ca.crl0	SoftWare.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/legal/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/piLV	SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://aia.entrust.net/ts1-chain256.cer01	SoftWare.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/piTV	SoftWare.exe, 00000002.00000003.1842017775.0000000000D56000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000D37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882230031.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe, 00000002.00000003.1882333613.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	SoftWare.exe, 00000002.00000003.1882206888.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true
172.67.156.197	widdensmoywi.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.33.249	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.173.224	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
172.67.205.156	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.140.193	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.79.35	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532891
Start date and time:	2024-10-14 05:09:55 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SoftWare.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/13@11/9
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 75% Number of executed functions: 17 Number of non-executed functions: 186
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SoftWare.exe, PID 4900 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
172.67.156.197	b4314faa0cd6ed058e05ee8c040c40fe.jpg	Get hash	malicious	Phisher	Browse
172.67.156.197	https://ber-subscriptionmmbership.pages.app.br/	Get hash	malicious	Unknown	Browse
104.21.33.249	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse
172.67.173.224	Setup.exe	Get hash	malicious	LummaC	Browse
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
188.114.96.3	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sirr/five/fre.php
	lv961v43L3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	www.airgame.store/ojib/
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/59fb/
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	bX8NyyjOFz.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2uvi/
	lWfpGAu3ao.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/71nl/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/VO2TX
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/fOmsJ2bL/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
vennurviot.sbs	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
steamcommunity.com	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.15503.22039.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
mathcucom.sbs	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
condifendteu.sbs	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.141.136

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
CLOUDFLARENETUS	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	20Listen.eml	Get hash	malicious	HTMLPhisher	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 172.67.156.197 104.21.33.249 172.67.173.224 188.114.96.3 104.102.49.254 172.67.205.156 172.67.140.193 104.21.79.35

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare.exe_221e44084ae96beb4141c7a593e67d6c924a1a6_7a5e3dd0_4959676f-5a9c-498b-bc13-91cb6d451dae\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.010011035041963
Encrypted:	false
SSDEEP:	192:icehv2MF05RLJjGm+5zuiFWZ24IO8C5H:JMm5RLJjIzuiFWY4IO8C5H
MD5:	C72111F0D9BC67D25F421560BFCC05D0
SHA1:	FB664DC508344BBC5A519D87B87E7E150671104E
SHA-256:	08962130091EC9153FA1B1CF0E00D9441D1026398E1F00BD8971C2106BF79FE4
SHA-512:	AFBDCA588256E41C677A4F621224678B068F6626D20AD6381BB15AEB74F8918FB34103ED5977A722BFEC64A9205AD6D50C3902F1427C75A5905FAF3D5B9860DB
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.9.0.7.5.9.3.9.1.7.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.9.0.7.6.3.2.9.8.0.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.5.9.6.7.6.f.-.5.a.9.c.-.4.9.8.b.-.b.c.1.3.-.9.1.c.b.6.d.4.5.1.d.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.7.0.d.7.9.b.-.4.b.f.c.-.4.6.5.1.-.9.9.5.b.-.9.4.3.7.5.a.d.0.5.9.0.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.f.t.W.a.r.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.7.c.-.0.0.0.1.-.0.0.1.4.-.0.c.0.4.-.c.9.b.0.e.6.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.f.a.1.2.7.4.4.3.4.f.b.6.0.5.f.1.9.9.c.8.2.c.a.c.5.b.8.9.6.a.e.0.0.0.0.f.f.f.f.!.0.0.0.0.f.5.f.d.b.2.9.c.f.c.b.3.4.2.5.4.7.4.f.5.e.0.e.1.2.8.c.1.f.1.1.d.3.2.8.8.e.5.c.e.!.S.o.f.t.W.a.r.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare.exe_317646f4c0a3fe5f926530b7a18fc2652ea2_488e1332_88ecd21f-daf3-448f-9220-068fce0f2031\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7184705834848535
Encrypted:	false
SSDEEP:	96:iZkYCFyk+Sos6h6oI7RT6tQXIDcQvc6QcEVcw3cE/H+HbHg/8BRTf3Oy1H3a9/ZV:iKYC7oe0BU/AjuGzuiFWZ24IO8C
MD5:	30C1015FE55290B09EB147CC64F6E717
SHA1:	E409EEB732C5394DE340C57C84899811B32B389D
SHA-256:	665093B2FD74243A295C38DFB41310DB3D9741615B16BBCB583BA454E6D1C19D
SHA-512:	345D5A9D0F59323407A6BECB8B7D05D42A1A519DD2A377D6135968E90782C27601132A2A3B5C16610F80CF1A035164D5E0C538C4E715D58498A49D72F4913D81
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.9.0.5.9.0.2.4.6.3.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.9.0.5.9.3.6.8.3.8.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.e.c.d.2.1.f.-.d.a.f.3.-.4.4.8.f.-.9.2.2.0.-.0.6.8.f.c.e.0.f.2.0.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.5.e.b.9.7.c.-.e.4.b.4.-.4.6.8.1.-.9.a.4.0.-.5.0.f.a.7.4.6.9.9.e.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.f.t.W.a.r.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.f.0.-.0.0.0.1.-.0.0.1.4.-.2.8.b.b.-.c.8.a.f.e.6.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.f.a.1.2.7.4.4.3.4.f.b.6.0.5.f.1.9.9.c.8.2.c.a.c.5.b.8.9.6.a.e.0.0.0.0.f.f.f.f.!.0.0.0.0.f.5.f.d.b.2.9.c.f.c.b.3.4.2.5.4.7.4.f.5.e.0.e.1.2.8.c.1.f.1.1.d.3.2.8.8.e.5.c.e.!.S.o.f.t.W.a.r.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare.exe_df20711a399579ea28ba2fbb49341fd87bf_7a5e3dd0_7c617227-d5ee-429f-92ad-86185f46aecb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0047719620980575
Encrypted:	false
SSDEEP:	96:Pik5FUk+SZs6hRbaSf1QXIDcQzc6rcEqcw3MH+HbHggggS/Yy2rLhOyRxDfQLPFf:Ph5hZw0Nvw4MjGm+5zuiFWZ24IO8/5H
MD5:	43C62C6B7A5A824F00CCBB2927E76817
SHA1:	8655451508BDA2CD7FF0154D3F7C74A3615102FF
SHA-256:	5302771AB96A112A520339BD3E9E573543FA72E1A1F3AD1C444DAFA47CD17754
SHA-512:	0AB378470F86B8608DEC3CB0BDE726A5B0645CC45301E846655D6CC7EB8B560A585CE7A35F6DCDBD57946E601EB899570934A361824BCFEB041C3CE7E9FCE733
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.9.0.7.0.0.5.5.1.5.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.9.0.7.0.6.0.2.0.3.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.6.1.7.2.2.7.-.d.5.e.e.-.4.2.9.f.-.9.2.a.d.-.8.6.1.8.5.f.4.6.a.e.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.0.f.a.c.9.3.-.c.5.a.b.-.4.1.c.b.-.9.5.e.5.-.f.7.e.5.5.8.5.f.0.a.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.o.f.t.W.a.r.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.7.c.-.0.0.0.1.-.0.0.1.4.-.0.c.0.4.-.c.9.b.0.e.6.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.f.a.1.2.7.4.4.3.4.f.b.6.0.5.f.1.9.9.c.8.2.c.a.c.5.b.8.9.6.a.e.0.0.0.0.f.f.f.f.!.0.0.0.0.f.5.f.d.b.2.9.c.f.c.b.3.4.2.5.4.7.4.f.5.e.0.e.1.2.8.c.1.f.1.1.d.3.2.8.8.e.5.c.e.!.S.o.f.t.W.a.r.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB729.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 14 03:10:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42648
Entropy (8bit):	1.7119274872798222
Encrypted:	false
SSDEEP:	96:5g8DFlvfg6XVkFrz36d+daecs0i7X9BT8dqCmVJg1ilqBm6wwJCYn+WIkWIjIIGB:FDbfRS36leaOrSmVJgwlqJS6fn7/M
MD5:	1D945345E53F8A3677B79B9CC2192AC7
SHA1:	67F03F0C5D27DBDB2735D203BC86FC0004CF448D
SHA-256:	40E768310F9D8CD6D4E05448780A850A996D4754033B39B5DD7FDD39DB7D73D8
SHA-512:	C63EC0AC91933F012ABBBEA73D8C9884DAD83A2E53188D17D07D47AD2CCC1A5B4897655F6B9A454242D0083A52690DD3DD6489CDF959A18FBBE4EAD030AB7EB3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........g........................0...........4...n!..........T.......8...........T...........h...0.......................................................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB798.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6909729659467057
Encrypted:	false
SSDEEP:	192:R6l7wVeJFb6Tou6Y9gSU9syVGgmfgvprt89bM2sf7Em:R6lXJ56l6YqSU9syVGgmfgIMVfd
MD5:	C598FD3D45AA1C33EFE9725352752679
SHA1:	7C5340A7E4F3863A27FF38591B481D2A0150A52E
SHA-256:	4923BED6F6D9F1A192F95E1714224B2CE850E9541C3FFD0B7C78B88CF23C8019
SHA-512:	27DF9CFEB8619A7F22A037A460AC9AD042A13DAD76B1A5EB23D0610C35629C40A052AF5E2D7F4C6684EF91DED9C66260D36AE92EA6788381DE0ED6C938C53143
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7E7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4710
Entropy (8bit):	4.466332770612539
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9lSWpW8VYfYm8M4J0SHFfN+q8vp/SNC7Rd:uIjfSI77z7VPJ0cKdMC7Rd
MD5:	4B6DD79A4F4DD81A17EA6E296B250054
SHA1:	45DD97E5E22ACC066C6AA3E6D068AAAB9E184282
SHA-256:	50E8F323D8295D0C268807F5138BBFB418B49EB06D9E07B571A311AA74E96928
SHA-512:	F629DB2066826789CDBD307076EE87A0BDD7A3CD4FEA982F1A82CD30ABF68025F7B489BB66A7674D3D4701D68A33969F3DB6C4B0E6226B9F5B5EB917D0D4E6D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542533" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE240.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 03:11:10 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131294
Entropy (8bit):	1.99039537169292
Encrypted:	false
SSDEEP:	384:of2gZINckBaJyTZS+5t3UvqFiKfUZou5NL1rht0Ve8jL2l9TFCQyjchjZCNwXxV3:oVZ4ckBaJ+UvqFersV1roCWB
MD5:	180BEA255B93163BC412BE68297B1EE5
SHA1:	D072661D167CE2F506395409120429C83B6CD5D6
SHA-256:	7073CAD83E4445AD11AAA64C30FCF9B88B65180AD4336532B1533FBA8D2BF7A0
SHA-512:	A77D7182C8157D3D1F03CD27E60887356CDCCDFD6503FDBE733DBDACFD37792CE00122CE6DA3E45FBBCEFFD73878F136EB81359D4727BF71FE2ED9933083F63A
Malicious:	false
Preview:	MDMP..a..... .........g............................(............"......$...tO..........`.......8...........T...........hC..v............"...........$..............................................................................eJ......`%......GenuineIntel............T.......\|.....g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE399.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6908680376425105
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2v6E6Y1R6jQ+gmfKiCQDpry89bo7sf94m:R6lXJW6E6YT6tgmfKpCoAfn
MD5:	2558F1532A54A7A2A676F943FAF7DCDA
SHA1:	AB500B7682BCAC49F6C086E5C0FC1EFEFA3F4A53
SHA-256:	309D927B8DCCFF468F74E51C1D42B07DD8FB2CCEF8379605A5C32386E9A588C2
SHA-512:	F9844FBFF664905CE3B699045DC9ECAEF85905CB630BF66D4BBCA3FF37BEE3C8A43DE9A7E22D51CD29FA23214BF48EFBB4446590A47C31E7875EA46EA2DF67F3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3C9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.449441467403038
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9lSWpW8VYSYm8M4J0FkFdRb+q8OCSNC7rd:uIjfSI77z7VSJ0AbYMC7rd
MD5:	AF937487E9E0CEF192C9FFFC1A438CB3
SHA1:	1952520FB735C86B31F974DCC7123E6ABFF44C11
SHA-256:	F01CB0BFCF078FD0770969D93F3CCB75F512B98EA144C0A0AE75F56153A29CCE
SHA-512:	1846AC82CA07DD88EBA5D541C110F18602E5EDF9DC6CA8BB3BCA06B0B5CCBA4566B4040FF259CC85908417EBE2B7159C0527A4D9341D7B56961CC42C6DFCFDA0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542533" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF943.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 03:11:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131784
Entropy (8bit):	1.999116963427498
Encrypted:	false
SSDEEP:	384:12gZINtkBbSa9Zrv3+5t3UuDKfUZou5NL1rht0Ve8jLdlsjNCgHOPJvIXpitD++S:DZ4tkB+irzuzrsV1zPFQiA+8O
MD5:	5D02B5FDE900EB93AB83536019CAA8A7
SHA1:	08538453E6E01F6DB6987FD4D8F53CE5C009824A
SHA-256:	A833E9E3D563FA5D13F2E1AB5A358002AD4211343FF3D1462D40AB5FCEF663F2
SHA-512:	52B7F8CABC08CAFFE741FD8B31E6EEB5E7BEE0CA3134D5F7AB6EDA429DB8122E9F2088DC77302019B99167CF68A541395DDAAD82EB251F9E7DD53C67923171AB
Malicious:	false
Preview:	MDMP..a..... .........g............................(............"......4...tO..........`.......8...........T............D..............."...........$..............................................................................eJ......`%......GenuineIntel............T.......\|.....g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9C1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.6850572864970244
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2O6k6Y1R6jQ+gmf3JPdpDa89b+7sfFyvNqm:R6lXJH6k6Yz6tgmf3JPr+AfFi
MD5:	2964FB53C40B2D02C9CFA50D20EE2F9C
SHA1:	02F3DBFB989F0D26EF2BD2D050DAE67202DE300C
SHA-256:	7C48081F26842ECBB3A4B73931287DD3AE63A49D41C6A69C01D7181778D159AA
SHA-512:	19791D7E92D07B13DDF727181B504A9000203B7F276DC8AD4CC3929E36A2450A6025CBBD320ABD440266F4A52ECE7977D1B8BD3BBAF4DFB2E6950497257DEF58
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4676
Entropy (8bit):	4.429958996461
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUJg77aI9lSWpW8VY9rYm8M4J0FhFT+q8vKvSNC7rd:uIjfSI77z7VEuJ0ZKaMC7rd
MD5:	E7FF99D894BA85B72BBDB88BEDE92610
SHA1:	00BC2A2867B8D31928D5BDA96F1D9758824FA10B
SHA-256:	52F746C4FA1A21B1474B7553126499D3CB77E7835A0F925F803845E8979DC58B
SHA-512:	3219A15B4FAF07CE3174211534A8CC0EDE3DBCEE573BEFE9830F0E6068D03A6996E471F90B1D14303927D583112DCD6CBEDD8782F3DB1BA92BA6B6711F47DB27
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542533" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465427588703319
Encrypted:	false
SSDEEP:	6144:rIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNtdwBCswSb1:sXD94+WlLZMM6YFHf+1
MD5:	4A48AFF223B642CACDF6E63BCA73C3C9
SHA1:	26F2F838EBD6AABA0879E18657883E20AA36F127
SHA-256:	E64D29A629B7E8893E18C3C3631E600F70146081ACEE0C6A41013E29BD8E45B2
SHA-512:	4E6F260B15AB10F9C6E5043FA7DB993E69BBB5FA2911B384AFD8333D98C8FC740C97297D20F02D3983CA7198D6C5E80AEEB2AF95E07D226F17682AE3CA469BED
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*;+.................................................................................................................................................................................................................................................................................................................................................j.<.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.712785230290992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SoftWare.exe
File size:	532'008 bytes
MD5:	495601808baae79851b57369668830dd
SHA1:	f5fdb29cfcb3425474f5e0e128c1f11d3288e5ce
SHA256:	0c90aff3de13a06790b2a690b4f5dcd00ab44e6ed4cb76a0b40829cff4d80471
SHA512:	caf75e0cccaac35d1c32df0d7ab3bbebf483607512f4ca347088a7b7a9a2dbdfabff477fd0582ae2f892d3483e4d49c8b1449593a620782fe13df1fcca199772
SSDEEP:	12288:cTZU3zYlTRintF9Z6TS6g3K53gmuNdE/hK0Y5e74OEO:cFU3z+etnuC65wZr8Y5UTt
TLSH:	A5B4F11175C1C032D563293246E4EA75AE7EBC720E625EDFA3944FBE4F342819331AA7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..o!..<!..<!..<...=-..<...=...<...=4..<1M.=4..<1M.=3..<...=$..<!..<Z..<1M.=u..<iL.= ..<iL.= ..<Rich!..<................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4054b4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C1AAE [Sun Oct 13 19:08:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b7ebfc2ac31d5223dc33b9386c1e726b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007F52A085600Fh
jmp 00007F52A085546Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F52A085560Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F52A08555FCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F52A08555FEh
add edx, 28h
cmp edx, esi
jne 00007F52A08555DCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F52A08555EBh
push esi
call 00007F52A0856322h
test eax, eax
je 00007F52A0855612h
mov eax, dword ptr fs:[00000018h]
mov esi, 0047F15Ch
mov edx, dword ptr [eax+04h]
jmp 00007F52A08555F6h
cmp edx, eax
je 00007F52A0855602h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F52A08555E2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F52A08555F9h
mov byte ptr [0047F160h], 00000001h
call 00007F52A08559A1h
call 00007F52A08588D5h
test al, al
jne 00007F52A08555F6h
xor al, al
pop ebp
ret
call 00007F52A086125Fh
test al, al
jne 00007F52A08555FCh
push 00000000h
call 00007F52A08588DCh
pop ecx
jmp 00007F52A08555DBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0047F161h], 00000000h
je 00007F52A08555F6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a678	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7f800	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81000	0x1aac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x28c58	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x28b98	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x158	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f734	0x1f800	a4b622b3fb3f2f74d4696f2468091e65	False	0.5866272941468254	data	6.639467233067605	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x21000	0x9e62	0xa000	03ecccac50dd98f45f69fe2c3a84bf0c	False	0.4348388671875	data	4.95153121226835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x54d7c	0x53e00	d8d977854afff7a4d514a2d9a7ed5275	False	0.9908951192250373	data	7.991339046085414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x80000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x81000	0x1aac	0x1c00	e8e59ebcc8c5e14f822118ad15af35a8	False	0.7315848214285714	data	6.418043983246135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

USER32.dll

ShowWindow

KERNEL32.dll

GetStartupInfoW, CreateFileW, CloseHandle, GetConsoleWindow, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, GetCurrentThreadId, WaitForSingleObjectEx, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, WriteConsoleW, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, ReadConsoleW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T05:10:59.689482+0200	2056572	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (widdensmoywi .sbs)	1	192.168.2.4	61399	1.1.1.1	53	UDP
2024-10-14T05:11:00.295911+0200	2056573	ET MALWARE Observed Win32/Lumma Stealer Related Domain (widdensmoywi .sbs in TLS SNI)	1	192.168.2.4	49733	172.67.156.197	443	TCP
2024-10-14T05:11:00.768182+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	172.67.156.197	443	TCP
2024-10-14T05:11:00.768182+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	172.67.156.197	443	TCP
2024-10-14T05:11:00.774581+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.4	54534	1.1.1.1	53	UDP
2024-10-14T05:11:01.271809+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.4	49735	188.114.96.3	443	TCP
2024-10-14T05:11:01.739729+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49735	188.114.96.3	443	TCP
2024-10-14T05:11:01.739729+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	188.114.96.3	443	TCP
2024-10-14T05:11:01.746698+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.4	54416	1.1.1.1	53	UDP
2024-10-14T05:11:01.757026+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.4	58864	1.1.1.1	53	UDP
2024-10-14T05:11:02.261781+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.4	49737	104.21.33.249	443	TCP
2024-10-14T05:11:02.769670+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.33.249	443	TCP
2024-10-14T05:11:02.769670+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.33.249	443	TCP
2024-10-14T05:11:02.773458+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.4	65407	1.1.1.1	53	UDP
2024-10-14T05:11:03.313522+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.4	49740	172.67.205.156	443	TCP
2024-10-14T05:11:03.743429+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49740	172.67.205.156	443	TCP
2024-10-14T05:11:03.743429+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49740	172.67.205.156	443	TCP
2024-10-14T05:11:03.745002+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.4	59950	1.1.1.1	53	UDP
2024-10-14T05:11:04.249297+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.4	49742	172.67.140.193	443	TCP
2024-10-14T05:11:04.676848+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49742	172.67.140.193	443	TCP
2024-10-14T05:11:04.676848+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49742	172.67.140.193	443	TCP
2024-10-14T05:11:04.678520+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.4	51215	1.1.1.1	53	UDP
2024-10-14T05:11:05.172901+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.4	49744	172.67.173.224	443	TCP
2024-10-14T05:11:05.659472+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49744	172.67.173.224	443	TCP
2024-10-14T05:11:05.659472+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49744	172.67.173.224	443	TCP
2024-10-14T05:11:05.686620+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.4	61248	1.1.1.1	53	UDP
2024-10-14T05:11:06.212916+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.4	49745	104.21.79.35	443	TCP
2024-10-14T05:11:06.657691+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49745	104.21.79.35	443	TCP
2024-10-14T05:11:06.657691+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49745	104.21.79.35	443	TCP
2024-10-14T05:11:06.664813+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.4	56986	1.1.1.1	53	UDP
2024-10-14T05:11:07.169602+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.4	49746	188.114.96.3	443	TCP
2024-10-14T05:11:07.617096+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49746	188.114.96.3	443	TCP
2024-10-14T05:11:07.617096+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	188.114.96.3	443	TCP
2024-10-14T05:11:08.918467+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49747	104.102.49.254	443	TCP
2024-10-14T05:11:09.684794+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49749	104.21.53.8	443	TCP
2024-10-14T05:11:09.684794+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49749	104.21.53.8	443	TCP
2024-10-14T05:11:10.695109+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49750	104.21.53.8	443	TCP
2024-10-14T05:11:10.695109+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49750	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 05:10:59.746447086 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:10:59.746536970 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:10:59.746830940 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:10:59.753129005 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:10:59.753182888 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.295754910 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.295911074 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.299860001 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.299887896 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.300394058 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.341577053 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.368426085 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.368474960 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.368633032 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.768225908 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.768481970 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.768668890 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.770457983 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.770457983 CEST	49733	443	192.168.2.4	172.67.156.197
Oct 14, 2024 05:11:00.770492077 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.770509005 CEST	443	49733	172.67.156.197	192.168.2.4
Oct 14, 2024 05:11:00.786582947 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:00.786667109 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:00.787466049 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:00.787991047 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:00.788105965 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.271641970 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.271809101 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.273796082 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.273811102 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.274139881 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.275211096 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.275232077 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.275441885 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.739785910 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.740011930 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.740108967 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.740210056 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.740210056 CEST	49735	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:01.740252018 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.740282059 CEST	443	49735	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:01.770210028 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:01.770251036 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:01.770464897 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:01.770711899 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:01.770735979 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.261646986 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.261780977 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.314052105 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.314094067 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.315120935 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.322716951 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.322716951 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.322900057 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.769721031 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.770014048 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.770296097 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.770364046 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.770382881 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.770402908 CEST	49737	443	192.168.2.4	104.21.33.249
Oct 14, 2024 05:11:02.770410061 CEST	443	49737	104.21.33.249	192.168.2.4
Oct 14, 2024 05:11:02.789287090 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:02.789370060 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:02.789483070 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:02.789988995 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:02.790075064 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.313291073 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.313522100 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.318089008 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.318144083 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.318556070 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.327938080 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.327938080 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.328147888 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.743468046 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.743705988 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:03.743947983 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.743947983 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.743947983 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.757559061 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:03.757646084 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:03.757750034 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:03.758014917 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:03.758033991 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:03.966727972 CEST	49740	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:11:03.966789007 CEST	443	49740	172.67.205.156	192.168.2.4
Oct 14, 2024 05:11:04.249222994 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.249296904 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.251590014 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.251605034 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.251998901 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.253489017 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.253525972 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.253575087 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.676906109 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.677160025 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.677256107 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.677350998 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.677350998 CEST	49742	443	192.168.2.4	172.67.140.193
Oct 14, 2024 05:11:04.677398920 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.677424908 CEST	443	49742	172.67.140.193	192.168.2.4
Oct 14, 2024 05:11:04.693911076 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:04.693994999 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:04.694101095 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:04.694490910 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:04.694574118 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.172715902 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.172900915 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.224762917 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.224843025 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.225713968 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.227118015 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.227118015 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.227340937 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.659493923 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.659719944 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:05.660001993 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.660001993 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.660001993 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.699661970 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:05.699692011 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:05.699760914 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:05.700148106 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:05.700165033 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:05.966764927 CEST	49744	443	192.168.2.4	172.67.173.224
Oct 14, 2024 05:11:05.966826916 CEST	443	49744	172.67.173.224	192.168.2.4
Oct 14, 2024 05:11:06.212728024 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.212915897 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.218053102 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.218065023 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.218453884 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.226711035 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.226737976 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.226869106 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.657728910 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.657964945 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.658060074 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.658118010 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.658138990 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.658157110 CEST	49745	443	192.168.2.4	104.21.79.35
Oct 14, 2024 05:11:06.658164978 CEST	443	49745	104.21.79.35	192.168.2.4
Oct 14, 2024 05:11:06.677613020 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:06.677697897 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:06.677964926 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:06.678169966 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:06.678206921 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.169414043 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.169601917 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.171849966 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.171880007 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.172292948 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.173454046 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.173536062 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.173603058 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.617114067 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.617321014 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.617419958 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.619575024 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.619575024 CEST	49746	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:11:07.619642019 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.619673967 CEST	443	49746	188.114.96.3	192.168.2.4
Oct 14, 2024 05:11:07.645733118 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:07.645767927 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:07.645831108 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:07.649466038 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:07.649482965 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.370580912 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.370661974 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:08.372148991 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:08.372170925 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.372560978 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.374012947 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:08.419414043 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.918569088 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.918622971 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.918670893 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.918767929 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:08.918795109 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:08.918842077 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.049825907 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.049885988 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.049912930 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.049935102 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.049957991 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.049964905 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.056607962 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.056668997 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.056690931 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.056734085 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.056740999 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.056850910 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.056889057 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.056905031 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.056917906 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.056917906 CEST	49747	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:11:09.056926012 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.056932926 CEST	443	49747	104.102.49.254	192.168.2.4
Oct 14, 2024 05:11:09.071492910 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.071579933 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.071671009 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.071964025 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.072016001 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.552196980 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.552345991 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.558764935 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.558799982 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.559230089 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.560343027 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.560611963 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.560647964 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.684798002 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.684838057 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.684887886 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.684899092 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.684914112 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.684950113 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.684967041 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.685026884 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.685137987 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.685178041 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.685205936 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.685220003 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.747592926 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.747620106 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:09.747698069 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.747976065 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:09.747989893 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.225883007 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.225956917 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.228463888 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.228486061 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.228820086 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.230429888 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.230463982 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.230525017 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.694655895 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.694740057 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.694799900 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.694905996 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.694943905 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 05:11:10.694972038 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:11:10.694988966 CEST	443	49750	104.21.53.8	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 05:10:59.689481974 CEST	61399	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:10:59.703356981 CEST	53	61399	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:00.774580956 CEST	54534	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:00.785797119 CEST	53	54534	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:01.746697903 CEST	54416	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:01.755603075 CEST	53	54416	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:01.757025957 CEST	58864	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:01.769272089 CEST	53	58864	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:02.773458004 CEST	65407	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:02.788275003 CEST	53	65407	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:03.745002031 CEST	59950	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:03.756769896 CEST	53	59950	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:04.678519964 CEST	51215	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:04.692557096 CEST	53	51215	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:05.686619997 CEST	61248	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:05.698884964 CEST	53	61248	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:06.664813042 CEST	56986	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:06.676763058 CEST	53	56986	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:07.634795904 CEST	57070	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:07.641757011 CEST	53	57070	1.1.1.1	192.168.2.4
Oct 14, 2024 05:11:09.059674978 CEST	61579	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:11:09.070584059 CEST	53	61579	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 05:10:59.689481974 CEST	192.168.2.4	1.1.1.1	0x3e4f	Standard query (0)	widdensmoywi.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:00.774580956 CEST	192.168.2.4	1.1.1.1	0x3b46	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:01.746697903 CEST	192.168.2.4	1.1.1.1	0xc167	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:01.757025957 CEST	192.168.2.4	1.1.1.1	0x2842	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:02.773458004 CEST	192.168.2.4	1.1.1.1	0xae6b	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:03.745002031 CEST	192.168.2.4	1.1.1.1	0xb170	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:04.678519964 CEST	192.168.2.4	1.1.1.1	0x28fe	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:05.686619997 CEST	192.168.2.4	1.1.1.1	0xccec	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:06.664813042 CEST	192.168.2.4	1.1.1.1	0x8f81	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:07.634795904 CEST	192.168.2.4	1.1.1.1	0x68d7	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:09.059674978 CEST	192.168.2.4	1.1.1.1	0xf5b3	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 05:10:59.703356981 CEST	1.1.1.1	192.168.2.4	0x3e4f	No error (0)	widdensmoywi.sbs		172.67.156.197	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:10:59.703356981 CEST	1.1.1.1	192.168.2.4	0x3e4f	No error (0)	widdensmoywi.sbs		104.21.8.37	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:00.785797119 CEST	1.1.1.1	192.168.2.4	0x3b46	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:00.785797119 CEST	1.1.1.1	192.168.2.4	0x3b46	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:01.755603075 CEST	1.1.1.1	192.168.2.4	0xc167	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:01.769272089 CEST	1.1.1.1	192.168.2.4	0x2842	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:01.769272089 CEST	1.1.1.1	192.168.2.4	0x2842	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:02.788275003 CEST	1.1.1.1	192.168.2.4	0xae6b	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:02.788275003 CEST	1.1.1.1	192.168.2.4	0xae6b	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:03.756769896 CEST	1.1.1.1	192.168.2.4	0xb170	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:03.756769896 CEST	1.1.1.1	192.168.2.4	0xb170	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:04.692557096 CEST	1.1.1.1	192.168.2.4	0x28fe	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:04.692557096 CEST	1.1.1.1	192.168.2.4	0x28fe	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:05.698884964 CEST	1.1.1.1	192.168.2.4	0xccec	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:05.698884964 CEST	1.1.1.1	192.168.2.4	0xccec	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:06.676763058 CEST	1.1.1.1	192.168.2.4	0x8f81	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:06.676763058 CEST	1.1.1.1	192.168.2.4	0x8f81	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:07.641757011 CEST	1.1.1.1	192.168.2.4	0x68d7	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:09.070584059 CEST	1.1.1.1	192.168.2.4	0xf5b3	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:11:09.070584059 CEST	1.1.1.1	192.168.2.4	0xf5b3	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

widdensmoywi.sbs

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.156.197	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:00 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: widdensmoywi.sbs
2024-10-14 03:11:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:00 UTC	825	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pob1k1mdh1tq92m3nmbhhk021b; expires=Thu, 06 Feb 2025 20:57:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DU9Czp0Fb5M8UhSOBLu2tMoHnBKVV%2BVik1IuoqaDXB5vNZg%2FpPhq8RDAsF11sYkrus%2BWdlgJbZGpoIKLfLDs9iA6JE%2B%2BUQmR20eHtH5uyQcGSUEVPpLgiV%2FnlXb5AfQlTnrQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24612ba956443e-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:00 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	188.114.96.3	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:01 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-14 03:11:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:01 UTC	817	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eti5mlvoq52ivu2ggkv2g5b1f9; expires=Thu, 06 Feb 2025 20:57:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=37E1QSJjfbFMfthYtYqgCSJFKNhvWsJIJSnaYDsWe1KL3TznTujlBRYLftxEHSuGjZzLa8gJ3ZWgngd0slzWwLgV%2F8ZY%2FheiYe0H9CKMXF3XcpDCT2qaha2a%2FHT%2BHPTO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2461315d2442cf-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:01 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	104.21.33.249	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:02 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-14 03:11:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:02 UTC	819	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p412am9ovj1tcem7n48c5q9tll; expires=Thu, 06 Feb 2025 20:57:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bPSimegPe%2FVFXdFmvNAU%2FgWLdlEC6PNzTAhgamcdRMED5Z4ih4qOBOlDDYEysbYSQJKW8gMXyw%2FmfmDVHfJbqS%2FzuofHjOTPs2pyCuiePpPNDQ8yP%2FEHfGygCKQGnMi1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d246137d8e11839-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	172.67.205.156	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:03 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-14 03:11:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:03 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ma4mbgj2omahevep4adsa4tgvl; expires=Thu, 06 Feb 2025 20:57:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=afBBLzs6nu%2FjtA2f5yb%2FZucHh144tVt7f4Dx8tA%2B%2Ft0Wqoi1jaZP5KtH6NAv9EGrkKkDNQI%2FiFZdO5vCTo7gFA6A9aJhxPeFOAm0iZPY9UEDRCS%2B38GHeaAz%2B4JFOtJ9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24613e2afe185d-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:03 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	172.67.140.193	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:04 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-14 03:11:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:04 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ncd3n254j89v6po681nabed1a6; expires=Thu, 06 Feb 2025 20:57:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ddXds1BqKuzwq3s8OvpD9zhvFJKjcrgHq8WPjndoC1LwPrWUktddleiPQdPtY%2FAe12MhuB5wODFrrm3akCCoFVxebTDAHW6S8B4bcYzBBYwlaSgPa%2B6zM4nTy4wS947%2Bdw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d246143e98141e1-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	172.67.173.224	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:05 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-14 03:11:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:05 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r7i85hf6vbgpgr5sgaab5laupe; expires=Thu, 06 Feb 2025 20:57:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bjrkwWCfnJSO3hcEZE2UFfI3UaDfFPO80%2F2t2UfSSyXrw7UZ1u8e4UWIArRjRgNbsITX5VogQnwVJDUIelealzB6EQ%2FgARtOXYyNlMdV63%2Fn8E9lXpZX3%2BAXrHuvovd0uAo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24614a0c964234-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	104.21.79.35	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:06 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-14 03:11:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:06 UTC	831	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vvat1l6sa77mblndsr4klhc2q4; expires=Thu, 06 Feb 2025 20:57:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QX80%2FK0%2BVwPMQgqbIL%2FLxOBicX400ncH10AtIn8T%2B40scOJJPwZje9a%2F9GaqethuSk3kZ%2B5%2B15BSOtFHRCj9xyaO2EyP%2FQ0Y7rbblKICSANlsb0aaDPqrbqOhk%2Bv4QWRuAVU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2461505fba18c4-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	188.114.96.3	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:07 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-14 03:11:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:07 UTC	829	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dnrkko0rmbar1rpa2a9cr07t31; expires=Thu, 06 Feb 2025 20:57:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Csjuf15rnKZruOQLC5%2BXTb492iVz646OvrkSwG7NsWO77%2FumaibI%2F6FUUx6GwKOr0d4Ahm7F3wqMQrqYOIYWeaafD%2F04FkgtFvW9E1FiApShX8lkbdtE7D3a7XvtPQ9RRghpQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2461565cb40f63-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	104.102.49.254	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:08 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-14 03:11:08 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 14 Oct 2024 03:11:08 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=c951140d1260d6de58ce539a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-14 03:11:08 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-14 03:11:09 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-14 03:11:09 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-14 03:11:09 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49749	104.21.53.8	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:09 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-14 03:11:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:11:09 UTC	555	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yLD0fLr27v9wkhZTFcjZ2Pd1SLdhXuTFzwkUSdX0yY%2BbOw85YOqAu6zdPwOmuK%2F352TK1cuNde4HOBFTz6sbBnQW2aeE4Raf6%2FAHNyIy5iiPP%2BiK5GJSShg4VoQN8XLldEpOAA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24616538b34205-EWR
2024-10-14 03:11:09 UTC	814	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-14 03:11:09 UTC	1369	IN	Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
2024-10-14 03:11:09 UTC	1369	IN	Data Raw: 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 Data Ascii: agement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <i
2024-10-14 03:11:09 UTC	889	IN	Data Raw: 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="b
2024-10-14 03:11:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49750	104.21.53.8	443	3452	C:\Users\user\Desktop\SoftWare.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:11:10 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=eJkD7fdghkY3w75yfrMhybLOU1CqWngT3X8rRbNEPUI-1728875469-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: sergei-esenin.com
2024-10-14 03:11:10 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 31 32 38 35 30 32 35 37 30 35 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--1285025705&j=
2024-10-14 03:11:10 UTC	827	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:11:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sujjn8eoqlpm6e6ufpq1vfv1kb; expires=Thu, 06 Feb 2025 20:57:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dn0tnlXhAUkyCJo4Pd%2Bu91gwKUg1IZyPR7oFrSbX17A3cR38kQu%2B9quNt4EzjSXkDJlDE2BhQ1nWsibgxqpgUpiRWs4UbBwuQMzApwa5ILn%2BsOT089r6YtgtKVPQOguin58WDg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2461696a167ca6-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:11:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:11:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	23:10:56
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SoftWare.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare.exe"
Imagebase:	0x2a0000
File size:	532'008 bytes
MD5 hash:	495601808BAAE79851B57369668830DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:10:58
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SoftWare.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SoftWare.exe"
Imagebase:	0x2a0000
File size:	532'008 bytes
MD5 hash:	495601808BAAE79851B57369668830DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:10:58
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SoftWare.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare.exe"
Imagebase:	0x2a0000
File size:	532'008 bytes
MD5 hash:	495601808BAAE79851B57369668830DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:10:58
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 308
Imagebase:	0x7ff7699e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:11:09
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1652
Imagebase:	0x80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:11:09
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1724
Imagebase:	0x80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:11:15
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1656
Imagebase:	0x80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	190
Total number of Limit Nodes:	18

Executed Functions

Function 002A1FEA Relevance: 7.7, APIs: 5, Instructions: 153
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(0031E340,000004E4,00000040,?), ref: 002A2101
GetCurrentThreadId.KERNEL32 ref: 002A2138
GetConsoleWindow.KERNEL32(00000001), ref: 002A2167
ShowWindow.USER32(00000000), ref: 002A216E
std::_Throw_Cpp_error.LIBCPMT ref: 002A218D

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Window$ConsoleCpp_errorCurrentProtectShowThreadThrow_Virtualstd::_
String ID:
API String ID: 1484634515-0
Opcode ID: d00846eb0cd11468f6e4dd97af51a1c40deb24b1e8e17bac67f4bad231de7a02
Instruction ID: 6cdf3694fc6565e6f3dee628360152187ac0e30151a14ed61fbf8c5e9323c824
Opcode Fuzzy Hash: d00846eb0cd11468f6e4dd97af51a1c40deb24b1e8e17bac67f4bad231de7a02
Instruction Fuzzy Hash: 5741C032930216EBD3146B798C42BEFBA5DEB57710F004112BB0A971D2EF748665C690

Function 002B2B19 Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68241c2f908855ab64458c71af97405ac9bcf99dcd32c8d6d7ae63452862db2
Instruction ID: f481a358594be807cb9438dd425ffae10b1a3b3f2ab92225df79e43bae7903c4
Opcode Fuzzy Hash: d68241c2f908855ab64458c71af97405ac9bcf99dcd32c8d6d7ae63452862db2
Instruction Fuzzy Hash: 42F03031624324EFCB16DB4CD545BD9B3ACEB45B95F1140A6E501EB151C670DD50CBD0

Function 002B1C2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,9A4ECB85,?,002B1D3C,?,?,?,00000000), ref: 002B1CF0

Strings

api-ms-, xrefs: 002B1C86
ext-ms-, xrefs: 002B1C9A

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c42033a11f6dfd31762e8d0a671be2d6dfdd7633f28f3ff5409712cf43e26e0f
Instruction ID: ee41973101a0a4f24c0f41505da70cb818f0aa28599fe68a2a1de4317a713497
Opcode Fuzzy Hash: c42033a11f6dfd31762e8d0a671be2d6dfdd7633f28f3ff5409712cf43e26e0f
Instruction Fuzzy Hash: 8F210D71A60252ABC7229F25EC65FDB7B68EB417E4F640222ED05E7291D730ED30C6D1

Function 002A9EBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00009D5F,00000000,00000000,?), ref: 002A9F04
GetLastError.KERNEL32(?,002A2129,00000000,00000000,002A2C5B,00000000,00000000), ref: 002A9F10
__dosmaperr.LIBCMT ref: 002A9F17

Strings

[,*, xrefs: 002A9F2C

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: [,*
API String ID: 2744730728-2099427899
Opcode ID: 7fd53e4f1af24277ea88c1f1d85c7d41dfd0250f59d3999c827a13214112aa0d
Instruction ID: 566b28eda55a41f8ebb5969b5ca156038572eda2679ca560a49a62b66ec97451
Opcode Fuzzy Hash: 7fd53e4f1af24277ea88c1f1d85c7d41dfd0250f59d3999c827a13214112aa0d
Instruction Fuzzy Hash: EC019E7252121AEFCF15AFA2DC06AAE7BA4EF02360F104159F901D6151EF74CDA0DF90

Function 002A9D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(002C9F68,0000000C), ref: 002A9D72
ExitThread.KERNEL32 ref: 002A9D79

Strings

4=*, xrefs: 002A9DAF

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: 4=*
API String ID: 1611280651-1836062006
Opcode ID: 25e688149a97818d60cd66a71c146863e4da166fcc4fbf3a30daca25528112fa
Instruction ID: 99b759bd319cecc557c51d069d22ddfc86b4ed4e5a64dd7af6747eb3a8602f52
Opcode Fuzzy Hash: 25e688149a97818d60cd66a71c146863e4da166fcc4fbf3a30daca25528112fa
Instruction Fuzzy Hash: 44F08770A20605AFDB10AFB4D80AAAE3B74FF02341F100149F40597292CF34A9A6CFA1

Function 002B1CFA Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486035a68579792ae266ed9255691af2b740a12138c71f9f2d94b94088fe1799
Instruction ID: f0912f1f20da84de0346402f346e0948c4a52893de7e667a7f753fe1fbaa8b60
Opcode Fuzzy Hash: 486035a68579792ae266ed9255691af2b740a12138c71f9f2d94b94088fe1799
Instruction Fuzzy Hash: DC01F53732022B5FDF168E29EC55A9A339AAF853A07A48120F910CB169DB31C8318790

Non-executed Functions

Function 0030310E Relevance: 75.4, Strings: 60, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C, xrefs: 0030336E
], xrefs: 003032A2
M, xrefs: 0030336A
x, xrefs: 003033DA
Y, xrefs: 003033D6
r, xrefs: 003033B2
i, xrefs: 00303224
., xrefs: 00303558
x, xrefs: 00303208
X, xrefs: 003032F6
^, xrefs: 00303352
Y, xrefs: 0030333C
n, xrefs: 00303286
A, xrefs: 00303376
K, xrefs: 0030332E
a, xrefs: 00303240
k, xrefs: 0030340E
e, xrefs: 00303406
I, xrefs: 00303396
O, xrefs: 0030339E
z, xrefs: 0030325C
S, xrefs: 003033AE
Q, xrefs: 003033B6
W, xrefs: 003033BE
w, xrefs: 0030324E
K, xrefs: 0030338E
T, xrefs: 00303320
M, xrefs: 003033A6
i, xrefs: 00303416
a, xrefs: 003033F6
X, xrefs: 0030334A
u, xrefs: 00303294
}, xrefs: 00303278
s, xrefs: 003031D0
U, xrefs: 003032E8
G, xrefs: 0030337E
_, xrefs: 003033DE
c, xrefs: 003033EE
b, xrefs: 00303372
U, xrefs: 003033C6
, xrefs: 00303570
p, xrefs: 003031EC
G, xrefs: 0030341A
,, xrefs: 00303560
n, xrefs: 00303422
o, xrefs: 0030341E
[, xrefs: 003033CE
m, xrefs: 00303426
g, xrefs: 003033FE
), xrefs: 00303578
m, xrefs: 0030326A
#, xrefs: 00303568
4, xrefs: 0030364A
, xrefs: 0030311A
Z, xrefs: 00303304
], xrefs: 003033E6
R, xrefs: 003032DA
J, xrefs: 00303362
c, xrefs: 003032CC
E, xrefs: 00303386

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: $ $#$)$,$.$4$A$C$E$G$G$I$J$K$K$M$M$O$Q$R$S$T$U$U$W$X$X$Y$Y$Z$[$]$]$^$_$a$a$b$c$c$e$g$i$i$k$m$m$n$n$o$p$r$s$u$w$x$x$z$}
API String ID: 0-3575643894
Opcode ID: 9bfed66bba9bfba0014b2911bec835af8e9de64a461eda58fe8f65bd3d1b232f
Instruction ID: 4edc4b64815929e1e3a1bf7f3951135ee587993566d3f4466cc6c660567d6c1f
Opcode Fuzzy Hash: 9bfed66bba9bfba0014b2911bec835af8e9de64a461eda58fe8f65bd3d1b232f
Instruction Fuzzy Hash: 4B122C2190C7E989DB32867C8C587CDBFA15B27324F1843D9D4E86B3D2C7B50A85CB66

Function 002F2C23 Relevance: 25.5, Strings: 20, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l]j_, xrefs: 002F3187
AC, xrefs: 002F2C2F
u5`7, xrefs: 002F2DA1
eUgW, xrefs: 002F3195
sAuC, xrefs: 002F3172
n9m;, xrefs: 002F2DAB
6I5K, xrefs: 002F356E
aQaS, xrefs: 002F318E
M0O, xrefs: 002F3564
HyK{, xrefs: 002F31BE
MO, xrefs: 002F2C4D
!, xrefs: 002F2DBF
]_, xrefs: 002F2F23
MO, xrefs: 002F2F07
AC, xrefs: 002F2EF2
*(, xrefs: 002F2FD0
r1`3, xrefs: 002F2D97
4E:G, xrefs: 002F3550
*(, xrefs: 002F344D
Hu@s, xrefs: 002F32E3

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: AC$M0O$ !$*($*($4E:G$6I5K$Hu@s$HyK{$aQaS$eUgW$l]j_$n9m;$r1`3$sAuC$u5`7$AC$MO$MO$]_
API String ID: 0-3249452353
Opcode ID: 2afbac181cee060aeaf19538715f26008316746a0008b687ff17fea878edc9d8
Instruction ID: f1b5826cac692d4c8930548af1cf9bc2f246d95636f940393aeb3d8dfbc5f27b
Opcode Fuzzy Hash: 2afbac181cee060aeaf19538715f26008316746a0008b687ff17fea878edc9d8
Instruction Fuzzy Hash: 193252B5910B659FD724CF26D88078ABBB1FF45344F518A9CC4AA2FB11C774A986CF80

Function 00303AA7 Relevance: 24.0, Strings: 19, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00303AD6
;, xrefs: 00303B2A
1, xrefs: 00303D81
1, xrefs: 00303B00
>, xrefs: 00303D40
), xrefs: 00303AC8
+, xrefs: 00303ABA
7, xrefs: 00303B0E
<, xrefs: 00303D37
?, xrefs: 00303B46
9, xrefs: 00303B38
5, xrefs: 00303B1C
3, xrefs: 00303D69
0, xrefs: 00303E7D
/, xrefs: 00303D61
-, xrefs: 00303AE4
3, xrefs: 00303AF2
+, xrefs: 00303D91
=, xrefs: 00303B54

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: )$+$+$-$/$/$0$1$1$3$3$5$7$9$;$<$=$>$?
API String ID: 0-1201617265
Opcode ID: c0ffde352e9afa619833a4d4a4ac907094959051b462ba44feb21e0b5d92cc12
Instruction ID: f1eb3310685c87cdf2699f5163d2dcf5d5a4f423dfdb9f017cd4704ed91294fc
Opcode Fuzzy Hash: c0ffde352e9afa619833a4d4a4ac907094959051b462ba44feb21e0b5d92cc12
Instruction Fuzzy Hash: 12E17031D086E98ADB32C63C8C583CDBFB51B52324F0942E9D4A96B3D2C7754B85CB52

Function 002CC215 Relevance: 16.0, Strings: 12, Instructions: 987COMMON

Download Yara Rule

Strings

0000, xrefs: 002CD708
0, xrefs: 002CD389
0, xrefs: 002CD091
@, xrefs: 002CD8EF
0000, xrefs: 002CD74E
0000, xrefs: 002CD6F3
0000, xrefs: 002CD701
0000, xrefs: 002CD6EC
0000, xrefs: 002CD6E5
0, xrefs: 002CD13F
i, xrefs: 002CD9BE
0000, xrefs: 002CD6FA

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
API String ID: 0-3385986306
Opcode ID: b3794e24a1c0b5c59eb8b2be1420e9d4de45e8b1e6abb63032f265fb2efc6c1b
Instruction ID: 26d1d1c0e61b78f04b220201ecd70df8a22252e0ff00b46b0337f65ad2e16b3e
Opcode Fuzzy Hash: b3794e24a1c0b5c59eb8b2be1420e9d4de45e8b1e6abb63032f265fb2efc6c1b
Instruction Fuzzy Hash: C182C4756293828FC719CF28C490B2AFBE1AB85304F188B6DE4DA97391D374DD15CB82

Function 002E9E20 Relevance: 13.9, Strings: 10, Instructions: 1432COMMON

Download Yara Rule

Strings

L, xrefs: 002EA4C8
anol, xrefs: 002EA010
LM[, xrefs: 002EA3AC, 002EA410, 002EA45F, 002EA5F5, 002EA545
ET]?, xrefs: 002EA7B8
1>?<, xrefs: 002EA094
!./7, xrefs: 002EA0C0
P, xrefs: 002EA9CA
[AJ, xrefs: 002E9EAE
URSP, xrefs: 002EA031
%*+(, xrefs: 002EA0CB

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: !./7$%*+($1>?<$ET]?$L$LM[$P$URSP$[AJ$anol
API String ID: 0-2024409930
Opcode ID: 9229b78d7ae1248caacbe81909899af73a150cb512f30ebbf0fc69731995cb67
Instruction ID: 4f3411d84e1c12805dda591aea9e5d23527df92951039ea068af83d1e755eec5
Opcode Fuzzy Hash: 9229b78d7ae1248caacbe81909899af73a150cb512f30ebbf0fc69731995cb67
Instruction Fuzzy Hash: C8A2CF705583C18BD735CF26C8917ABBBE2AFD6304F58892DE0D98B292D7789805CB53

Function 002D84F0 Relevance: 11.5, Strings: 9, Instructions: 288COMMON

Download Yara Rule

Strings

f, xrefs: 002D87F8
J%{o, xrefs: 002D8520
Oz|{, xrefs: 002D874E
rkOL, xrefs: 002D8540
\402, xrefs: 002D854B
lxyg, xrefs: 002D8528
ax`g, xrefs: 002D8530
km, xrefs: 002D87F1
2-, xrefs: 002D8556

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 2-$J%{o$Oz|{$\402$ax`g$f$km$lxyg$rkOL
API String ID: 0-1937825257
Opcode ID: 9412e4017cbadb1f459ba9005e3dc8965fb1477e5eddcd1d6e48edd8a52363dc
Instruction ID: 56e91ed5abd0393cc8184926ec5a96caea08ad2e4dd3fdd0b510f209fb43ef99
Opcode Fuzzy Hash: 9412e4017cbadb1f459ba9005e3dc8965fb1477e5eddcd1d6e48edd8a52363dc
Instruction Fuzzy Hash: 6791BE7050C3858FD319CF2984A17ABFBE1EF96304F148A6DE4E54B391C7798909CB96

Function 002BAA80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 002BAB8C
IsValidCodePage.KERNEL32(00000000), ref: 002BABD5
IsValidLocale.KERNEL32(?,00000001), ref: 002BABE4
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002BAC2C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002BAC4B

Strings

L],, xrefs: 002BAAE5

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: L],
API String ID: 415426439-3138183756
Opcode ID: 77a3e5e695d052f77a3ae4ccf7158247ecf729fb1b67f46604d15d7ec80729e1
Instruction ID: f0ae750915236a6620d25ecfcfedd8593b738db1f0879c8cbb15e15c67e70171
Opcode Fuzzy Hash: 77a3e5e695d052f77a3ae4ccf7158247ecf729fb1b67f46604d15d7ec80729e1
Instruction Fuzzy Hash: 7851A271A20206AFDF10DFA8CC45EEE73B9FF14784F044469A921E7191E770D964CB62

Function 002CBF40 Relevance: 10.2, Strings: 7, Instructions: 1454COMMON

Download Yara Rule

Strings

, xrefs: 002CE6D4
, xrefs: 002CE6DB
, xrefs: 002CE6E9
, xrefs: 002CE6F0
, xrefs: 002CE6E2
, xrefs: 002CE6CD
, xrefs: 002CE766

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $
API String ID: 0-935225467
Opcode ID: d42e65d7817bbebdab01302d3a0d661209f263663f4e36fb4326d3467a758523
Instruction ID: 090bf140b5cb6f52a9dfb99ef14bed36c0ff856c600586bf7fdb86cdfa1bb1fe
Opcode Fuzzy Hash: d42e65d7817bbebdab01302d3a0d661209f263663f4e36fb4326d3467a758523
Instruction Fuzzy Hash: 4EA2F8716283828FCB18CF28C494B2ABBE2BF95314F19876DE4968B391D374DD55CB81

Function 002BB551 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002BB735

Strings

1#IND, xrefs: 002BB656
1#QNAN, xrefs: 002BB664
1#SNAN, xrefs: 002BB65D
1#INF, xrefs: 002BB687

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 48e2ff388ca2fc9c9add1ff2ee568b99dab23e46c5aaafa2b0a195699e8b3ebc
Instruction ID: 48cbddfdc839e5bbf37e50d007cd21f2b01f34f68e7cc6393122b392c3768f4e
Opcode Fuzzy Hash: 48e2ff388ca2fc9c9add1ff2ee568b99dab23e46c5aaafa2b0a195699e8b3ebc
Instruction Fuzzy Hash: 29D23971E282298FDF65CE28CD40BEAB7B9EB44344F2445EAD44DE7240DB74AE958F40

Function 002F14D7 Relevance: 8.8, Strings: 7, Instructions: 89COMMON

Download Yara Rule

Strings

>408, xrefs: 002F14E1
%!?-, xrefs: 002F14EF
-:4, xrefs: 002F14E8
!!KM, xrefs: 002F150B
EAFD, xrefs: 002F153C
TD, xrefs: 002F15A7
BAoo, xrefs: 002F1543

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: !!KM$%!?-$-:4$>408$BAoo$EAFD$TD
API String ID: 0-548505009
Opcode ID: 16af84e7640d8c6cd4ee85b582a09f937a406e0a639f75bfbd5b7e400799ca78
Instruction ID: 3d53c77ebca315a18c157080d96a95fda3606e44c72ce4b87df1f8b6abc66001
Opcode Fuzzy Hash: 16af84e7640d8c6cd4ee85b582a09f937a406e0a639f75bfbd5b7e400799ca78
Instruction Fuzzy Hash: CA21BCB1D052AC8BDB21CFA9E88039DFBB1BF62351F649168C2A5BB245CB344846CF45

Function 002BA8AB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,002BABC9,00000002,00000000,?,?,?,002BABC9,?,00000000), ref: 002BA944
GetLocaleInfoW.KERNEL32(?,20001004,002BABC9,00000002,00000000,?,?,?,002BABC9,?,00000000), ref: 002BA96D
GetACP.KERNEL32(?,?,002BABC9,?,00000000), ref: 002BA982

Strings

OCP, xrefs: 002BA8FF
ACP, xrefs: 002BA8C9

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a3ca677b1e472196582625c5082752168c2dc8df2a47cfdd573c66ba24d85c4e
Instruction ID: e5483da6eaec86688c8a322127ecb5f72d347273be412da4f5c6dc168fc78bbd
Opcode Fuzzy Hash: a3ca677b1e472196582625c5082752168c2dc8df2a47cfdd573c66ba24d85c4e
Instruction Fuzzy Hash: 0721F532630603A6DB348F54C801EE7B3A6AF64BD0B578524E94AD7101F732DDA1E352

Function 002FA91B Relevance: 6.7, Strings: 5, Instructions: 474COMMON

Download Yara Rule

Strings

vw!, xrefs: 002FAD49
{qb, xrefs: 002FAD3F
z\B=, xrefs: 002FAC5C
/Hla, xrefs: 002FAB67
BHla, xrefs: 002FABE1

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: vw!${qb$/Hla$BHla$z\B=
API String ID: 0-1500912124
Opcode ID: 1c40eac1187402211cf307898039311c3eb4515e447feb491b672f070a0abef2
Instruction ID: 66fdc2f40d4e5fa34ea26bb6d8cd2cff759d16393f75dafba13ecfda5ea09a47
Opcode Fuzzy Hash: 1c40eac1187402211cf307898039311c3eb4515e447feb491b672f070a0abef2
Instruction Fuzzy Hash: 92E1D5A0614B818EE725CF35C5507B3FBE1AF53345F0888ADC1EB8B686D7796509CB22

Function 002FA911 Relevance: 6.7, Strings: 5, Instructions: 451COMMON

Download Yara Rule

Strings

vw!, xrefs: 002FAD49
{qb, xrefs: 002FAD3F
z\B=, xrefs: 002FAC5C
/Hla, xrefs: 002FAB67
BHla, xrefs: 002FABE1

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: vw!${qb$/Hla$BHla$z\B=
API String ID: 0-1500912124
Opcode ID: c438d6febc3fba4f6dee4dabbb817b0e23a8062de8b8692760a6254e32aeeb85
Instruction ID: 28657e532e05cf836597498e54fbdd092f0abe743568488cb26bd4555754e1dd
Opcode Fuzzy Hash: c438d6febc3fba4f6dee4dabbb817b0e23a8062de8b8692760a6254e32aeeb85
Instruction Fuzzy Hash: 44E12660625B828EE725CF35C4907B3FBD1AF53344F08896DC1EB8B682D739A519C762

Function 002D9BE0 Relevance: 6.7, Strings: 5, Instructions: 410COMMON

Download Yara Rule

Strings

pE, xrefs: 002D9CD8
IX[E, xrefs: 002D9E54, 002D9FA0, 002DA014, 002DA0A0, 002D9F90, 002D9E34, 002DA097, 002DA0CE
Kz, xrefs: 002D9CE8
IX[E, xrefs: 002D9EDB
D@DF, xrefs: 002D9BF2

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: D@DF$IX[E$IX[E$Kz$pE
API String ID: 0-155741351
Opcode ID: ea9821a02325da67c6d8426d23f3770375bafb020a48db46c677ba2e55d8eb42
Instruction ID: eed4e7200ac556acfdc99f1bcac4dc2b7e00bf15c6de712b107620148ba0f474
Opcode Fuzzy Hash: ea9821a02325da67c6d8426d23f3770375bafb020a48db46c677ba2e55d8eb42
Instruction Fuzzy Hash: 2ED1D07252C3918BD310CF28844076BBBE2ABD2304F19892EE4E59B751D7758D5ACB93

Function 002B2D9D Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002B2E2A

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction ID: 5c0b5546876c655d2c192f3e65ec5d08c2385fffeb8584f56e66cec23c319a85
Opcode Fuzzy Hash: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction Fuzzy Hash: F4B17832A24246DFDB11CF68C881BFEBBB5EF59380F14416AE801AB241D274DD25CBA0

Function 002B7C3B Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 002B7CD6
FindNextFileW.KERNEL32(00000000,?), ref: 002B7D51
FindClose.KERNEL32(00000000), ref: 002B7D73
FindClose.KERNEL32(00000000), ref: 002B7D96

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 5dfe841140afbcddd2d52fe4ec0bf0452f6fb36e654ad99211ca90a8816a740a
Instruction ID: 33b5216e6062c7270f4eca82657de75a5ee2e335090bbb8495e62e7670ede364
Opcode Fuzzy Hash: 5dfe841140afbcddd2d52fe4ec0bf0452f6fb36e654ad99211ca90a8816a740a
Instruction Fuzzy Hash: 9F41C27191462AAFDB20DF64DC89EFAB7B8EFC5384F148199E405E7144E7309EA08F60

Function 002A5F93 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002A5F9F
IsDebuggerPresent.KERNEL32 ref: 002A606B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002A6084
UnhandledExceptionFilter.KERNEL32(?), ref: 002A608E

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5c4d4a976fe741db07450c0b02742da9aad02306f6816ef6ca362b1c2024b443
Instruction ID: 1b0157a036bf50c87f5d02ab3a8dc60f73c36c7881e004a26906e029680ed235
Opcode Fuzzy Hash: 5c4d4a976fe741db07450c0b02742da9aad02306f6816ef6ca362b1c2024b443
Instruction Fuzzy Hash: 413127B5C152289BDF21DFA4D94DBCDBBB8BF09300F1041AAE50CAB250EB719A948F45

Function 002ECCB0 Relevance: 5.5, Strings: 4, Instructions: 490COMMON

Download Yara Rule

Strings

CJu{, xrefs: 002ED178
WeA, xrefs: 002ED0CD
feA, xrefs: 002ED135
\, xrefs: 002ECEE4

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: CJu{$WeA$\$feA
API String ID: 0-3042424217
Opcode ID: 1476d3b6f5ccc56c8349898d657de074a1760bfd8308db51f2eeec480568600d
Instruction ID: b28eb69728b865db9fbf9e5fb706e9e5f988b75ee1ab1f6016967b2858c72aac
Opcode Fuzzy Hash: 1476d3b6f5ccc56c8349898d657de074a1760bfd8308db51f2eeec480568600d
Instruction Fuzzy Hash: F9E13571A583806BE310DE25DC82BAFBFE5EBC1310F18492DF88487392E6759C158B93

Function 002A1AC2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 002A2B18: __EH_prolog3_catch.LIBCMT ref: 002A2B1F

_Deallocate.LIBCONCRT ref: 002A1C9D
_Deallocate.LIBCONCRT ref: 002A1CEA

Strings

Current val: %d, xrefs: 002A1C76

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Deallocate$H_prolog3_catch
String ID: Current val: %d
API String ID: 1212816977-1825967858
Opcode ID: 65f8f0b882eb1246e3688421a423785d4d0f7012aed0f0cf7c8ac5857c7fc8af
Instruction ID: 045a83eb2db96bcfa80b56a3f45b204fa9629e7f3f5ca4fa0a8b89229266f9f6
Opcode Fuzzy Hash: 65f8f0b882eb1246e3688421a423785d4d0f7012aed0f0cf7c8ac5857c7fc8af
Instruction Fuzzy Hash: CC61AD7252C3558FC320DF29D48026BFBE0AFCA728F150E2EF9D493242DB3599148B56

Function 002A51AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,002A5151,?,00000000,00000000,?,002A5110,?,?,?,?,002A504F,?), ref: 002A51E7
GetSystemTimeAsFileTime.KERNEL32(?,9A4ECB85,?,?,002C0535,000000FF,?,002A5151,?,00000000,00000000,?,002A5110,?,?), ref: 002A51EB

Strings

4=*, xrefs: 002A51E1

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: 4=*
API String ID: 743729956-1836062006
Opcode ID: 8da4c1e02fc3ceb3d741f497b95d583a5433dccb481806f21ba284c070da7611
Instruction ID: e41e15f19c624a475bddbebb0074067480129c2ff4ff915323bd2613c821fbec
Opcode Fuzzy Hash: 8da4c1e02fc3ceb3d741f497b95d583a5433dccb481806f21ba284c070da7611
Instruction Fuzzy Hash: 4BF06C32554954EFC7018F44EC45F6A77ACFB09B10F04422AEC16D3750DB755914CB80

Function 002DC185 Relevance: 5.3, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

oi, xrefs: 002DC3C5
k=e, xrefs: 002DC3CC
w'q, xrefs: 002DC3B7
{u, xrefs: 002DC3B0

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: k=e$oi$w'q${u
API String ID: 0-1721675072
Opcode ID: 8b86ccf00193ef7510d7dea85ea26e211bd0b1d6b9477f98adf200d6b3041581
Instruction ID: 9d3757c063632226a85689e76205cf3464a7992d738f4ee6838c7a323d3d9d83
Opcode Fuzzy Hash: 8b86ccf00193ef7510d7dea85ea26e211bd0b1d6b9477f98adf200d6b3041581
Instruction Fuzzy Hash: C191CEB01057828FE7598F2AC490626BFA2BF97300B29959DC8D60F756D778D806CF90

Function 002BA52F Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002BA583
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002BA5CD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002BA693

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 2638c5ce72f0679b3c4d08a5c997555f926058d91acaec039de3bf5e29325a7d
Instruction ID: bc33f89a437337194be3b0626174e41b1b2b39ea7dc358fc409328507653cc52
Opcode Fuzzy Hash: 2638c5ce72f0679b3c4d08a5c997555f926058d91acaec039de3bf5e29325a7d
Instruction Fuzzy Hash: 1E61BF719242079FDF289F28DD82BEAB7B8EF04380F14806AE805C6585FB74DDA5DB51

Function 002ABE0F Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 002ABF07
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 002ABF11
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 002ABF1E

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d06df3bd0644f19ad9310b0dab81db4a8290fa61f7b86bac0519cc57db98b755
Instruction ID: c442a4805af6d399c22eef77cb7b2605fcc9b0d52f9b3aaa8d5635497b9b2005
Opcode Fuzzy Hash: d06df3bd0644f19ad9310b0dab81db4a8290fa61f7b86bac0519cc57db98b755
Instruction Fuzzy Hash: 0131E574911228ABCB21DF28DD89BCDBBB8BF19310F5041DAE81CA7251EB349F958F44

Function 002CC268 Relevance: 4.1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

Strings

gfff, xrefs: 002CCEB7
-, xrefs: 002CCE17
gfff, xrefs: 002CCE52

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: -$gfff$gfff
API String ID: 0-837351935
Opcode ID: ebb5f48ed8c1f46df3ca7e802c4689bd9c6416c223b09ec74931e76127cba49b
Instruction ID: d90209fbb1cbc9caea4944884c42d5146b16ba3aea9ab4fa71ffa7fb88a8f990
Opcode Fuzzy Hash: ebb5f48ed8c1f46df3ca7e802c4689bd9c6416c223b09ec74931e76127cba49b
Instruction Fuzzy Hash: 73E1903161C7928FC719CF28C08076AFBE1AFD9314F188A6EE8D997352D274D945CB92

Function 002EBA50 Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

87, xrefs: 002EBB3B
R?G=, xrefs: 002EBB2B
a/\-, xrefs: 002EBB0B

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 87$R?G=$a/\-
API String ID: 0-3222100567
Opcode ID: c297b0578884d341d4b8c8d2ebea2375a762d0eeafbfd6e7ca4e52638cf535df
Instruction ID: 41d6b7f58979f00ae0b3949178a131143fb6e72b8500c8119d1318f303e65ced
Opcode Fuzzy Hash: c297b0578884d341d4b8c8d2ebea2375a762d0eeafbfd6e7ca4e52638cf535df
Instruction Fuzzy Hash: 79B112749583468BC725CF29C89166BB7F1FF81314F988A2CE8D59B3A0E774D905CB82

Function 002F73C6 Relevance: 4.0, Strings: 3, Instructions: 294COMMON

Download Yara Rule

Strings

lC, xrefs: 002F7609
[M, xrefs: 002F75F1
I^, xrefs: 002F75F9

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: I^$[M$lC
API String ID: 0-3459864908
Opcode ID: 5426fd2ad614aebe9bf2137d00de55aaf2a0d0a90dbb6cb7222aa98a94740366
Instruction ID: 6a65b28abf37f4e4d156a7e11272d7441d6d60d0c0f4355410b1a099c911c9e0
Opcode Fuzzy Hash: 5426fd2ad614aebe9bf2137d00de55aaf2a0d0a90dbb6cb7222aa98a94740366
Instruction Fuzzy Hash: 4E81EE71A183168BE720DF18D851777B3B1EFA2750F08892CE9D54B3A0E3B9D905C796

Function 002F9790 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

sgz/, xrefs: 002F97BB
AE^1, xrefs: 002F9975
]\C , xrefs: 002F9961

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: AE^1$]\C $sgz/
API String ID: 0-1514024656
Opcode ID: d1c4fbfcbfbed1d9bd767d306693713e557d9b9b8ca1f08c8baeec1abf5e1330
Instruction ID: e6def12a9f41492e0d253e1566e7f64dcc25523be1809172a9e32c71c3d2599d
Opcode Fuzzy Hash: d1c4fbfcbfbed1d9bd767d306693713e557d9b9b8ca1f08c8baeec1abf5e1330
Instruction Fuzzy Hash: 3581C1B4518B818AE3358F39C5907A3BBE1AB53340F08896DD1EB5B386D7796405CF62

Function 0030B93C Relevance: 3.9, Strings: 3, Instructions: 138COMMON

Download Yara Rule

Strings

t}E, xrefs: 0030BBCB
[e\c, xrefs: 0030B964
@, xrefs: 0030BC29

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: @$[e\c$t}E
API String ID: 0-918470651
Opcode ID: 0cef1833a06ead749ae478d69e79b2ec7b6aa28724c1946c7a94438a53451a6c
Instruction ID: 0ee1ec16be1ee266438c1f4042355582a3de4f7c31b60412e732acc7324ee0f5
Opcode Fuzzy Hash: 0cef1833a06ead749ae478d69e79b2ec7b6aa28724c1946c7a94438a53451a6c
Instruction Fuzzy Hash: A341BB746093028BE715CF28C46163BB7E2EFD6309F18482CE1829B290EB34C906CB4A

Function 002B1F50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,002B0946,?,20001004,00000000,00000002,?,?,002AFF48), ref: 002B1F84

Strings

4=*, xrefs: 002B1F6F

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: InfoLocale
String ID: 4=*
API String ID: 2299586839-1836062006
Opcode ID: 18a31b9d1950a99595f97d8760ed2faa5b48b5c64931860d7fb5ce49d7fff2ef
Instruction ID: a75c8e58647581d158f19707bd9116556db14e4f372a12e94e9713f49d504ceb
Opcode Fuzzy Hash: 18a31b9d1950a99595f97d8760ed2faa5b48b5c64931860d7fb5ce49d7fff2ef
Instruction Fuzzy Hash: FFE01A35510258BBCB122F61EC09EEE3A19EF457A1F044011FD09652218B729D71AAD0

Function 002AE190 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ae356b703282245e46982a16b0c15d5e2b54d97083e81566a83ef1af4d191c
Instruction ID: 6c0683f8288804aeb2c1896a0495a1ae557e09e1aa3d3a5e5b1fa48ab1ba3e54
Opcode Fuzzy Hash: 92ae356b703282245e46982a16b0c15d5e2b54d97083e81566a83ef1af4d191c
Instruction Fuzzy Hash: F4F13E71E1021A9FDF14CFA8D8806ADB7B5FF89314F168269E815A7381DB30AD56CF90

Function 002FAFC8 Relevance: 2.9, Strings: 2, Instructions: 360COMMON

Download Yara Rule

Strings

gav`, xrefs: 002FB4D6
8>7, xrefs: 002FB28D

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 8>7$gav`
API String ID: 0-315841382
Opcode ID: 4ca61c2711ed270002dcb12c39466b93d52bdd0266d879013d660566178094b5
Instruction ID: 314c39ef3bb8a4fb41ab6a11faffd6803c5f9053034dc6b6da0ff4b4f824db9e
Opcode Fuzzy Hash: 4ca61c2711ed270002dcb12c39466b93d52bdd0266d879013d660566178094b5
Instruction Fuzzy Hash: ECC1D474614B858EE726CF39C4607A3FBE1AF53304F1889ADC4EA8B792C775A405CB51

Function 0030D620 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0030D913
P, xrefs: 0030D7AA

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: MJKH$P
API String ID: 0-3092794351
Opcode ID: e4d991c71839b364af27dd944d6ee727f6249d13d58c7a8be3f2149911eb1e0b
Instruction ID: d40a2572fa1ee836a86366039648ac192771790c5b042783be8097e81552c1dc
Opcode Fuzzy Hash: e4d991c71839b364af27dd944d6ee727f6249d13d58c7a8be3f2149911eb1e0b
Instruction Fuzzy Hash: EDB1F1326093614FD326CE5888A072FB6E1EBC5714F16862CE9A5AB3D1C7759C46CBC2

Function 002FB266 Relevance: 2.8, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

gav`, xrefs: 002FB4D6
8>7, xrefs: 002FB28D

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 8>7$gav`
API String ID: 0-315841382
Opcode ID: ac8e35e2ba53b6f56c869ab1138b9646fe9cedce0f0aa12dc3155a16e1a3533d
Instruction ID: 31cb5338a4fff44db665ac67722590dca1bcb61fd50a41c19049c5c0233ff00e
Opcode Fuzzy Hash: ac8e35e2ba53b6f56c869ab1138b9646fe9cedce0f0aa12dc3155a16e1a3533d
Instruction Fuzzy Hash: 3FA1D370614B858EE326CF39C4607A3FBE1AF52344F18886DC5EA8B792D779A409CB51

Function 0030CD90 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0030CDF1
MJKH, xrefs: 0030CF64

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: MJKH$MJKH
API String ID: 0-2671171847
Opcode ID: 1136e558147c4f633bdffd0b88e4db1898f854eb3dea8c99557a1c309228dca3
Instruction ID: 78b96af90062f5dd8a8ed90321b38a0da6eb3bf3be515645e85f65d3aa00d3d2
Opcode Fuzzy Hash: 1136e558147c4f633bdffd0b88e4db1898f854eb3dea8c99557a1c309228dca3
Instruction Fuzzy Hash: C6910371A1A3019BE735CF64CC61BBBB7D2EF89310F54893CE999872C1E6319801CB96

Function 002F6A90 Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

Kwvq, xrefs: 002F6ABE
MNO, xrefs: 002F6BC3

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: Kwvq$MNO
API String ID: 0-948701108
Opcode ID: 36fb66e33f32a4e4203568b47c2a2a272bc78b20a2aea5167491f8fd019560a2
Instruction ID: 58469cdc65c2cd27f49e9d1ffa78160652553676c5711fffc683406eff284c57
Opcode Fuzzy Hash: 36fb66e33f32a4e4203568b47c2a2a272bc78b20a2aea5167491f8fd019560a2
Instruction Fuzzy Hash: 278100B25083948FD314CF28D85576FBBE1EB85714F05892CE5EA9B381E7B48909CBC2

Function 002FA261 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

C+N), xrefs: 002FA86A
4_2], xrefs: 002FA89C

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 4_2]$C+N)
API String ID: 0-865003193
Opcode ID: f3dde1f364c2ac19122c956b19f646a2200000e231a1a5fe83d71141fe3e7ce8
Instruction ID: 5e00b80a28b08e243a34f24df8e5c5fc061e2312186eec2afee67f1095daf7b8
Opcode Fuzzy Hash: f3dde1f364c2ac19122c956b19f646a2200000e231a1a5fe83d71141fe3e7ce8
Instruction Fuzzy Hash: F5710A74519B848EE3268F35C4907B3BBE1AF53344F4848ADC1EE4B286C779650ACB53

Function 002D8280 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

*, xrefs: 002D8298
*3, xrefs: 002D82CC

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: *$*3
API String ID: 0-20239172
Opcode ID: 9e0d93b3c3b16dc16128a736b581e60677b2ba48636828ab342dd6c1eaca591e
Instruction ID: 7045da1feef27d42e4300e94d2fb1e3d8332a6ae0e07b7032b688ed7a1504140
Opcode Fuzzy Hash: 9e0d93b3c3b16dc16128a736b581e60677b2ba48636828ab342dd6c1eaca591e
Instruction Fuzzy Hash: 3751DF7151C7828ED315CF29841476BBFE0AFE3304F28999EE4C49B392DB7988068B52

Function 002FA6B6 Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

C+N), xrefs: 002FA86A
4_2], xrefs: 002FA89C

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 4_2]$C+N)
API String ID: 0-865003193
Opcode ID: 105e2b1cc8ed26967a536be2abf09d8f9c3ca52378e71c2c9325f45cd807fa9a
Instruction ID: a7c67173c930118b1ff35c44e3d61ee0f7458abb31f411ab4918dc4f9007833b
Opcode Fuzzy Hash: 105e2b1cc8ed26967a536be2abf09d8f9c3ca52378e71c2c9325f45cd807fa9a
Instruction Fuzzy Hash: FE51C1B4515B858EE3268F35C4A07B3BBE1AF53344F4858ACD0EF4B286C779610ACB56

Function 002EEF70 Relevance: 2.6, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

L9D;, xrefs: 002EEFB4
01, xrefs: 002EEFC4

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 01$L9D;
API String ID: 0-286162271
Opcode ID: 6ec02ff8f8705f771715293091e07054b5d943dcaa09aba49db511dfa7819aee
Instruction ID: 94c83ce0b57f1114fb9a777eb8699ef1a4996152466e26a7d5f37ee286acf349
Opcode Fuzzy Hash: 6ec02ff8f8705f771715293091e07054b5d943dcaa09aba49db511dfa7819aee
Instruction Fuzzy Hash: CA2100619583418BD3109F29C85263BB6F4EF97360F958A28F4C8CB791F7388D54C7A6

Function 00309840 Relevance: 1.9, Strings: 1, Instructions: 631COMMON

Download Yara Rule

Strings

f, xrefs: 00309A43

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 0c6a8436a2adc5f8aeb8fd868c0ec21f6a3b64167c10a0e92c077d917db465df
Instruction ID: 66d3c103cc58dc01ea4d795455a677bf32c16e920cf116babf2a0b8d356fa3d0
Opcode Fuzzy Hash: 0c6a8436a2adc5f8aeb8fd868c0ec21f6a3b64167c10a0e92c077d917db465df
Instruction Fuzzy Hash: 0D22CE756093419FD316CF18C8A0B2BBBE2BFC5314F198A6EE4958B392D770D805CB92

Function 002B6E51 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002B6E4C,?,?,00000008,?,?,002BFC05,00000000), ref: 002B707E

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: dc7ad64767f6b36172404b5ee8b93aafab9f8c61aedd2f970507c9cf0449388c
Instruction ID: 09aef8b52a716e606631057fb52aba052aa68b074724a8aa7142998830166424
Opcode Fuzzy Hash: dc7ad64767f6b36172404b5ee8b93aafab9f8c61aedd2f970507c9cf0449388c
Instruction Fuzzy Hash: B7B14E31620605DFD715CF2CC48ABA57BE1FF453A4F298659E89ACF2A1C335E9A1CB40

Function 002A58F5 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002A590B

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b61e5c517c69a9169494136e787e7be17ff0edd55952d52e06497d83d8aacf79
Instruction ID: 9aad7b74677988b958fea571db963b15cb1a9243ac0939a23bbfd1ab8430cbff
Opcode Fuzzy Hash: b61e5c517c69a9169494136e787e7be17ff0edd55952d52e06497d83d8aacf79
Instruction Fuzzy Hash: 7CA1AE71921A16DFDB19CF64E886A9FBBF5FB48324F14812AD429EB390D7359840CF50

Function 002EE910 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

J, xrefs: 002EE9E5

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-793186624
Opcode ID: 0014f90ac7ba6fa0ba625283ae68f3912cdacf7303457fd4ec59a51b9219c706
Instruction ID: 4ae22da071a120efc1f98611a03b2f9cd8a0fe3df7d10bd4572a924258ee0a15
Opcode Fuzzy Hash: 0014f90ac7ba6fa0ba625283ae68f3912cdacf7303457fd4ec59a51b9219c706
Instruction Fuzzy Hash: E7C144B15583518BCB24CF29C85276BB7F1FF91354F498A1CE4C28B395E7788904CB92

Function 002F8F70 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

", xrefs: 002F9267

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b88f7633290bd7b85b040f54da1c10ae0dd7a5952399405581d81398b0962116
Instruction ID: 5a0288b65ed0acde21d4445dcce263c1499ff8a3752f69a68d156e596305f008
Opcode Fuzzy Hash: b88f7633290bd7b85b040f54da1c10ae0dd7a5952399405581d81398b0962116
Instruction Fuzzy Hash: D5D10672A2830A5BDB24CE24C49477BF7D59F94390F08893DEA8987381E734DD95CB92

Function 002CE820 Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

EqD, xrefs: 002CE873

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: EqD
API String ID: 0-3464846087
Opcode ID: 35025c906db6bc8461873c7f6d634259a4ab03f748692cbdafb0f3261488af20
Instruction ID: 5e8f9b596d6e8e75e587d53fca247cd3118ee74ea0c9c9b7739a259be84b4143
Opcode Fuzzy Hash: 35025c906db6bc8461873c7f6d634259a4ab03f748692cbdafb0f3261488af20
Instruction Fuzzy Hash: 93D1C572A183129BCB04CF28C881A5EBBE5FFC4750F168E2DF89597391E671DD148B81

Function 002BA782 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002BA7D6

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9587d7bdd34e4a5a8fe7f3506aa80281ace6701448eb2cf7782732815a9d0520
Instruction ID: 30d5ba9233eb5ee6b1a064dffbcdab8810dbce86a36331cce138e1b594d9c8cd
Opcode Fuzzy Hash: 9587d7bdd34e4a5a8fe7f3506aa80281ace6701448eb2cf7782732815a9d0520
Instruction Fuzzy Hash: 5721F272620207ABDB289E24DC42AFA73A8EF45380B10407AFC01C6541EB74ED26DB51

Function 002EB6A0 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

TU, xrefs: 002EB8D4

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: TU
API String ID: 0-2215587796
Opcode ID: a603a22b7ab688f63ba2b3a2b2306acb1e9b03ccd66410a86586d9466923dc8d
Instruction ID: 591860131e081114e6c54a11eaa7c037db7442d4043581bef73d386d56d8871b
Opcode Fuzzy Hash: a603a22b7ab688f63ba2b3a2b2306acb1e9b03ccd66410a86586d9466923dc8d
Instruction Fuzzy Hash: 038134B55583468BD314DF2AC89132BB7F2FFD5314F48892CE8958B791E3789905CB82

Function 002AB25E Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 002AB3E8

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ae1197353ceff2f68a0c727079a96aa3493b6c7bb4b4d85d12cf5feaf9991085
Instruction ID: 8a076d14a60f8fd755a2f7884a7d4d0e89f1a843b30e0b39650b7a0ca512a292
Opcode Fuzzy Hash: ae1197353ceff2f68a0c727079a96aa3493b6c7bb4b4d85d12cf5feaf9991085
Instruction Fuzzy Hash: CFB1F27092070B8BCF26CF68C5A16BEBBA1AF0B300F540A5AD952D7293DF71D925CB51

Function 002BA409 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

EnumSystemLocalesW.KERNEL32(002BA52F,00000001,00000000,?,-00000050,?,002BAB60,00000000,?,?,?,00000055,?), ref: 002BA47B

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 92da5ea801ea7e331913bbf17d0bd0438dc12c255d4bba7f3ae8f02e640ce9f2
Instruction ID: 71c6e89ba68020c8de3ddd49c975af736d3133e866ab17d7e3145a1d794f8cca
Opcode Fuzzy Hash: 92da5ea801ea7e331913bbf17d0bd0438dc12c255d4bba7f3ae8f02e640ce9f2
Instruction Fuzzy Hash: C1110C3B6107025FDB289F39D8955FAB7A2FF80398B14442DE98687640E771B952CB40

Function 002BA9B1 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002BA74B,00000000,00000000,?), ref: 002BA9DD

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 2daaa2e909b67fa5accc315a99f174267d0b0f9b2192f6ee9f2d3c846d2c2957
Instruction ID: 9417802e37ae1d2bc8eca7996698622ed274c80c223a062805fe99c3c0a79f4c
Opcode Fuzzy Hash: 2daaa2e909b67fa5accc315a99f174267d0b0f9b2192f6ee9f2d3c846d2c2957
Instruction Fuzzy Hash: 65F0F932920112BBDB245A64C946BFA7768EB41794F054428EC06B3180DA74FEA2C6B1

Function 0030F840 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0030F893

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: MJKH
API String ID: 0-1589446790
Opcode ID: eba3ca80d2eed2c5827367e46593e4947e03e2a93cf3c22ff2e31f660b972c2a
Instruction ID: cd7d211105c1f2d8cb20163e19882f1e4b5a870d2ed8de47eec1296384408ce8
Opcode Fuzzy Hash: eba3ca80d2eed2c5827367e46593e4947e03e2a93cf3c22ff2e31f660b972c2a
Instruction Fuzzy Hash: 6691CE35B093119FD736DF28C8A062AB3E2BF89710F16853CE98597791D731AC51CB86

Function 002BA4A4 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

EnumSystemLocalesW.KERNEL32(002BA782,00000001,?,?,-00000050,?,002BAB24,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 002BA4EE

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 51b65afc8311c8207bb04f737f4ff6197e051a2e854bd189ce8ce69c1d733875
Instruction ID: 1ef6e99a21722c0c65332ff6be57020eef44d5d13ce8fb9f698076f0cb84e310
Opcode Fuzzy Hash: 51b65afc8311c8207bb04f737f4ff6197e051a2e854bd189ce8ce69c1d733875
Instruction Fuzzy Hash: 0FF0F6362103055FDB245F399886ABA7BA1EF813A8B05442DF9458B690D6B2AD52CB50

Function 0030F540 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0030F593

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: MJKH
API String ID: 0-1589446790
Opcode ID: c60d995ea1513887eb4da529178366a9853ba3c03e019ff3515f872f39185351
Instruction ID: b199cf508f79aa1e5cf0443637468b67cd153d7e5485bae8485cd6f97719135b
Opcode Fuzzy Hash: c60d995ea1513887eb4da529178366a9853ba3c03e019ff3515f872f39185351
Instruction Fuzzy Hash: CE81C6356093019FD726DF28C8A0A2A73E1FF99750F16857CE9818B7A1E731DC51CB86

Function 002B1A66 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 002AC15D: EnterCriticalSection.KERNEL32(?,?,002B2506,?,002CA2F8,00000008,002B26CA,?,?,?), ref: 002AC16C

EnumSystemLocalesW.KERNEL32(Function_00011A59,00000001,002CA298,0000000C,002B1E4C,?), ref: 002B1A9E

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: e7613c46cb0fdf644cc94675522c8d736dee314cc9b1d0804430fa9c3c67d32f
Instruction ID: 0c6a0311ac040d4b46c4c377f7f93ba6db78cfce6de736cbff0dcc3b0c42bfdf
Opcode Fuzzy Hash: e7613c46cb0fdf644cc94675522c8d736dee314cc9b1d0804430fa9c3c67d32f
Instruction Fuzzy Hash: 86F04932A10214DFDB01EF98E846B9D77F0FB0A721F10812AF915DB2A1DB755960CF41

Function 002BA3BE Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,?,002A9D84,002C9F68,0000000C), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000), ref: 002B28D4

EnumSystemLocalesW.KERNEL32(002BA317,00000001,?,?,?,002BAB82,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002BA3F5

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ce9175640eb1bb28f149a0b1469c0d84b98bafdd13fb2071c7bbd1e1ee89e37e
Instruction ID: 673bac80b97f78b8b8329a2ad1780fd1116e08c38679660570f0f2d13862b436
Opcode Fuzzy Hash: ce9175640eb1bb28f149a0b1469c0d84b98bafdd13fb2071c7bbd1e1ee89e37e
Instruction Fuzzy Hash: 98F0553A30020697CB149F35D80AAAABF90EFC2790B0A4098EE058B640C6719C93CB90

Function 002A6120 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000612C,002A532B), ref: 002A6125

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a0c5e61e66d7393e51c868e6862473a9ca59e315d0ef81ba6be7a6b10aca0ca5
Instruction ID: 5d0caf60c004f24076c26d85b2188537f14b35eece43c0ff2930d4be1981e1a2
Opcode Fuzzy Hash: a0c5e61e66d7393e51c868e6862473a9ca59e315d0ef81ba6be7a6b10aca0ca5
Instruction Fuzzy Hash:

Function 002FDDC0 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

0, xrefs: 002FDE42

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: acf3292e7c67ae378b7fe06a9f0383c4af1544eb94d4d58325473d23c5c899d8
Instruction ID: 804dacba67bbbff8b078f0d9a25055ad352b30d1dd60e852e1b4e8537fbd5a23
Opcode Fuzzy Hash: acf3292e7c67ae378b7fe06a9f0383c4af1544eb94d4d58325473d23c5c899d8
Instruction Fuzzy Hash: 498146379395A947CB158E3C48902B9EB534B97370F2E83BDCEB15B3E5C5A90C1683A1

Function 002FBDC7 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

xl&w, xrefs: 002FBC80

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: xl&w
API String ID: 0-3283944080
Opcode ID: f6ac4ba04ed318b3f27e443f90f4804ebf7ce7fd35bad91afc46b790b5aeea52
Instruction ID: 37952d9fafc46a6c8557470fbc1134222b2fa5f3a863b45360e5afb1c610d8d2
Opcode Fuzzy Hash: f6ac4ba04ed318b3f27e443f90f4804ebf7ce7fd35bad91afc46b790b5aeea52
Instruction Fuzzy Hash: BA510160268B858FE7268F35C4A03B3FBE29B93344F1885BDC5E78B296C7296815C751

Function 002F1E60 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

8;, xrefs: 002F1EA3

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 8;
API String ID: 0-3880601376
Opcode ID: 7ecb673db76c22923c440afbbf4a8b0a9c008e4a404bc89566dec70be081ff74
Instruction ID: b739aca7b31825cdad253e40d993e6cbdd49dd33b5cd27406b2a085553b2bd32
Opcode Fuzzy Hash: 7ecb673db76c22923c440afbbf4a8b0a9c008e4a404bc89566dec70be081ff74
Instruction Fuzzy Hash: 21510FB56583058BD304CF24DC91B6BBBE1EFD2390F04892CE5D58B781E7799909CBA2

Function 002F2610 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

3t, xrefs: 002F2888

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: 3t
API String ID: 0-3730750879
Opcode ID: 5a95e2e8349052b6d3c85cec957bcff1230419c76787d701f9b3c67991eb9d45
Instruction ID: dccbc760b315c9ecdd0eafaa8bf0a8e0c7834207a373eb186ba0492ab72206bc
Opcode Fuzzy Hash: 5a95e2e8349052b6d3c85cec957bcff1230419c76787d701f9b3c67991eb9d45
Instruction Fuzzy Hash: 9D71F0B66183409FD304CF29C88126FFBE2ABD6754F149A2DF4D86B344D770D9098B92

Function 002D7DC0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

\_, xrefs: 002D7F59

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: \_
API String ID: 0-2885897410
Opcode ID: 10f6306e3cd2986815440ce296398dc14b467fffa91fca07c6c850d5dcc703b3
Instruction ID: 091073ad2962ab7884fdbe00d4c3e22d07a2be3c872c783910c2415a25fabb4f
Opcode Fuzzy Hash: 10f6306e3cd2986815440ce296398dc14b467fffa91fca07c6c850d5dcc703b3
Instruction Fuzzy Hash: 6D5128326587014BD7189F359D1636FBBD2DFC1314F18C52DE4829B6D1EA788C068B46

Function 002FBC41 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

xl&w, xrefs: 002FBC80

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: xl&w
API String ID: 0-3283944080
Opcode ID: e3dc08f7d0a73ea1f9f11ca5237e5a0bd880004a4dd2586de4815b664aa85c31
Instruction ID: e845e0281f90818f84cd03be6690dad93cdf631b5c40b1865d0afafcc8c18eb8
Opcode Fuzzy Hash: e3dc08f7d0a73ea1f9f11ca5237e5a0bd880004a4dd2586de4815b664aa85c31
Instruction Fuzzy Hash: 2A411474624B468EE7368F34C890BB3FBA2EF52344F18847CD6D78B296D7256811C715

Function 002F2290 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

LM, xrefs: 002F247A

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: LM
API String ID: 0-360198107
Opcode ID: 06bc9ca53dbdb2c424167b523210f65b638c0ce14d6acdfa06f741ba50a8ace4
Instruction ID: c5a6dbecb5e8074c3eb9e80051621524761d2228e38ff732d357faec374d36e2
Opcode Fuzzy Hash: 06bc9ca53dbdb2c424167b523210f65b638c0ce14d6acdfa06f741ba50a8ace4
Instruction Fuzzy Hash: F75196B1418381ABE700DFA4A85062FFBE0EF92754F149E2CE5D06B295D770C806CB4B

Function 002A1D0A Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z81xbyuAua, xrefs: 002A1E2C

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: Z81xbyuAua
API String ID: 0-3121583705
Opcode ID: 8b2b4be5edc905a2cebeefe5ee329258f6e9061c2b68352c87fc8dcbd8a05697
Instruction ID: bb40825f23678d96217c287a16a2c8e950b2e7b528094ebe9af5807b70982881
Opcode Fuzzy Hash: 8b2b4be5edc905a2cebeefe5ee329258f6e9061c2b68352c87fc8dcbd8a05697
Instruction Fuzzy Hash: 24411E76E305274BCB4CEEB8C5561AEBB65E747320F044279DD11DB3D1E634CA218AD0

Function 0030B9CB Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0030BA34

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: MJKH
API String ID: 0-1589446790
Opcode ID: fa6d397bda8ebcd5a5cfbc49577cb45846bdd787be9d5062e3e957ffc420d811
Instruction ID: e827b2e6bc50ad1f65c4698cc8b3ad96f3a5b1eb3badfd7cfeeb9c51c8a5adad
Opcode Fuzzy Hash: fa6d397bda8ebcd5a5cfbc49577cb45846bdd787be9d5062e3e957ffc420d811
Instruction Fuzzy Hash: 683103347562028BE326CF188C647277296FFC631AF299678E052E72D0DB70C806CB59

Function 00305500 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

IK, xrefs: 003055D3

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: IK
API String ID: 0-3928182224
Opcode ID: 56661674ddd196125949858854e61f3e4e9d97a1b983f8a5867d9c3165c57ed7
Instruction ID: 327d2c0f63b34ab2883599df7aaabac292a62e3e2bee64d14befca4a9d7d1041
Opcode Fuzzy Hash: 56661674ddd196125949858854e61f3e4e9d97a1b983f8a5867d9c3165c57ed7
Instruction Fuzzy Hash: 5A41B876A183009FD314CFA1D89265BFBF1FB9A304F05992CE5959B341D774C809CB9A

Function 0030F160 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0030F1C8

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cb3f65625e6e7d249f5b10247d980b5dd8d52dc0dcd54fc1dce5e7340e57417b
Instruction ID: 5e0ecde66d04d27d9c381f9c2ce07b966fa9fced32759791ad70d567c5fa093c
Opcode Fuzzy Hash: cb3f65625e6e7d249f5b10247d980b5dd8d52dc0dcd54fc1dce5e7340e57417b
Instruction Fuzzy Hash: 2A310E795093049FD320DF58C89136BBBF8FFC5314F14883CEA9887291D37999488BA6

Function 002D9859 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

LD, xrefs: 002D985E

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID: LD
API String ID: 0-1004928874
Opcode ID: 0a79b18b3cf71cc35f5831930cb33ec61ce13f661e2b316a191cfc4ea4eb646d
Instruction ID: 749ee774e5372ea69d60d732c02865c3803916bed1e1fb9e533aa422c97ca9aa
Opcode Fuzzy Hash: 0a79b18b3cf71cc35f5831930cb33ec61ce13f661e2b316a191cfc4ea4eb646d
Instruction Fuzzy Hash: C5F0EDB88142418AC304DF00D86223673B0FF87744F002429E98ACB391EB35AC40EB2A

Function 002BACE2 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 002BACE2

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 26a74b6e6659538c6c4716ceb76b609687c9aa0d7a5f391399b056d65fe09be6
Instruction ID: f878967594396f9d81d35072de8db4d87da01adc9db38feb771953e7845b3a28
Opcode Fuzzy Hash: 26a74b6e6659538c6c4716ceb76b609687c9aa0d7a5f391399b056d65fe09be6
Instruction Fuzzy Hash: 52A011B0200200CF83008F33BA0A3883AECAA0AA80B08802AA208C0020EA2880208F00

Function 002D6B40 Relevance: .8, Instructions: 831COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd78b4c60dd5f9cfea151a7ce302f7e7a30702bc287e926b4d7a4ec953a1e4f
Instruction ID: 7d980e58dfb16972f0bac629c6caf561a54ef7a1b68b05caf2075cf7cc44686f
Opcode Fuzzy Hash: 6cd78b4c60dd5f9cfea151a7ce302f7e7a30702bc287e926b4d7a4ec953a1e4f
Instruction Fuzzy Hash: 0E52C5316287118BC725DF18E88426EB3E2FFD4305F25892ED99697385E738ED61CB42

Function 002ED3C0 Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cfee72dac46c0eb379e5a6b1e13882b08bdf29daae6b479ae2f7a5823277694
Instruction ID: 958a930635df36ad0e0b875596cd94ee16bc948df5c4e4679bf629fb46153222
Opcode Fuzzy Hash: 8cfee72dac46c0eb379e5a6b1e13882b08bdf29daae6b479ae2f7a5823277694
Instruction Fuzzy Hash: EE7289B0508B818ED3768B3D8849787BFD56B5A324F088A5DE0FE873D2C7796105CB66

Function 002D6030 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5271431dcd1213e40af593cab59d3b06915764223f1fb1a066354286724bebe6
Instruction ID: 3877c6d1488298f259844f2729066e0c9b49162dfef7d9dbf958dd31671b47c7
Opcode Fuzzy Hash: 5271431dcd1213e40af593cab59d3b06915764223f1fb1a066354286724bebe6
Instruction Fuzzy Hash: 9C52E6B09187858FE734CF24C49C7A7BBE1EB95314F14882FC5EA06B82C2B9AC95C741

Function 002D1F00 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bcb5a2be521062ce6de001c9d93a7f8df923a2656bd624607cb57e0fedfc2a
Instruction ID: 8bfad6076bad2623b495d877500b1cd7fd6e7e169d6c0fe2ae516e56eb03693f
Opcode Fuzzy Hash: 63bcb5a2be521062ce6de001c9d93a7f8df923a2656bd624607cb57e0fedfc2a
Instruction Fuzzy Hash: 0352E131518346CFCB19CF28C0906AABBE1FFA8314F198A6EE89997341D774DC59CB81

Function 002EC2A0 Relevance: .7, Instructions: 667COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77334416f8b0e68a6fd2d1c428c37ef8510348aefc4d2b4119dbc88903b7a969
Instruction ID: 3ae70ad2f1a6695b4f6674e2032ced40a489ee1e68ef3517cb70fc20a07b7e14
Opcode Fuzzy Hash: 77334416f8b0e68a6fd2d1c428c37ef8510348aefc4d2b4119dbc88903b7a969
Instruction Fuzzy Hash: 693214716583819BD734CF56C851BABB7E2FFC4304F64892DE4899B381E774A812CB92

Function 002D2920 Relevance: .6, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdabc3ba92e8a9de5319386587eb60edbff373e61f8f7e770eb57110442e385
Instruction ID: 727cdae9a4a3b473adbd722a5d4ba7d08f5dbcf1bd93d8e91adbc75039359681
Opcode Fuzzy Hash: 6cdabc3ba92e8a9de5319386587eb60edbff373e61f8f7e770eb57110442e385
Instruction Fuzzy Hash: 99423370624B11CFC328CF29C59066AB7F2BFA5710B644A2ED69787F90D776B858CB10

Function 002D4F00 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a2b2125c60903ea883d38cab1796ee77100bb580198cfed62a5c9224c3e6d1
Instruction ID: cb4d042b92d95aaf430f66af31f712cc31c72b84a121d111787ac5c378500516
Opcode Fuzzy Hash: 69a2b2125c60903ea883d38cab1796ee77100bb580198cfed62a5c9224c3e6d1
Instruction Fuzzy Hash: CA12D5352587418FC704CF29C88176AFBE6AFC9304F18886DE4858B351EAB6DC56CB92

Function 002D7890 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad36afbf0f696626e54985cae60896ce10c1deb1c49a8612ca181501e5d9bda
Instruction ID: 9e0188beb4bff96f807defc8ffb05af2e680b0a567aba7cce98351f17b7eecb5
Opcode Fuzzy Hash: 2ad36afbf0f696626e54985cae60896ce10c1deb1c49a8612ca181501e5d9bda
Instruction Fuzzy Hash: 4EC11A32A1C6424BC3118E2DC84025AF7E7EFD5324F6ACA1BD4D4973E8F6789C528B81

Function 0030D100 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e1a3bb057f5cfa696cacd2a3139aaa2945eeb51de94c07f6eff32c8cd012b6
Instruction ID: 7b83fdfc34002b0ca1d9d0644bb72df1a347e03c119884771d842c5aa1fe8dac
Opcode Fuzzy Hash: 89e1a3bb057f5cfa696cacd2a3139aaa2945eeb51de94c07f6eff32c8cd012b6
Instruction Fuzzy Hash: E5B16772A093104BE3159E68CC5176BB7DAAFC0324F194A3DFD95973C1EA78EC058782

Function 002FB668 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b8739c631daa66496d642fcdd3669062bf22f4a61a4d1a3807ad02349d5667
Instruction ID: f46700ae9f5491802298613f9865e8ebad36ad3537627485fc99ef08d562484e
Opcode Fuzzy Hash: 07b8739c631daa66496d642fcdd3669062bf22f4a61a4d1a3807ad02349d5667
Instruction Fuzzy Hash: 80A1CD70614B458FE32ACF39C4617B3BBE1AF56345F18886DD1EB8B682C778A4058B11

Function 002D5BA0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bad06fd6ba537ee727fb790b1ba54bd1938b7fd49f989a726dc1cb2cbd8d5cc
Instruction ID: 2d9754f4e4332895e4e7b1e0d3574928894d5da7b4addd7d945fb0f7dea61fea
Opcode Fuzzy Hash: 0bad06fd6ba537ee727fb790b1ba54bd1938b7fd49f989a726dc1cb2cbd8d5cc
Instruction Fuzzy Hash: 72C15AB2A187418FC360CF28DC86BABB7E1BF85318F48492DD1D9C6342E778A555CB46

Function 002F0AC0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd2eed04f6ee8de774930118f10217c76d00b22341c92e1a89d9708d7aaef3c
Instruction ID: cdfc6f6171dfb25e2643ad637fa4db5a4dbee5a96dbb2b00a3a658e8eb14c5d8
Opcode Fuzzy Hash: 3cd2eed04f6ee8de774930118f10217c76d00b22341c92e1a89d9708d7aaef3c
Instruction Fuzzy Hash: 5571F4B16242099BDB209F64CCD2B77B3A4EF85398F044538FA86CB291F775E814C761

Function 002CFFCA Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304afed5a4fc590603e83fa9c9e0a9215951cd49856433c17ab3032eb44e6c35
Instruction ID: 9c61a1c9141749c2be444f5b6097a01207ab3660f0c6836737569c95cedf2f7e
Opcode Fuzzy Hash: 304afed5a4fc590603e83fa9c9e0a9215951cd49856433c17ab3032eb44e6c35
Instruction Fuzzy Hash: AF91ECB19283428BD7258E55E4C072BBAD2AFA1314F1C857FDD854B3A2E7B0DC69C781

Function 002F4CE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6749809379286466afeccfeff00fd6f9517f010ed0ccf5115efa92393819f46
Instruction ID: 21e3e3be93b72e095980db68dc6b98b381f82bfad4515f06659dd148eb9bf667
Opcode Fuzzy Hash: a6749809379286466afeccfeff00fd6f9517f010ed0ccf5115efa92393819f46
Instruction Fuzzy Hash: F3716FB1A283055BE724AF24EC91737F6D6FFC1794F18843DE6428B385E6B89C248751

Function 0030F280 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6941307a5ed04466f9da42742a1a27ef6585ef3bd95dffff27fb40bd4572e267
Instruction ID: 99f1f344dbcd69ff31428e1dd34c159531cd75db0cade17880a6681faabd14ee
Opcode Fuzzy Hash: 6941307a5ed04466f9da42742a1a27ef6585ef3bd95dffff27fb40bd4572e267
Instruction Fuzzy Hash: 1E7112356093019FD726EF28D86072FB3A2FFD5720F0A843CE8868B6D1DB3098518B85

Function 0030FB50 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f065c3c12e61c0a467c4d9816400eef10fcdd9dd3064b7c6c78264368d2a82
Instruction ID: 43fc775890a2eed277c225c9a877e3e678e8b202256a8e0208fbcc4d5f0d0f9c
Opcode Fuzzy Hash: 97f065c3c12e61c0a467c4d9816400eef10fcdd9dd3064b7c6c78264368d2a82
Instruction Fuzzy Hash: B3611471A093019FD3269B28D8A1B2BB7A2EBD5710F19893CE8858B6D5D634DC45CB82

Function 002CFF30 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f99aab2791bd1aba6dfb3b61b9a4968c41f01324f8c9ecb9249fe38aea401d4
Instruction ID: 9d0390dae06d0f169562523bf69763cb1b79c0c16008e70155a702eca80fa4f3
Opcode Fuzzy Hash: 5f99aab2791bd1aba6dfb3b61b9a4968c41f01324f8c9ecb9249fe38aea401d4
Instruction Fuzzy Hash: 3B7126B69297438BE7258E18D48432BFBA2BFE1304F19865FD8994B361E7B1CC25C741

Function 00308AD0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7716a1d12a53a186e268012c72d539660041feecce5556202cdd5621d0104c
Instruction ID: 7f23fa6d6e3e752c4039e0a5cb3335e219da2789bda80d8d16d33e9114447157
Opcode Fuzzy Hash: 6c7716a1d12a53a186e268012c72d539660041feecce5556202cdd5621d0104c
Instruction Fuzzy Hash: 705139BAA066109BE715CB18CC60727B7B2ABC5714F1B847DD5C66B381EA319C01C7E5

Function 002F054E Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b3d88f2fb89febad35887293a8ccc8d141cdd483a8086617716e075b2b4896
Instruction ID: af6cbf006d06c4793e68e62a8565921d15301161135518814beed99b3c652f46
Opcode Fuzzy Hash: 53b3d88f2fb89febad35887293a8ccc8d141cdd483a8086617716e075b2b4896
Instruction Fuzzy Hash: AE714A32A146448FD714CA3CC8913ADFBE2AF96324F2982A9D5A5CB3C2D7758C42CB41

Function 00304760 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b6ea0227616b0150ee4cac195174764c7e9efb1a3d28bae12c78286de8a1b
Instruction ID: ba7d21bced6966e589c46b80cc8966332df1be8684f3f98c624d029570695122
Opcode Fuzzy Hash: 914b6ea0227616b0150ee4cac195174764c7e9efb1a3d28bae12c78286de8a1b
Instruction Fuzzy Hash: EF516CB16097548FE314DF29D49435BBBE1BBC4318F054A2DE5E987390E379DA088B92

Function 002FDBB0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538a3d60b0eacfcd248c93962c2d3e0ec11bc35ca634c75a3bc330a609f9bf5f
Instruction ID: 2c0c79c9f371ab68aef4bf46af06e63f848e231d1e27fc471eeb7b57ec7ff597
Opcode Fuzzy Hash: 538a3d60b0eacfcd248c93962c2d3e0ec11bc35ca634c75a3bc330a609f9bf5f
Instruction Fuzzy Hash: C851183773A58547D7155E3C4C502B9EB130BE33B873E837ADAB54B3E6C9A248229351

Function 002D07C0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a885e886c42067f7fb1eabad49ca0b64fcf4c5a9d92c2d3f83371cc2ab76d3
Instruction ID: 77cc8b081c76d2c8880fa791b80e8c4f2fb28e41f95d7125d5622b513161fb2a
Opcode Fuzzy Hash: 56a885e886c42067f7fb1eabad49ca0b64fcf4c5a9d92c2d3f83371cc2ab76d3
Instruction Fuzzy Hash: 2151C275E182119FD714DF18C890A1AB7A1FFC9324F15466DF8998B3A2E630EC61CBD2

Function 00305000 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b73a35417e612f7ee7c0e0ff057947091664b2b468358c48cbe8346e18a442b
Instruction ID: 9a5a57e35ef0f0e9d802c359efb0fad0622ab62ebc32388b1c90e9f0daa072b5
Opcode Fuzzy Hash: 0b73a35417e612f7ee7c0e0ff057947091664b2b468358c48cbe8346e18a442b
Instruction Fuzzy Hash: D341187464A7409BE7269B288CA4B7FB7A5EF96310F65C93CE4C2532D1D3309845CBA1

Function 002DFE4C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249454350583569174c0f98de3ca2017863044d016924bc6e6f322131f61306b
Instruction ID: a89fe9914477502aa89d693b1668db65948d2c7622adbc3e49d6b4b6526462f1
Opcode Fuzzy Hash: 249454350583569174c0f98de3ca2017863044d016924bc6e6f322131f61306b
Instruction Fuzzy Hash: 2951E172A19B418FC365DF78D8887A6BBD1AB4A320F588A7DD4FBC33C1D634A5058B01

Function 002F9D11 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e31656177c183fb541481db3e2539ab1be7d2d24883c4ca026d88ee57ab6b11
Instruction ID: ae27c08c0dd559e3ef7f286e739db7238efa9acddd1044963103c01fb2d64e48
Opcode Fuzzy Hash: 5e31656177c183fb541481db3e2539ab1be7d2d24883c4ca026d88ee57ab6b11
Instruction Fuzzy Hash: CC4123A44087958AE7328F2984E07B3FFE1AF63341F18489DD6E71B282D2316455CB62

Function 002F5CF8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f65af5c3b178ec7705effdb494ca39605f2373f4d4f7596505f723ee1dc7d3
Instruction ID: 8686f654188e6c835983ff4661b9bc1cad721c6e50b8ca573df98ad14690b25f
Opcode Fuzzy Hash: 18f65af5c3b178ec7705effdb494ca39605f2373f4d4f7596505f723ee1dc7d3
Instruction Fuzzy Hash: 0C41B1B1A18B095BC718CF28D88176AF7E2ABC4344F58853DEA5A87351EB34E810CB81

Function 00305B60 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431cdeae81bd92e39937b166cfe828993fbc61acd9769d06a9611e0ac92f991
Instruction ID: c40522abafb70e2d391e15393d66c2ce985876a02f3065597dd717dcf437c311
Opcode Fuzzy Hash: f431cdeae81bd92e39937b166cfe828993fbc61acd9769d06a9611e0ac92f991
Instruction Fuzzy Hash: 6A316EB16067006BF622DB14DCA1B3B7798EF81748F454838FD46972D2E231DC05CB62

Function 002F3A90 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a706416a4ec37fe91d218cee431c79e76f8eea414cd31906ee00febf05944f
Instruction ID: dd1e1ac67333b4a0516d57a64bb352f1bb95a87769966ad862febed2ff7ee8d1
Opcode Fuzzy Hash: 94a706416a4ec37fe91d218cee431c79e76f8eea414cd31906ee00febf05944f
Instruction Fuzzy Hash: 2931C235E1111ACFCB14CF69C8909FDF7B2FF89750B1981A5E944AB260EB309D62DB60

Function 00305CA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b478f97dbd23c02cee91501e9308bccc420f24825f9ef5187180e8730c8a80f8
Instruction ID: 860b75d1f91b1a384cd8838362bb8fd0ddfb73cb3ea291fd81e402c53beba9f0
Opcode Fuzzy Hash: b478f97dbd23c02cee91501e9308bccc420f24825f9ef5187180e8730c8a80f8
Instruction Fuzzy Hash: 88313972A1EB144BD3165D3D8CA036FB796ABC6730F6A872EEAB14B3D1DA304C415781

Function 002F62F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f798abfb7db30e922267357b6e84ed5622787c9e7110ffc9bbddcfee32bf17
Instruction ID: 762f80a2a748a796436e3860a287a9c0307553fe656e2f84fc490274d3c828c3
Opcode Fuzzy Hash: d2f798abfb7db30e922267357b6e84ed5622787c9e7110ffc9bbddcfee32bf17
Instruction Fuzzy Hash: 3731F8705293118BE724CF1099E473BB3A3EF96B81F5444BCD94227256C7749C158B96

Function 002F366C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d838ef6c62e3138bdf27bf4396bff5534691e46e445b5c5da1bf969803110b
Instruction ID: e4a061a5fb146174ab3867acab7c0ebeb5bb09157228265f7e52f8d2f444ba54
Opcode Fuzzy Hash: b4d838ef6c62e3138bdf27bf4396bff5534691e46e445b5c5da1bf969803110b
Instruction Fuzzy Hash: 1521F134A2C2498BEF29CF648D907B9B332EF96380F5052B8C14A17262D7318D56CF19

Function 002F2100 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bedda99306a84c4e5ab5a0f65854d84da15a76777632c37de802f9c49d56d8e
Instruction ID: 9bf90c1b8fd70cc6ae51feef93ee2301a1da11a218601e357acd2469f147951c
Opcode Fuzzy Hash: 6bedda99306a84c4e5ab5a0f65854d84da15a76777632c37de802f9c49d56d8e
Instruction Fuzzy Hash: 5E317AB8119315CBD310AF64D4A122BBBF0EF92355F00692CF6D59B361E3788949CB9B

Function 002F3B13 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71852c5880d6724eb9fad988bce362eda1621b3250895a153e729ff70ae668e9
Instruction ID: dde08967712eac42f683b07857e28507d3a44efd8e926ad90af694acc71b77c1
Opcode Fuzzy Hash: 71852c5880d6724eb9fad988bce362eda1621b3250895a153e729ff70ae668e9
Instruction Fuzzy Hash: F6219E35E1021BCBCB14CF68C4909BEF3B2FF8975471A8069C544AB364EB319E62CB50

Function 002F4861 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710ddec19256f3a31814aca126abc747fca24c03a0dd348811ed2364e01891ac
Instruction ID: 5accc196f45ab6ef718fe0c4df6e84d4990ff83e36f9f0da0c0148b6509aa6ec
Opcode Fuzzy Hash: 710ddec19256f3a31814aca126abc747fca24c03a0dd348811ed2364e01891ac
Instruction Fuzzy Hash: 7C21A1B4E293498FD724AF14AC90937B3B2AF96380F54187CE2815B162D7A4CC658B99

Function 00304F30 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1649295fb1477b7db2a9cf3e44ab76b69c4b3aa479a04e88ae5594c86e9f7d4
Instruction ID: cc14b2b6e0af3bf253a81510078c684d07ad578e050ba6f67de240ab2fd4259c
Opcode Fuzzy Hash: e1649295fb1477b7db2a9cf3e44ab76b69c4b3aa479a04e88ae5594c86e9f7d4
Instruction Fuzzy Hash: D0117B6170521249C3209F95D891237F3D9DBCD724F0A857ADA849F1C1E271CD41C3E0

Function 0030BD1C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af618a4c74c0d27f4e539dac156e552964cc6e47e05d198294d4173f51e3b820
Instruction ID: 87c8925b0b82daff53f9c26da874062896b4c47375edd6f1f94404ac67a3e184
Opcode Fuzzy Hash: af618a4c74c0d27f4e539dac156e552964cc6e47e05d198294d4173f51e3b820
Instruction Fuzzy Hash: FC21D235789301AFE321CF19CCD1B27B3A6EBC6301F299538E5A1972D5CBB0E8068B55

Function 002F8481 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c3e4d4027d95c045af33911517315b22eacbe4de32b28414fd99babad28f2b
Instruction ID: 9125e27ca7e00f0e6813b51445743efd98c8653c8f682ccb0c1aece6684ee21a
Opcode Fuzzy Hash: 41c3e4d4027d95c045af33911517315b22eacbe4de32b28414fd99babad28f2b
Instruction Fuzzy Hash: 48113A72539602DBDB25CF0498A163AF353BF91391F98843DD54317145CB7188268AA6

Function 003025E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9903459dcd51a5926db1f31f368607678940fdfb00b9b870c99c51102f60a9d6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: AF11E933A061D80EC3178D3CC414966BFA35BA3634F194399F4B49B2D2D6678D8E8354

Function 002F89C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbfd6af418708a7af940c40c0cfd311d8c3b64625c6a4e35f2ca54d12086664
Instruction ID: 9ab4d3f282276ce8370e3973d3c55271593a631bac56d26e13180830d3a4606d
Opcode Fuzzy Hash: 0cbfd6af418708a7af940c40c0cfd311d8c3b64625c6a4e35f2ca54d12086664
Instruction Fuzzy Hash: 4A01B1F162070647DB209E5494C4737F2A8AF91744F18043DEA0947342EFB6EC248AD2

Function 002F5F1F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20087f3877e2edef3d048e275c4f28355d3d23af0a11b5ec190535981245858
Instruction ID: fa38fc596a85cad8959aa003f34f648d5696c5d8305c5d3552fc3e469e22b3ce
Opcode Fuzzy Hash: b20087f3877e2edef3d048e275c4f28355d3d23af0a11b5ec190535981245858
Instruction Fuzzy Hash: E921A9B012C744AFE710DF11984062BFBF4AFD2354F200A1DF2996B251D775D9058F96

Function 002D9044 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3be47c5f3a7ba11e6894c4f50fda181ad68b8f1d3eadd35cdc6084dae2bddd
Instruction ID: dd93049fb90b3838ca9af78440e27b87c51571b8c880dc2c69dffbe941dae03d
Opcode Fuzzy Hash: dd3be47c5f3a7ba11e6894c4f50fda181ad68b8f1d3eadd35cdc6084dae2bddd
Instruction Fuzzy Hash: 051115BDC214119FE7019F22FC51928BAA2F717316B448835F81235BBBEA3315149B5D

Function 002D1BC0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc448f7a0757570887804c70dd0cc10aca0ed51d0c2ec81a21aa56c3fe11213
Instruction ID: f941e9b1d0bcf0c9079386c9e1914787e9a4abdf263801fd169bfc1a5c0e88a8
Opcode Fuzzy Hash: 5bc448f7a0757570887804c70dd0cc10aca0ed51d0c2ec81a21aa56c3fe11213
Instruction Fuzzy Hash: AAF0F63A7E862707A714DDD6ECC0867F397E7CA255B1D913AD94093B05C570FC1282E1

Function 002DB5ED Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c741f2df6dd4210371a30b7680689da59355ccae8eb591f21f6be8eb3c74ee8
Instruction ID: 0b38df70ffc7f1d3627a28ef40f4c60484faa984f219a69f1cb601e40a8c5606
Opcode Fuzzy Hash: 5c741f2df6dd4210371a30b7680689da59355ccae8eb591f21f6be8eb3c74ee8
Instruction Fuzzy Hash: 54014275A056428BD718DF39D84573BBBF5EB83701F448A3EE892D3AC0CA34D8018B15

Function 0030B69B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39197561d33f0aa41b1e17115bef9b7e7304498ef22fdee88eeb57b766e7605e
Instruction ID: 5aa47f5b614032c63c5ea1145dea4793d40bdc9e2638f34d05a8e2dc0adb49c6
Opcode Fuzzy Hash: 39197561d33f0aa41b1e17115bef9b7e7304498ef22fdee88eeb57b766e7605e
Instruction Fuzzy Hash: E9F0F4227AC3044BE3205DA8ACD126BF656FBE1124F1E523DE8D497AC0D1A95C4253D1

Function 0030E616 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a080dcadb068f1eb380c05969e8fb25d59c9dc899e53cf341e44b39f0957ce
Instruction ID: 7f5039bb0d4a8fb1dd07fbfe1101ce9e6af8c3870da36cea5284dfa2ddfb5f9f
Opcode Fuzzy Hash: 02a080dcadb068f1eb380c05969e8fb25d59c9dc899e53cf341e44b39f0957ce
Instruction Fuzzy Hash: 86F04671E506528FC349CF59C8A06BEFBE3ABCA311F0E94BDC183A7295CA708905C790

Function 002FA631 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443fa187ee46ee4956dfbba196d6768b3ac7b3f65f66dd8471e45128e47c50b0
Instruction ID: f41f69fc73834b898b6b3f5d0c98615d166c795675bd0b2a4f65247040a62a1b
Opcode Fuzzy Hash: 443fa187ee46ee4956dfbba196d6768b3ac7b3f65f66dd8471e45128e47c50b0
Instruction Fuzzy Hash: 8EF0F0A0A63A418BDB691B3489657FA6BD6C3D2555F0ECABC838ADA50AD43C50074358

Function 0030DD45 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed301b781c508afa05feca731a1444efa6fbbb7ac641588382373ade77d8320
Instruction ID: 6a164094c9f86c59351f2257be1b027bd17349195d5061ed61c8ba5b943dcd4f
Opcode Fuzzy Hash: 3ed301b781c508afa05feca731a1444efa6fbbb7ac641588382373ade77d8320
Instruction Fuzzy Hash: 86F06D75E011018FC719CF28C8E15B9B7B0FB17310B5410E9D851EB342C27C994ADB64

Function 002B2B5D Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dd7c0d121006efe31c3cd602c915a0361a8b0e70717307f03d36f8c7cad8ac
Instruction ID: 3f894dae8d6c43fa2c62bbc3635b8e54c8f10b5c04a9563a945c07ecf3dec40b
Opcode Fuzzy Hash: 49dd7c0d121006efe31c3cd602c915a0361a8b0e70717307f03d36f8c7cad8ac
Instruction Fuzzy Hash: F8E08C32921629EBCB14DF88D904A8AF3ECEB48B94B11419AB505D7200C670EE10CBD0

Function 002F550F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374a1a830018020fd51593e5eef4d166aa2c26887ebe2b4d87b0c9bed8723a3a
Instruction ID: 2141b5d59008d7d3981c52667c700970688b636cb1bb49d9c7a124360ce0689e
Opcode Fuzzy Hash: 374a1a830018020fd51593e5eef4d166aa2c26887ebe2b4d87b0c9bed8723a3a
Instruction Fuzzy Hash: DBD0A70122CF7B874F190EA934F1275E7A74B173817D854BCDBC69B542D946C8275358

Function 00307480 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: fce843b2bd60873f436afd593e0e156ad58679a3627a855a05a4a5411b390ffa
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: A3D0A52190D36146DB748E1E9411577F7F0EDC7711F45555EF581D3198D230EC41C169

Function 002D9199 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebee45bc7a6e2427ab7cb834a4358e895651f36fadff84b888ab3f5421a96df
Instruction ID: 442969090c2b39f116bd3496240278acaf68c51574d6dc5d624beedd715a6797
Opcode Fuzzy Hash: eebee45bc7a6e2427ab7cb834a4358e895651f36fadff84b888ab3f5421a96df
Instruction Fuzzy Hash: 5FD05E3D9250019BE205AB50FC52924B2627343246F041874EC17F76ABDF129810565D

Function 0030BE23 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0fa3bf15fe9eaaac5235956751458610fcee81ea7529bb87bcba0797afb061
Instruction ID: 5db230ac84d3f04f14d33653bd3362530d74564c228cc66b1af891f2f5dc9c73
Opcode Fuzzy Hash: 6a0fa3bf15fe9eaaac5235956751458610fcee81ea7529bb87bcba0797afb061
Instruction Fuzzy Hash: BAD012B9EA10014BD11AEB25ACA253A7274778710CB443539D507D7343EA20D415C99F

Function 002AF4C6 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b479a11ccc6c2eceaea55d319ac4cd762b21b8c39f808f14f8525f6a159b148
Instruction ID: 1f2b3572bf5e643744de06d29e111f1c8c09145cd6b999db4582bc35020b8326
Opcode Fuzzy Hash: 5b479a11ccc6c2eceaea55d319ac4cd762b21b8c39f808f14f8525f6a159b148
Instruction Fuzzy Hash: 46C08C34020A0287CF39CE10C3713E7335AA397BC2F80049CC6028BA42DD1E9C9ADE00

Function 002E9833 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acd7cbf15b88e8a3d719f877b9b09acc4f25b279c41e0dae5fb15bfa60c6312
Instruction ID: a8a59bd2a4b1be09a2c5dd725aebc1b7b63c66522ad1c776ff4090974c169354
Opcode Fuzzy Hash: 9acd7cbf15b88e8a3d719f877b9b09acc4f25b279c41e0dae5fb15bfa60c6312
Instruction Fuzzy Hash: 4FB092E9C585008AE1102F243D464A6B12C1913208F453832E80722343B52AD9388C9F

Function 003057A5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d940699ed0374fdfbddcba99ab2e86f4a9f04a31f7bf4afb4e53d5570bbe217e
Instruction ID: 264a2a04fd6a7b9ed71bc5f858e32b7d2df66d8990e16e992b9b26c9dcc2babb
Opcode Fuzzy Hash: d940699ed0374fdfbddcba99ab2e86f4a9f04a31f7bf4afb4e53d5570bbe217e
Instruction Fuzzy Hash: 05B00278808600EFC2141F20AD48865B639A617206B01B8A0A407675218B38C4198E2C

Function 0030CB60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2bbf1c9e4930d35458fda86bee75dc8a34a8ec0f75ff2e4212e5bf2ca1a858
Instruction ID: e9339982bfbed642e4ab323d7f29f2df2e9a3a6c9714687af20f5799a5166c9a
Opcode Fuzzy Hash: 8a2bbf1c9e4930d35458fda86bee75dc8a34a8ec0f75ff2e4212e5bf2ca1a858
Instruction Fuzzy Hash: 83B01130A082008BA208CF00C8828B0F3B8EB8B220F00B808E0882B000C230E8008A0C

Function 002F7751 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234f341a0de99eb837a0fc85b6ed289acf0f5ba556e7ea080cfdc2f494f6fc9c
Instruction ID: fe3dd7fff2b5326232fff847e9f46e0532e682d7c888bd5e9edf5c6bb8e31541
Opcode Fuzzy Hash: 234f341a0de99eb837a0fc85b6ed289acf0f5ba556e7ea080cfdc2f494f6fc9c
Instruction Fuzzy Hash: C0A00235949200CEC741DFD4DD40575F6B5574B101F1478159158E3121D621D510575D

Function 0030DDC4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb70397eb4077f329cb6cd14b7b254a6e83837cf21ec43ede8c7868d86ca9b1
Instruction ID: eddda113ae00648caa7684ce5186575580cea7c413e3255082749c4c7a2c97c6
Opcode Fuzzy Hash: 7cb70397eb4077f329cb6cd14b7b254a6e83837cf21ec43ede8c7868d86ca9b1
Instruction Fuzzy Hash: 9BA00228E6C000868A08EF21E894471E2F97B5F304F513828C005B7455D911D400C50C

Function 002A516A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002A5170
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 002A517E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002A518F
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002A51A0

Strings

kernel32.dll, xrefs: 002A516B
GetCurrentPackageId, xrefs: 002A5178
GetSystemTimePreciseAsFileTime, xrefs: 002A5184
GetTempPath2W, xrefs: 002A5195

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 42f9171c93060340d1e13bed08e41270b6aa2a62a62ed1973c22006866e5666c
Instruction ID: 22aa0c7812a32fe7d455105b67f3f9e0759bf006ff196ae39ad88d7bfc593e45
Opcode Fuzzy Hash: 42f9171c93060340d1e13bed08e41270b6aa2a62a62ed1973c22006866e5666c
Instruction Fuzzy Hash: E4E0E6B1595760EFC3055F71BC0EE953BACBA0B741304417AFD05D2366DBF444648B50

Function 002A86D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002A8707
___except_validate_context_record.LIBVCRUNTIME ref: 002A870F
_ValidateLocalCookies.LIBCMT ref: 002A8798
__IsNonwritableInCurrentImage.LIBCMT ref: 002A87C3
_ValidateLocalCookies.LIBCMT ref: 002A8818

Strings

csm, xrefs: 002A87AD
4=*, xrefs: 002A87DC

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 4=*$csm
API String ID: 1170836740-2210737230
Opcode ID: f2823b01758d4e0e0e03296bd85600c0fb1b4b442fcec42618dc10f14b17dd04
Instruction ID: 7c49f1b01d334e03d1b8ad64a86afd55f536e89a49a08db6b284eed9b6962425
Opcode Fuzzy Hash: f2823b01758d4e0e0e03296bd85600c0fb1b4b442fcec42618dc10f14b17dd04
Instruction Fuzzy Hash: 0541C338E20209DFCF10DF69CC85A9EBBA5AF06314F248155E9189B392DF759A25CF90

Function 002A35FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A3603
std::_Lockit::_Lockit.LIBCPMT ref: 002A360D
int.LIBCPMT ref: 002A3624

Part of subcall function 002A166A: std::_Lockit::_Lockit.LIBCPMT ref: 002A167B
Part of subcall function 002A166A: std::_Lockit::~_Lockit.LIBCPMT ref: 002A1695

std::_Facet_Register.LIBCPMT ref: 002A365E
std::_Lockit::~_Lockit.LIBCPMT ref: 002A367E
Concurrency::cancel_current_task.LIBCPMT ref: 002A368B

Strings

4=*, xrefs: 002A366B

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: 4=*
API String ID: 55977855-1836062006
Opcode ID: 34d0bcd568d6039dd08f3f7f415050bac933042cc5258a25e889cd8512b73378
Instruction ID: c6ccd39ca21cbd0346a31060d5d314637fd486f848a63af7596c401e20ab5a37
Opcode Fuzzy Hash: 34d0bcd568d6039dd08f3f7f415050bac933042cc5258a25e889cd8512b73378
Instruction Fuzzy Hash: 4C11DF71920225DFCB05EF64D946BAEB7A9AF86720F14050DF401A7381DFB4AE20CF90

Function 002A8C38 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 002A8D57
___TypeMatch.LIBVCRUNTIME ref: 002A8E65
CallUnexpected.LIBVCRUNTIME ref: 002A8FD2

Strings

csm, xrefs: 002A8C75
csm, xrefs: 002A8D8E
csm, xrefs: 002A8CE2

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: d5942f16ac32baed65c5b1311498f9c27fa0e759169838382143f06668bb8a7a
Instruction ID: 7bd515567dfb44a12c3fa2bc9f57e5a8b651bbdcf3a4a8232d081d81a411feca
Opcode Fuzzy Hash: d5942f16ac32baed65c5b1311498f9c27fa0e759169838382143f06668bb8a7a
Instruction Fuzzy Hash: 89B18A71C2020AEFCF15DFA4C9859AEBBB6BF16310B54415AE910AB242DF34DA71CF91

Function 002A32C5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A32CC
std::_Lockit::_Lockit.LIBCPMT ref: 002A32D7
std::locale::_Setgloballocale.LIBCPMT ref: 002A32F2
_Yarn.LIBCPMT ref: 002A3308
std::_Lockit::~_Lockit.LIBCPMT ref: 002A3345

Strings

4=*, xrefs: 002A3314, 002A3338

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID: 4=*
API String ID: 156189095-1836062006
Opcode ID: f158dbf7cec12bb29f45f1e22de902b00797a513e8228ebc6ccc5939a51ed24c
Instruction ID: 60dce55dce6217a94dc419d12a347551f41906ccbc348f4706858d51a5647c40
Opcode Fuzzy Hash: f158dbf7cec12bb29f45f1e22de902b00797a513e8228ebc6ccc5939a51ed24c
Instruction Fuzzy Hash: 73015A75A10261DBCB06EB60E84597DBB65BF8A760B144049E90167381DF346E66CFC1

Function 002AF4E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9A4ECB85,?,?,00000000,002C060C,000000FF,?,002AF478,00000002,?,002AF44C,002AC216), ref: 002AF51D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002AF52F
FreeLibrary.KERNEL32(00000000,?,?,00000000,002C060C,000000FF,?,002AF478,00000002,?,002AF44C,002AC216), ref: 002AF551

Strings

CorExitProcess, xrefs: 002AF527
4=*, xrefs: 002AF540
mscoree.dll, xrefs: 002AF516

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 4=*$CorExitProcess$mscoree.dll
API String ID: 4061214504-2885867720
Opcode ID: 6b9fc6dd9d419a0e70db983bded3f249e26a4cea96bfe51941551fcbe03bc0db
Instruction ID: 429702d33a5a4240b7390d244975e19d21eb559782295c676ea3e8e9ec84908b
Opcode Fuzzy Hash: 6b9fc6dd9d419a0e70db983bded3f249e26a4cea96bfe51941551fcbe03bc0db
Instruction Fuzzy Hash: BA01DB71950659EFCB019F90DC09FBE77B8FB06715F040229F811E2290DB749960CA40

Function 002BD3ED Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a00d24ef22eca55304e5165bb9772c6448881a6d4fe4df43f472894e3d0eb16
Instruction ID: cd22232791cf47cf63dc2c1303dc29ddf75e7cf76aa2773fc28d94f98a8c9754
Opcode Fuzzy Hash: 5a00d24ef22eca55304e5165bb9772c6448881a6d4fe4df43f472894e3d0eb16
Instruction Fuzzy Hash: D3B13A70E2424AAFDB11DF98D840BFDBBB5AF49380F148159E4096B392EB709D61CF60

Function 002A88CA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002A88C1,002A6E81,002A6170), ref: 002A88D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002A88E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002A88FF
SetLastError.KERNEL32(00000000,002A88C1,002A6E81,002A6170), ref: 002A8951

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 54c9a9698eb015940eafead703c6e094289e5122fc93201f46cdf3e82b2989dd
Instruction ID: e0670a9d5457d0489e245fe7e382fa176f447998acc2b7ae297aa22452716aa7
Opcode Fuzzy Hash: 54c9a9698eb015940eafead703c6e094289e5122fc93201f46cdf3e82b2989dd
Instruction Fuzzy Hash: 6A01243223931BAFA7152E767C8EE3B2788EB13374B20022AF120512E1FF528C709591

Function 002A89E1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 002A8AA8
___AdjustPointer.LIBCMT ref: 002A8ACB
___AdjustPointer.LIBCMT ref: 002A8B67

Strings

4=*, xrefs: 002A8A40

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: AdjustPointer
String ID: 4=*
API String ID: 1740715915-1836062006
Opcode ID: 30d93ebab09d89df5a0f2053f667e827beed5d63844ef77a0186675af0990d50
Instruction ID: 87d0b3a34d8d37638cf751600d1d48bdee566d67febceb1abea212417787427f
Opcode Fuzzy Hash: 30d93ebab09d89df5a0f2053f667e827beed5d63844ef77a0186675af0990d50
Instruction Fuzzy Hash: FE51D6B26206029FDB298F14C845B7A77A4FF06314F14452EEC0597192DF71AC71CBA0

Function 002A4FC5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002A4FD9
AcquireSRWLockExclusive.KERNEL32(?), ref: 002A4FF8
AcquireSRWLockExclusive.KERNEL32(?), ref: 002A5026
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 002A5081
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 002A5098

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 5a34289ca1f3c2f28e682e42bcf9702c12a81b7939fd7d27d2de6b926f8b5771
Instruction ID: 986f385aa03eb4cb781533e7c0bc6299d04004629b786fd111d4ffa5ac7b840e
Opcode Fuzzy Hash: 5a34289ca1f3c2f28e682e42bcf9702c12a81b7939fd7d27d2de6b926f8b5771
Instruction Fuzzy Hash: FC416A31520E27DFCB20DF65C4859ABB3F4FF0A310B20492AE556D7640EB30E9A5CB91

Function 002A2A9F Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002A2AAB
int.LIBCPMT ref: 002A2ABE

Part of subcall function 002A166A: std::_Lockit::_Lockit.LIBCPMT ref: 002A167B
Part of subcall function 002A166A: std::_Lockit::~_Lockit.LIBCPMT ref: 002A1695

std::_Facet_Register.LIBCPMT ref: 002A2AF1
std::_Lockit::~_Lockit.LIBCPMT ref: 002A2B07
Concurrency::cancel_current_task.LIBCPMT ref: 002A2B12

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 37e9cb0042b43a20cddf928f803eccf3eb8681b1d8eb1e7c3c204139590abe8a
Instruction ID: 8cf398504e0602e310a1bead15301180e0dc2447ecfa9457a37bcd4ca9ed5c8f
Opcode Fuzzy Hash: 37e9cb0042b43a20cddf928f803eccf3eb8681b1d8eb1e7c3c204139590abe8a
Instruction Fuzzy Hash: 0D01A732920124EFCB19EF58D8069ED7778EF86774F240559F901972A1DF30AE65CB90

Function 002B5E17 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B5FAF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B5FC2

Strings

]+, xrefs: 002B5E96
]+, xrefs: 002B5EB8

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: ]+$]+
API String ID: 885266447-125985914
Opcode ID: db0a3313aa33906d62cda2a5bc41acc47aa0e93b12f5fb00bbfa7d9e36d9f348
Instruction ID: 47a7cacd622019eaefcbd60dffd800b123749e9430c2d03c657cb70e18a925eb
Opcode Fuzzy Hash: db0a3313aa33906d62cda2a5bc41acc47aa0e93b12f5fb00bbfa7d9e36d9f348
Instruction Fuzzy Hash: 99516B71A20659AFCB14CF98C881EFEBBB2EB49390F188059F855AB351D2309E61CB50

Function 002A4C78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,?,?,002A2152,?,?,00000000), ref: 002A4C84
GetExitCodeThread.KERNEL32(?,00000000,?,?,002A2152,?,?,00000000), ref: 002A4C9D
CloseHandle.KERNEL32(?,?,?,002A2152,?,?,00000000), ref: 002A4CAF

Strings

R!*, xrefs: 002A4C8F

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: R!*
API String ID: 2551024706-3344826361
Opcode ID: 3e56d02ac64f18ddef889b4733e3cc072d7030f3fc227492db21b5b356350ce3
Instruction ID: 89e24df519e0bdbda01e13e5bc30c711b05b4f665c291bf1a9807a24097aed94
Opcode Fuzzy Hash: 3e56d02ac64f18ddef889b4733e3cc072d7030f3fc227492db21b5b356350ce3
Instruction Fuzzy Hash: 2BF08272511115BBDB105F64EC0AFA93BA9EB02770F240711FD29D62F0DBB0DEA19A80

Function 002A9A12 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,002A99C3,00000000,00000001,0031F4EC,?,?,?,002A9B66,00000004,InitializeCriticalSectionEx,002C2C58,InitializeCriticalSectionEx), ref: 002A9A1F
GetLastError.KERNEL32(?,002A99C3,00000000,00000001,0031F4EC,?,?,?,002A9B66,00000004,InitializeCriticalSectionEx,002C2C58,InitializeCriticalSectionEx,00000000,?,002A991D), ref: 002A9A29
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,002A8833), ref: 002A9A51

Strings

api-ms-, xrefs: 002A9A36

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 7a1a74d1eb36c1c794db5af80e58a20a04f7b3faf43e03bd189594843fb83273
Instruction ID: 0d1219f383e17a07f59f7a920857bcf907c3556a808d8d4fa20c9a53903b7bad
Opcode Fuzzy Hash: 7a1a74d1eb36c1c794db5af80e58a20a04f7b3faf43e03bd189594843fb83273
Instruction Fuzzy Hash: 01E04F30390249B7EF105FA1EC0BF593F55AB02B95F504022FE0CA84E3EF62A8F49985

Function 002B5131 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9A4ECB85,00000000,00000000,00000000), ref: 002B5194

Part of subcall function 002B75F2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,002B69BD,?,00000000,-00000008), ref: 002B769E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002B53EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002B5437
GetLastError.KERNEL32 ref: 002B54DA

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2c71696df3029de4f968f5ca1185ae4298086240b71ade03172a0f027ddd8c5a
Instruction ID: 0ee63b13d660c976be1b58a906a8f206c69fcbf4a5301d0ecbbf3a85e0f29657
Opcode Fuzzy Hash: 2c71696df3029de4f968f5ca1185ae4298086240b71ade03172a0f027ddd8c5a
Instruction Fuzzy Hash: 0ED17A75E146589FCB15CFA8D880AEDBBB4FF49340F28816AE856EB351D730A851CF50

Function 002BED0F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,002BD7AA,00000000,00000001,00000000,00000000,?,002B552E,00000000,00000000,00000000), ref: 002BED26
GetLastError.KERNEL32(?,002BD7AA,00000000,00000001,00000000,00000000,?,002B552E,00000000,00000000,00000000,00000000,00000000,?,002B5AB5,?), ref: 002BED32

Part of subcall function 002BECF8: CloseHandle.KERNEL32(FFFFFFFE,002BED42,?,002BD7AA,00000000,00000001,00000000,00000000,?,002B552E,00000000,00000000,00000000,00000000,00000000), ref: 002BED08

___initconout.LIBCMT ref: 002BED42

Part of subcall function 002BECBA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002BECE9,002BD797,00000000,?,002B552E,00000000,00000000,00000000,00000000), ref: 002BECCD

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,002BD7AA,00000000,00000001,00000000,00000000,?,002B552E,00000000,00000000,00000000,00000000), ref: 002BED57

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 274d4c6891056ec79b5861075da46d068802c14691bd34ea85a93f4dc23c6970
Instruction ID: aed38afad73b424e463306591de17bac58c7ea546e7022aa93d8fc0354b8ebc7
Opcode Fuzzy Hash: 274d4c6891056ec79b5861075da46d068802c14691bd34ea85a93f4dc23c6970
Instruction Fuzzy Hash: 00F09836510159BBCF221FA5AC09DDA3E6AFB493A1F054411FE1D95132D7328CB0EB91

Function 002BF6A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,002BF00F), ref: 002BF6BC

Strings

4=*, xrefs: 002BF786, 002BF830, 002BF876
DP,, xrefs: 002BF851

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: DecodePointer
String ID: 4=*$DP,
API String ID: 3527080286-578113835
Opcode ID: 414ec406b7365def2e9db3aa0151965e18e8a7245d4a38f4c66d47e30d0315dc
Instruction ID: e96cbb9257076060990ed4916a912ecf60ef92ed9153e5b784ee9e0092368599
Opcode Fuzzy Hash: 414ec406b7365def2e9db3aa0151965e18e8a7245d4a38f4c66d47e30d0315dc
Instruction Fuzzy Hash: 9051BE7092090BCBCF548FA8EE4C6ECBB74FF09384F5141A9D481AA224CBB49975DB40

Function 002A40EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_Fputc.LIBCPMT ref: 002A41C7

Strings

4=*, xrefs: 002A41A6

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Fputc
String ID: 4=*
API String ID: 3078413507-1836062006
Opcode ID: 230321d69462c4d9c4799b42ab0c22605de73a50c49d813fc20d3f9e1ff9d499
Instruction ID: b44931a109b97c4ffe93218e032a817ee9ad9af5786bde14e5173a34b8dcb517
Opcode Fuzzy Hash: 230321d69462c4d9c4799b42ab0c22605de73a50c49d813fc20d3f9e1ff9d499
Instruction Fuzzy Hash: 1241A27692061AAFCF14EF64C8809EEB7B8FF9A310B540116E506A7640DF71EDA5CF90

Function 002A8FDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 002A9002

Strings

MOC, xrefs: 002A9014
RCC, xrefs: 002A901C

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8cff73997e54cbfa7d8e368206992171d4a7aaaba2d3d69dc5558ae45563b40b
Instruction ID: a8f3caa6277a7088fcb248dfd29527e881ca8a6856f4b8c3592c0049e20ebd7a
Opcode Fuzzy Hash: 8cff73997e54cbfa7d8e368206992171d4a7aaaba2d3d69dc5558ae45563b40b
Instruction Fuzzy Hash: 75418C7190020AAFCF16DF95CC85AEE7BB5FF4A340F144099F90867211DB3599A0CF50

Function 002A3352 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002A335E
std::_Lockit::~_Lockit.LIBCPMT ref: 002A33BA

Strings

4=*, xrefs: 002A3385, 002A339F

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 4=*
API String ID: 593203224-1836062006
Opcode ID: c2c70c8878639b063b76814256cd861920700b4bb5a9f8aaf87589651fdff919
Instruction ID: 498638ee4d2560045b232f3e4b36033996098518a26ec85c7ed265d6fb656a9b
Opcode Fuzzy Hash: c2c70c8878639b063b76814256cd861920700b4bb5a9f8aaf87589651fdff919
Instruction Fuzzy Hash: F3019E35A10215EFCF01DF19C899EAD77B8EF86760B040099E5019B361DF71EE55CB90

Function 002A1595 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002A159C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002A15D4

Part of subcall function 002A33C3: _Yarn.LIBCPMT ref: 002A33E2
Part of subcall function 002A33C3: _Yarn.LIBCPMT ref: 002A3406

Strings

bad locale name, xrefs: 002A15E2

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 83d1ede08f17ec5ba4feca0c26067a832db58b83c654a3ad71993a56eb1f38b1
Instruction ID: aec345667dd873a27348c3cd0af2b6bd8fcee74a8760e6a28fe76d7bba9fb61f
Opcode Fuzzy Hash: 83d1ede08f17ec5ba4feca0c26067a832db58b83c654a3ad71993a56eb1f38b1
Instruction Fuzzy Hash: 5DF0F971515B809F83219F6A8481447FBE4BE293207908A6EE1DEC3A11DB34A554CFA9

Function 002B1FCE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 002B200E

Strings

InitializeCriticalSectionEx, xrefs: 002B1FDE
4=*, xrefs: 002B1FFE

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 4=*$InitializeCriticalSectionEx
API String ID: 2593887523-4231691927
Opcode ID: 1acda4b3519fa2c05fe54c75b984d7561a0ed606813fa811a8b73b0ae84fb2f3
Instruction ID: e7508851d18a4905fcf1710fe48e6347482a6bca517c514e62b7da3d431ef601
Opcode Fuzzy Hash: 1acda4b3519fa2c05fe54c75b984d7561a0ed606813fa811a8b73b0ae84fb2f3
Instruction Fuzzy Hash: 54E0923659026CF7CB112F51EC0AFCE7F11EB157A1B044511FD1825161CAB29971DBD0

Function 002B1E51 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 002B1E85

Strings

FlsAlloc, xrefs: 002B1E61
4=*, xrefs: 002B1E7B

Memory Dump Source

Source File: 00000000.00000002.2239798039.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000000.00000002.2239784639.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239817995.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239831145.00000000002CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239860356.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239873404.000000000031F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2239885004.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a0000_SoftWare.jbxd

Similarity

API ID: Alloc
String ID: 4=*$FlsAlloc
API String ID: 2773662609-1162105761
Opcode ID: bd89aa316e154859df3ec01ddb185a4ef175bfabee26348a7d1c38af5012f92f
Instruction ID: 0c03513cf087463127c888e86624534f1677e0a9c5c008b6ce32d37dec83ff7e
Opcode Fuzzy Hash: bd89aa316e154859df3ec01ddb185a4ef175bfabee26348a7d1c38af5012f92f
Instruction Fuzzy Hash: D8E02B366E027477C62037A1AC2FEDF7E14CF42BA0B450221FE0955282DEF58D7186D5

Analysis Process: SoftWare.exePID: 4900, Parent PID: 2032COMMON

Non-executed Functions

Function 002BAA80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,00000008,002B3F2B), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000,002CA378,00000024,002AC1E3), ref: 002B28D4

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 002BAB8C
IsValidCodePage.KERNEL32(00000000), ref: 002BABD5
IsValidLocale.KERNEL32(?,00000001), ref: 002BABE4
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002BAC2C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002BAC4B

Strings

L],, xrefs: 002BAAE5

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: L],
API String ID: 415426439-3138183756
Opcode ID: 2d251b2ae6ee63a2813a2ab10e0471f642a98e08fd2ab71ddb4928e83537e2ac
Instruction ID: f0ae750915236a6620d25ecfcfedd8593b738db1f0879c8cbb15e15c67e70171
Opcode Fuzzy Hash: 2d251b2ae6ee63a2813a2ab10e0471f642a98e08fd2ab71ddb4928e83537e2ac
Instruction Fuzzy Hash: 7851A271A20206AFDF10DFA8CC45EEE73B9FF14784F044469A921E7191E770D964CB62

Function 002BA11C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 002B282E: GetLastError.KERNEL32(?,00000008,002B3F2B), ref: 002B2832
Part of subcall function 002B282E: SetLastError.KERNEL32(00000000,002CA378,00000024,002AC1E3), ref: 002B28D4

GetACP.KERNEL32(?,?,?,?,?,?,002AFDE0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002BA1DD
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,002AFDE0,?,?,?,00000055,?,-00000050,?,?), ref: 002BA208
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 002BA36B

Strings

utf8, xrefs: 002BA2DA
L],, xrefs: 002BA15E

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: L],$utf8
API String ID: 607553120-159459496
Opcode ID: 25792ccebb7fd460110561c904e6e8c2b566db624b424c8c858a022776349ebe
Instruction ID: 9ff2df18e00ca0b55b94d7dfa89d8a92f04fec0459619ed53ab09e17ccdd26ba
Opcode Fuzzy Hash: 25792ccebb7fd460110561c904e6e8c2b566db624b424c8c858a022776349ebe
Instruction Fuzzy Hash: B471E731A30202AADB24AF74CC46BEA73E8EF45790F144069F955D7181FBB5ED60CB52

Function 002A1FEA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002A2138
GetConsoleWindow.KERNEL32(00000001), ref: 002A2167
ShowWindow.USER32(00000000), ref: 002A216E
std::_Throw_Cpp_error.LIBCPMT ref: 002A218D

Strings

@1, xrefs: 002A20D3

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Window$ConsoleCpp_errorCurrentShowThreadThrow_std::_
String ID: @1
API String ID: 3913708665-3732576216
Opcode ID: d00846eb0cd11468f6e4dd97af51a1c40deb24b1e8e17bac67f4bad231de7a02
Instruction ID: 6cdf3694fc6565e6f3dee628360152187ac0e30151a14ed61fbf8c5e9323c824
Opcode Fuzzy Hash: d00846eb0cd11468f6e4dd97af51a1c40deb24b1e8e17bac67f4bad231de7a02
Instruction Fuzzy Hash: 5741C032930216EBD3146B798C42BEFBA5DEB57710F004112BB0A971D2EF748665C690

Function 002BA8AB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,002BABC9,00000002,00000000,?,?,?,002BABC9,?,00000000), ref: 002BA944
GetLocaleInfoW.KERNEL32(?,20001004,002BABC9,00000002,00000000,?,?,?,002BABC9,?,00000000), ref: 002BA96D
GetACP.KERNEL32(?,?,002BABC9,?,00000000), ref: 002BA982

Strings

OCP, xrefs: 002BA8FF
ACP, xrefs: 002BA8C9

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a3ca677b1e472196582625c5082752168c2dc8df2a47cfdd573c66ba24d85c4e
Instruction ID: e5483da6eaec86688c8a322127ecb5f72d347273be412da4f5c6dc168fc78bbd
Opcode Fuzzy Hash: a3ca677b1e472196582625c5082752168c2dc8df2a47cfdd573c66ba24d85c4e
Instruction Fuzzy Hash: 0721F532630603A6DB348F54C801EE7B3A6AF64BD0B578524E94AD7101F732DDA1E352

Function 002B2D9D Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002B2E2A

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction ID: 5c0b5546876c655d2c192f3e65ec5d08c2385fffeb8584f56e66cec23c319a85
Opcode Fuzzy Hash: 02312408630170b3c25dee6112d7f3f8a09a7014db778087c09366575c92c367
Instruction Fuzzy Hash: F4B17832A24246DFDB11CF68C881BFEBBB5EF59380F14416AE801AB241D274DD25CBA0

Function 002A5F93 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002A5F9F
IsDebuggerPresent.KERNEL32 ref: 002A606B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002A6084
UnhandledExceptionFilter.KERNEL32(?), ref: 002A608E

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5c4d4a976fe741db07450c0b02742da9aad02306f6816ef6ca362b1c2024b443
Instruction ID: 1b0157a036bf50c87f5d02ab3a8dc60f73c36c7881e004a26906e029680ed235
Opcode Fuzzy Hash: 5c4d4a976fe741db07450c0b02742da9aad02306f6816ef6ca362b1c2024b443
Instruction Fuzzy Hash: 413127B5C152289BDF21DFA4D94DBCDBBB8BF09300F1041AAE50CAB250EB719A948F45

Function 002A1AC2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 002A2B18: __EH_prolog3_catch.LIBCMT ref: 002A2B1F

_Deallocate.LIBCONCRT ref: 002A1C9D
_Deallocate.LIBCONCRT ref: 002A1CEA

Strings

Current val: %d, xrefs: 002A1C76

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Deallocate$H_prolog3_catch
String ID: Current val: %d
API String ID: 1212816977-1825967858
Opcode ID: 65f8f0b882eb1246e3688421a423785d4d0f7012aed0f0cf7c8ac5857c7fc8af
Instruction ID: 045a83eb2db96bcfa80b56a3f45b204fa9629e7f3f5ca4fa0a8b89229266f9f6
Opcode Fuzzy Hash: 65f8f0b882eb1246e3688421a423785d4d0f7012aed0f0cf7c8ac5857c7fc8af
Instruction Fuzzy Hash: CC61AD7252C3558FC320DF29D48026BFBE0AFCA728F150E2EF9D493242DB3599148B56

Function 002A516A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002A5170
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 002A517E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002A518F
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002A51A0

Strings

GetCurrentPackageId, xrefs: 002A5178
GetTempPath2W, xrefs: 002A5195
kernel32.dll, xrefs: 002A516B
GetSystemTimePreciseAsFileTime, xrefs: 002A5184

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 42f9171c93060340d1e13bed08e41270b6aa2a62a62ed1973c22006866e5666c
Instruction ID: 22aa0c7812a32fe7d455105b67f3f9e0759bf006ff196ae39ad88d7bfc593e45
Opcode Fuzzy Hash: 42f9171c93060340d1e13bed08e41270b6aa2a62a62ed1973c22006866e5666c
Instruction Fuzzy Hash: E4E0E6B1595760EFC3055F71BC0EE953BACBA0B741304417AFD05D2366DBF444648B50

Function 002A86D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002A8707
___except_validate_context_record.LIBVCRUNTIME ref: 002A870F
_ValidateLocalCookies.LIBCMT ref: 002A8798
__IsNonwritableInCurrentImage.LIBCMT ref: 002A87C3
_ValidateLocalCookies.LIBCMT ref: 002A8818

Strings

csm, xrefs: 002A87AD
4=*, xrefs: 002A87DC

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 4=*$csm
API String ID: 1170836740-2210737230
Opcode ID: 51b505c1619c8b496996d5a8c8b17fa0baac58daeaa2cd78a123ab4933df3d6b
Instruction ID: 7c49f1b01d334e03d1b8ad64a86afd55f536e89a49a08db6b284eed9b6962425
Opcode Fuzzy Hash: 51b505c1619c8b496996d5a8c8b17fa0baac58daeaa2cd78a123ab4933df3d6b
Instruction Fuzzy Hash: 0541C338E20209DFCF10DF69CC85A9EBBA5AF06314F248155E9189B392DF759A25CF90

Function 002A35FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A3603
std::_Lockit::_Lockit.LIBCPMT ref: 002A360D
int.LIBCPMT ref: 002A3624

Part of subcall function 002A166A: std::_Lockit::_Lockit.LIBCPMT ref: 002A167B
Part of subcall function 002A166A: std::_Lockit::~_Lockit.LIBCPMT ref: 002A1695

std::_Facet_Register.LIBCPMT ref: 002A365E
std::_Lockit::~_Lockit.LIBCPMT ref: 002A367E
Concurrency::cancel_current_task.LIBCPMT ref: 002A368B

Strings

4=*, xrefs: 002A366B

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: 4=*
API String ID: 55977855-1836062006
Opcode ID: 34d0bcd568d6039dd08f3f7f415050bac933042cc5258a25e889cd8512b73378
Instruction ID: c6ccd39ca21cbd0346a31060d5d314637fd486f848a63af7596c401e20ab5a37
Opcode Fuzzy Hash: 34d0bcd568d6039dd08f3f7f415050bac933042cc5258a25e889cd8512b73378
Instruction Fuzzy Hash: 4C11DF71920225DFCB05EF64D946BAEB7A9AF86720F14050DF401A7381DFB4AE20CF90

Function 002A8C38 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 002A8D57
___TypeMatch.LIBVCRUNTIME ref: 002A8E65
CallUnexpected.LIBVCRUNTIME ref: 002A8FD2

Strings

csm, xrefs: 002A8CE2
csm, xrefs: 002A8C75
csm, xrefs: 002A8D8E

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: e5f23b8ceb5e6bc954a9a4230b18e4a55aebef8cda416044f9b7ee5ecd3ee71e
Instruction ID: 7bd515567dfb44a12c3fa2bc9f57e5a8b651bbdcf3a4a8232d081d81a411feca
Opcode Fuzzy Hash: e5f23b8ceb5e6bc954a9a4230b18e4a55aebef8cda416044f9b7ee5ecd3ee71e
Instruction Fuzzy Hash: 89B18A71C2020AEFCF15DFA4C9859AEBBB6BF16310B54415AE910AB242DF34DA71CF91

Function 002B1C2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,002B1D3C,?,?,00000000,00000000,?,?,002B1F2A,00000021,FlsSetValue,002C4A04,002C4A0C,00000000), ref: 002B1CF0

Strings

api-ms-, xrefs: 002B1C86
ext-ms-, xrefs: 002B1C9A

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c42033a11f6dfd31762e8d0a671be2d6dfdd7633f28f3ff5409712cf43e26e0f
Instruction ID: ee41973101a0a4f24c0f41505da70cb818f0aa28599fe68a2a1de4317a713497
Opcode Fuzzy Hash: c42033a11f6dfd31762e8d0a671be2d6dfdd7633f28f3ff5409712cf43e26e0f
Instruction Fuzzy Hash: 8F210D71A60252ABC7229F25EC65FDB7B68EB417E4F640222ED05E7291D730ED30C6D1

Function 002A32C5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A32CC
std::_Lockit::_Lockit.LIBCPMT ref: 002A32D7
std::locale::_Setgloballocale.LIBCPMT ref: 002A32F2
_Yarn.LIBCPMT ref: 002A3308
std::_Lockit::~_Lockit.LIBCPMT ref: 002A3345

Strings

4=*, xrefs: 002A3314, 002A3338

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID: 4=*
API String ID: 156189095-1836062006
Opcode ID: f158dbf7cec12bb29f45f1e22de902b00797a513e8228ebc6ccc5939a51ed24c
Instruction ID: 60dce55dce6217a94dc419d12a347551f41906ccbc348f4706858d51a5647c40
Opcode Fuzzy Hash: f158dbf7cec12bb29f45f1e22de902b00797a513e8228ebc6ccc5939a51ed24c
Instruction Fuzzy Hash: 73015A75A10261DBCB06EB60E84597DBB65BF8A760B144049E90167381DF346E66CFC1

Function 002AF4E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,002C060C,000000FF,?,002AF478,002AF5A8,?,002AF44C,00000000), ref: 002AF51D
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,002C060C,000000FF,?,002AF478,002AF5A8,?,002AF44C,00000000), ref: 002AF52F
FreeLibrary.KERNEL32(00000000,?,?,00000000,002C060C,000000FF,?,002AF478,002AF5A8,?,002AF44C,00000000), ref: 002AF551

Strings

mscoree.dll, xrefs: 002AF516
CorExitProcess, xrefs: 002AF527
4=*, xrefs: 002AF540

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 4=*$CorExitProcess$mscoree.dll
API String ID: 4061214504-2885867720
Opcode ID: 6b9fc6dd9d419a0e70db983bded3f249e26a4cea96bfe51941551fcbe03bc0db
Instruction ID: 429702d33a5a4240b7390d244975e19d21eb559782295c676ea3e8e9ec84908b
Opcode Fuzzy Hash: 6b9fc6dd9d419a0e70db983bded3f249e26a4cea96bfe51941551fcbe03bc0db
Instruction Fuzzy Hash: BA01DB71950659EFCB019F90DC09FBE77B8FB06715F040229F811E2290DB749960CA40

Function 002BD3ED Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581f5ecca3ca233f15a1fbf1cf5a7ab8cce641f9809bea2760463a3957e0cc34
Instruction ID: cd22232791cf47cf63dc2c1303dc29ddf75e7cf76aa2773fc28d94f98a8c9754
Opcode Fuzzy Hash: 581f5ecca3ca233f15a1fbf1cf5a7ab8cce641f9809bea2760463a3957e0cc34
Instruction Fuzzy Hash: D3B13A70E2424AAFDB11DF98D840BFDBBB5AF49380F148159E4096B392EB709D61CF60

Function 002A88CA Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002A88C1,002A6E81,002A6170), ref: 002A88D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002A88E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002A88FF
SetLastError.KERNEL32(00000000,002A88C1,002A6E81,002A6170), ref: 002A8951

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 54c9a9698eb015940eafead703c6e094289e5122fc93201f46cdf3e82b2989dd
Instruction ID: e0670a9d5457d0489e245fe7e382fa176f447998acc2b7ae297aa22452716aa7
Opcode Fuzzy Hash: 54c9a9698eb015940eafead703c6e094289e5122fc93201f46cdf3e82b2989dd
Instruction Fuzzy Hash: 6A01243223931BAFA7152E767C8EE3B2788EB13374B20022AF120512E1FF528C709591

Function 002A89E1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 002A8AA8
___AdjustPointer.LIBCMT ref: 002A8ACB
___AdjustPointer.LIBCMT ref: 002A8B67

Strings

4=*, xrefs: 002A8A40

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: AdjustPointer
String ID: 4=*
API String ID: 1740715915-1836062006
Opcode ID: 8e6c2590a821574fef6ae735e2b59f049eb05342a08f84fa4705ae6a2bd6c567
Instruction ID: 87d0b3a34d8d37638cf751600d1d48bdee566d67febceb1abea212417787427f
Opcode Fuzzy Hash: 8e6c2590a821574fef6ae735e2b59f049eb05342a08f84fa4705ae6a2bd6c567
Instruction Fuzzy Hash: FE51D6B26206029FDB298F14C845B7A77A4FF06314F14452EEC0597192DF71AC71CBA0

Function 002A4FC5 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(002CB00C), ref: 002A4FD9
AcquireSRWLockExclusive.KERNEL32(?), ref: 002A4FF8
AcquireSRWLockExclusive.KERNEL32(?), ref: 002A5026
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 002A5081
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 002A5098

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 5a34289ca1f3c2f28e682e42bcf9702c12a81b7939fd7d27d2de6b926f8b5771
Instruction ID: 986f385aa03eb4cb781533e7c0bc6299d04004629b786fd111d4ffa5ac7b840e
Opcode Fuzzy Hash: 5a34289ca1f3c2f28e682e42bcf9702c12a81b7939fd7d27d2de6b926f8b5771
Instruction Fuzzy Hash: FC416A31520E27DFCB20DF65C4859ABB3F4FF0A310B20492AE556D7640EB30E9A5CB91

Function 002A2A9F Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002A2AAB
int.LIBCPMT ref: 002A2ABE

Part of subcall function 002A166A: std::_Lockit::_Lockit.LIBCPMT ref: 002A167B
Part of subcall function 002A166A: std::_Lockit::~_Lockit.LIBCPMT ref: 002A1695

std::_Facet_Register.LIBCPMT ref: 002A2AF1
std::_Lockit::~_Lockit.LIBCPMT ref: 002A2B07
Concurrency::cancel_current_task.LIBCPMT ref: 002A2B12

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 37e9cb0042b43a20cddf928f803eccf3eb8681b1d8eb1e7c3c204139590abe8a
Instruction ID: 8cf398504e0602e310a1bead15301180e0dc2447ecfa9457a37bcd4ca9ed5c8f
Opcode Fuzzy Hash: 37e9cb0042b43a20cddf928f803eccf3eb8681b1d8eb1e7c3c204139590abe8a
Instruction Fuzzy Hash: 0D01A732920124EFCB19EF58D8069ED7778EF86774F240559F901972A1DF30AE65CB90

Function 002A9EBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(?,?,002A9D5F,00000000,00000000,?,00000000,?,?,?,002A2129,00000000,00000000,002A2C5B,00000000,00000000), ref: 002A9F04
GetLastError.KERNEL32(?,002A2129,00000000,00000000,002A2C5B,00000000,00000000), ref: 002A9F10
__dosmaperr.LIBCMT ref: 002A9F17

Strings

[,*, xrefs: 002A9F2C

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: [,*
API String ID: 2744730728-2099427899
Opcode ID: ff6ce87abaed6d02c08749656f6428c73bb47831d3b6e335eb4fbfb58092735b
Instruction ID: 566b28eda55a41f8ebb5969b5ca156038572eda2679ca560a49a62b66ec97451
Opcode Fuzzy Hash: ff6ce87abaed6d02c08749656f6428c73bb47831d3b6e335eb4fbfb58092735b
Instruction Fuzzy Hash: EC019E7252121AEFCF15AFA2DC06AAE7BA4EF02360F104159F901D6151EF74CDA0DF90

Function 002A4C78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,?,?,002A2152,?,?,00000000), ref: 002A4C84
GetExitCodeThread.KERNEL32(?,00000000,?,?,002A2152,?,?,00000000), ref: 002A4C9D
CloseHandle.KERNEL32(?,?,?,002A2152,?,?,00000000), ref: 002A4CAF

Strings

R!*, xrefs: 002A4C8F

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID: R!*
API String ID: 2551024706-3344826361
Opcode ID: 3e56d02ac64f18ddef889b4733e3cc072d7030f3fc227492db21b5b356350ce3
Instruction ID: 89e24df519e0bdbda01e13e5bc30c711b05b4f665c291bf1a9807a24097aed94
Opcode Fuzzy Hash: 3e56d02ac64f18ddef889b4733e3cc072d7030f3fc227492db21b5b356350ce3
Instruction Fuzzy Hash: 2BF08272511115BBDB105F64EC0AFA93BA9EB02770F240711FD29D62F0DBB0DEA19A80

Function 002A9A12 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,002A99C3,00000000,?,0031F4EC,?,?,?,002A9B66,00000004,InitializeCriticalSectionEx,002C2C58,InitializeCriticalSectionEx), ref: 002A9A1F
GetLastError.KERNEL32(?,002A99C3,00000000,?,0031F4EC,?,?,?,002A9B66,00000004,InitializeCriticalSectionEx,002C2C58,InitializeCriticalSectionEx,00000000,?,002A991D), ref: 002A9A29
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 002A9A51

Strings

api-ms-, xrefs: 002A9A36

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 7a1a74d1eb36c1c794db5af80e58a20a04f7b3faf43e03bd189594843fb83273
Instruction ID: 0d1219f383e17a07f59f7a920857bcf907c3556a808d8d4fa20c9a53903b7bad
Opcode Fuzzy Hash: 7a1a74d1eb36c1c794db5af80e58a20a04f7b3faf43e03bd189594843fb83273
Instruction Fuzzy Hash: 01E04F30390249B7EF105FA1EC0BF593F55AB02B95F504022FE0CA84E3EF62A8F49985

Function 002B5131 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,016E13CA), ref: 002B5194

Part of subcall function 002B75F2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,002B69BD,?,00000000,-00000008), ref: 002B769E

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002B53EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002B5437
GetLastError.KERNEL32 ref: 002B54DA

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2c71696df3029de4f968f5ca1185ae4298086240b71ade03172a0f027ddd8c5a
Instruction ID: 0ee63b13d660c976be1b58a906a8f206c69fcbf4a5301d0ecbbf3a85e0f29657
Opcode Fuzzy Hash: 2c71696df3029de4f968f5ca1185ae4298086240b71ade03172a0f027ddd8c5a
Instruction Fuzzy Hash: 0ED17A75E146589FCB15CFA8D880AEDBBB4FF49340F28816AE856EB351D730A851CF50

Function 002BED0F Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,002BD7AA,00000000,00000001,00000000,016E13CA,?,002B552E,016E13CA,00000000,00000000), ref: 002BED26
GetLastError.KERNEL32(?,002BD7AA,00000000,00000001,00000000,016E13CA,?,002B552E,016E13CA,00000000,00000000,016E13CA,016E13CA,?,002B5AB5,00000000), ref: 002BED32

Part of subcall function 002BECF8: CloseHandle.KERNEL32(FFFFFFFE,002BED42,?,002BD7AA,00000000,00000001,00000000,016E13CA,?,002B552E,016E13CA,00000000,00000000,016E13CA,016E13CA), ref: 002BED08

___initconout.LIBCMT ref: 002BED42

Part of subcall function 002BECBA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002BECE9,002BD797,016E13CA,?,002B552E,016E13CA,00000000,00000000,016E13CA), ref: 002BECCD

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,002BD7AA,00000000,00000001,00000000,016E13CA,?,002B552E,016E13CA,00000000,00000000,016E13CA), ref: 002BED57

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 274d4c6891056ec79b5861075da46d068802c14691bd34ea85a93f4dc23c6970
Instruction ID: aed38afad73b424e463306591de17bac58c7ea546e7022aa93d8fc0354b8ebc7
Opcode Fuzzy Hash: 274d4c6891056ec79b5861075da46d068802c14691bd34ea85a93f4dc23c6970
Instruction Fuzzy Hash: 00F09836510159BBCF221FA5AC09DDA3E6AFB493A1F054411FE1D95132D7328CB0EB91

Function 002BF6A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,002BF00F), ref: 002BF6BC

Strings

DP,, xrefs: 002BF851
4=*, xrefs: 002BF786, 002BF830, 002BF876

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: DecodePointer
String ID: 4=*$DP,
API String ID: 3527080286-578113835
Opcode ID: 225c20f9b8e38a0f9265be0be48b763c11f2a4c509d613f742bbb4d162ce163a
Instruction ID: e96cbb9257076060990ed4916a912ecf60ef92ed9153e5b784ee9e0092368599
Opcode Fuzzy Hash: 225c20f9b8e38a0f9265be0be48b763c11f2a4c509d613f742bbb4d162ce163a
Instruction Fuzzy Hash: 9051BE7092090BCBCF548FA8EE4C6ECBB74FF09384F5141A9D481AA224CBB49975DB40

Function 002A40EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_Fputc.LIBCPMT ref: 002A41C7

Strings

4=*, xrefs: 002A41A6

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Fputc
String ID: 4=*
API String ID: 3078413507-1836062006
Opcode ID: 230321d69462c4d9c4799b42ab0c22605de73a50c49d813fc20d3f9e1ff9d499
Instruction ID: b44931a109b97c4ffe93218e032a817ee9ad9af5786bde14e5173a34b8dcb517
Opcode Fuzzy Hash: 230321d69462c4d9c4799b42ab0c22605de73a50c49d813fc20d3f9e1ff9d499
Instruction Fuzzy Hash: 1241A27692061AAFCF14EF64C8809EEB7B8FF9A310B540116E506A7640DF71EDA5CF90

Function 002A8FDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 002A9002

Strings

RCC, xrefs: 002A901C
MOC, xrefs: 002A9014

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: c155c311966e4faaf77b3e012db2a775fda77c126f6c888e760d73d05728c43a
Instruction ID: a8f3caa6277a7088fcb248dfd29527e881ca8a6856f4b8c3592c0049e20ebd7a
Opcode Fuzzy Hash: c155c311966e4faaf77b3e012db2a775fda77c126f6c888e760d73d05728c43a
Instruction Fuzzy Hash: 75418C7190020AAFCF16DF95CC85AEE7BB5FF4A340F144099F90867211DB3599A0CF50

Function 002A3352 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002A335E
std::_Lockit::~_Lockit.LIBCPMT ref: 002A33BA

Strings

4=*, xrefs: 002A3385, 002A339F

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 4=*
API String ID: 593203224-1836062006
Opcode ID: c2c70c8878639b063b76814256cd861920700b4bb5a9f8aaf87589651fdff919
Instruction ID: 498638ee4d2560045b232f3e4b36033996098518a26ec85c7ed265d6fb656a9b
Opcode Fuzzy Hash: c2c70c8878639b063b76814256cd861920700b4bb5a9f8aaf87589651fdff919
Instruction Fuzzy Hash: F3019E35A10215EFCF01DF19C899EAD77B8EF86760B040099E5019B361DF71EE55CB90

Function 002A9D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(002C9F68,0000000C), ref: 002A9D72
ExitThread.KERNEL32 ref: 002A9D79

Strings

4=*, xrefs: 002A9DAF

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: 4=*
API String ID: 1611280651-1836062006
Opcode ID: 05c24aeacbdae502eb51c35340665f1172e161c321434d3b5eba9af71980fb1c
Instruction ID: 99b759bd319cecc557c51d069d22ddfc86b4ed4e5a64dd7af6747eb3a8602f52
Opcode Fuzzy Hash: 05c24aeacbdae502eb51c35340665f1172e161c321434d3b5eba9af71980fb1c
Instruction Fuzzy Hash: 44F08770A20605AFDB10AFB4D80AAAE3B74FF02341F100149F40597292CF34A9A6CFA1

Function 002A1595 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002A159C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002A15D4

Part of subcall function 002A33C3: _Yarn.LIBCPMT ref: 002A33E2
Part of subcall function 002A33C3: _Yarn.LIBCPMT ref: 002A3406

Strings

bad locale name, xrefs: 002A15E2

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 83d1ede08f17ec5ba4feca0c26067a832db58b83c654a3ad71993a56eb1f38b1
Instruction ID: aec345667dd873a27348c3cd0af2b6bd8fcee74a8760e6a28fe76d7bba9fb61f
Opcode Fuzzy Hash: 83d1ede08f17ec5ba4feca0c26067a832db58b83c654a3ad71993a56eb1f38b1
Instruction Fuzzy Hash: 5DF0F971515B809F83219F6A8481447FBE4BE293207908A6EE1DEC3A11DB34A554CFA9

Function 002B1FCE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 002B200E

Strings

InitializeCriticalSectionEx, xrefs: 002B1FDE
4=*, xrefs: 002B1FFE

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 4=*$InitializeCriticalSectionEx
API String ID: 2593887523-4231691927
Opcode ID: bf0ddd696f14d71cb23e4b8bc8ae9bd547c22751fbc1464fd6ecfe56b214f953
Instruction ID: e7508851d18a4905fcf1710fe48e6347482a6bca517c514e62b7da3d431ef601
Opcode Fuzzy Hash: bf0ddd696f14d71cb23e4b8bc8ae9bd547c22751fbc1464fd6ecfe56b214f953
Instruction Fuzzy Hash: 54E0923659026CF7CB112F51EC0AFCE7F11EB157A1B044511FD1825161CAB29971DBD0

Function 002B1E51 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 002B1E85

Strings

FlsAlloc, xrefs: 002B1E61
4=*, xrefs: 002B1E7B

Memory Dump Source

Source File: 00000001.00000002.1777837425.00000000002A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000001.00000002.1777817539.00000000002A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777863589.00000000002C1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777882295.00000000002CB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1777921676.0000000000321000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2a0000_SoftWare.jbxd

Similarity

API ID: Alloc
String ID: 4=*$FlsAlloc
API String ID: 2773662609-1162105761
Opcode ID: 4074ed2e78703a534b4b019cf51215d3dd2bd9b8bd2b5225a628749cc75a0bf2
Instruction ID: 0c03513cf087463127c888e86624534f1677e0a9c5c008b6ce32d37dec83ff7e
Opcode Fuzzy Hash: 4074ed2e78703a534b4b019cf51215d3dd2bd9b8bd2b5225a628749cc75a0bf2
Instruction Fuzzy Hash: D8E02B366E027477C62037A1AC2FEDF7E14CF42BA0B450221FE0955282DEF58D7186D5

Analysis Process: SoftWare.exePID: 3452, Parent PID: 2032COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.5%
Total number of Nodes:	112
Total number of Limit Nodes:	7

Executed Functions

Function 0043A429 Relevance: 25.1, APIs: 12, Strings: 2, Instructions: 604
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(C965CB65), ref: 0043A483
SysAllocString.OLEAUT32(73BF71A3), ref: 0043A547
VariantInit.OLEAUT32(?), ref: 0043A5C5
VariantInit.OLEAUT32(?), ref: 0043A675
VariantClear.OLEAUT32(?), ref: 0043A811
VariantClear.OLEAUT32(?), ref: 0043A831
SysFreeString.OLEAUT32(?), ref: 0043A855
SysFreeString.OLEAUT32(?), ref: 0043A866
SysFreeString.OLEAUT32(?), ref: 0043A871
SysFreeString.OLEAUT32(?), ref: 0043A892
SysFreeString.OLEAUT32(?), ref: 0043A8B1
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043A8F7

Strings

!, xrefs: 0043A4ED
IK, xrefs: 0043A693

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: String$Free$Variant$AllocClearInit$InformationVolume
String ID: !$IK
API String ID: 3953524707-496506819
Opcode ID: 07e95e3edaaeb974cdd0530b4623b3f1c4e38f81be1c5641863cea7eb0ffc2f7
Instruction ID: c6ea3858bedf537f55d0b91c08b65f677030efd717191697b90d36edc04f3dfd
Opcode Fuzzy Hash: 07e95e3edaaeb974cdd0530b4623b3f1c4e38f81be1c5641863cea7eb0ffc2f7
Instruction Fuzzy Hash: DC12EF79A08300DFD714DF64D88576FBBB5FB8A304F14882DE58697290DB38D906CB9A

Function 00410B70 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00410C71
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410C93
CoUninitialize.OLE32 ref: 00410FC6
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00410FE1

Strings

}t, xrefs: 00410EDC
n&b, xrefs: 00410CD0
~{, xrefs: 00410EC7
sergei-esenin.com, xrefs: 00410F9B
=g, xrefs: 00410ECE
vr, xrefs: 00410ED5
47F84A64056185416D8FCC98A964EF0B, xrefs: 00410CA9

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: Initialize$DirectorySecuritySystemUninitialize
String ID: 47F84A64056185416D8FCC98A964EF0B$=g$n&b$sergei-esenin.com$vr$}t$~{
API String ID: 3033074019-2810409932
Opcode ID: 836cb7b8e51c6463bcba787b89bdbf2777d47dcf745653baba6d0fd8e6dc704d
Instruction ID: 3d66ede91e16acbe79e26fdc15d3b4281624e5ec11b79c3a42ba01a9d99e3f79
Opcode Fuzzy Hash: 836cb7b8e51c6463bcba787b89bdbf2777d47dcf745653baba6d0fd8e6dc704d
Instruction Fuzzy Hash: 50D1CFB49107409FD7209F39C886B57BFE0EB06310F1486ADE4D68F7A6E3749845CB96

Function 0040CE80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,61F667F5,004473DA,?,00000000,00000005), ref: 0040D069
GetCurrentThreadId.KERNEL32 ref: 0040D078
GetInputState.USER32 ref: 0040D07E
GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0040D088
ExitProcess.KERNEL32 ref: 0040D0A8

Strings

\_, xrefs: 0040D019

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: CurrentProcess$ExecuteExitInputShellStateThread
String ID: \_
API String ID: 288744916-2885897410
Opcode ID: 2779ce20af6b47498882e53c43679405d4b11f8180495396d802aa6d468d8d7f
Instruction ID: 9488cf3a6b8b3160aa6404eb034c09a92a31fb656c02a9718b9fe1323c94acce
Opcode Fuzzy Hash: 2779ce20af6b47498882e53c43679405d4b11f8180495396d802aa6d468d8d7f
Instruction Fuzzy Hash: 66512932A583014BD7089F759D1636F7BD29FC1318F18D53DE5C69B2C5DA7888068B8A

Function 0043A260 Relevance: 1.6, APIs: 1, Instructions: 70
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00446B30,00000000,00000001,00446B20,00000000), ref: 0043A35D

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: a629d1a80dcce7913e6589f6cbeb23c268c7f455536ff7b937f7441012b82dd9
Instruction ID: 4bfce083a0206b873a41d54eed7a08b9aec58956d0f3df3f421b9e084b8a7301
Opcode Fuzzy Hash: a629d1a80dcce7913e6589f6cbeb23c268c7f455536ff7b937f7441012b82dd9
Instruction Fuzzy Hash: FE2194B5558340AFE320CF25E844B5BBBE4FBC6744F00891CF2D85A280DBB59509CB9B

Function 00440730 Relevance: 1.6, APIs: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,?,?), ref: 004407C2

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2b9b091379e81e22fa74ad10e6af784eb3f6aa6c0776c3b509af0d0c3dd3bc99
Instruction ID: e1a89a2b25a9a6c841ba15f3a9d35858400923d7814fd112d7915323e9080f7f
Opcode Fuzzy Hash: 2b9b091379e81e22fa74ad10e6af784eb3f6aa6c0776c3b509af0d0c3dd3bc99
Instruction Fuzzy Hash: 73119C32B5C3018BF3245E79BCD162FB79AFBD5214F0D413DE98493680D179A81653D6

Function 004407F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00443C9A,005C003F,00000006,?,?,00000018,?,?,?), ref: 0044081E

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040DF90 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(77DF0993,00000000,83828980), ref: 0040E093

Strings

}({, xrefs: 0040DFFE

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: LibraryLoad
String ID: }({
API String ID: 1029625771-3992779883
Opcode ID: 1cea01f86627b4eba5b41865d9c3f7f35f7c3a649ac8e292f4fb2fabdf08c240
Instruction ID: b3965f22f27f8df03af3f913aa2323b9e47d7cb0c5b5a4ee552e9ee411c1ec21
Opcode Fuzzy Hash: 1cea01f86627b4eba5b41865d9c3f7f35f7c3a649ac8e292f4fb2fabdf08c240
Instruction Fuzzy Hash: E42148762593404BD304CFA6DDC27ABBBE0EBD6304F18493CE1D167381D2B889058B5A

Function 0043DAC0 Relevance: 1.6, APIs: 1, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043DB69

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4016dff6770d5374d53c2cab9f3e079b41551d10e1012643e26112ef623d04dc
Instruction ID: 38dcdc757562283c4e78f7fc39a408dfd97d3fa66958ab1165df528fc6c314b6
Opcode Fuzzy Hash: 4016dff6770d5374d53c2cab9f3e079b41551d10e1012643e26112ef623d04dc
Instruction Fuzzy Hash: 4D115937A153204BC314CB6CDC9566BB796DFCA221F2A463DECD89B3D1DA715C0582D1

Function 0044092A Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004409B3

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: f8fb510bd3e5a3b0fef58abe62ebc34a41c8cb580e5d811e1fe8e3cb74da00ac
Instruction ID: acb57bb7029e36a2cfa67ae82a0cadfdc449d2302dc8c141d1941bd7c134922e
Opcode Fuzzy Hash: f8fb510bd3e5a3b0fef58abe62ebc34a41c8cb580e5d811e1fe8e3cb74da00ac
Instruction Fuzzy Hash: 3D114CB79887005BD3188F7DDCC2016BBD1EB92260B18423DDAA2873E5D67859598686

Function 0043DA90 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043DA95

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7fbfd94865156e4b0fd6e8cb6e1a86e035caa82a891fd86f310634aa356bd5a2
Instruction ID: 02882fa755710a24d13c8bd2f1c33f6e0405f795aca531d9f3fdeea5b9a466d5
Opcode Fuzzy Hash: 7fbfd94865156e4b0fd6e8cb6e1a86e035caa82a891fd86f310634aa356bd5a2
Instruction Fuzzy Hash: F5B09234148200CBC6084B20EC05B203639AB4A202F2000299409159A286319842DA08

Function 004409A5 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004409B3

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 3a485459aebd737fd292995b8cab423c944b610c2fc192f2a2ed84bef6237fb8
Instruction ID: 1ca9de099168eef8024060dcb2edf25e7f91ab57f983ad52d9a54f24b633c009
Opcode Fuzzy Hash: 3a485459aebd737fd292995b8cab423c944b610c2fc192f2a2ed84bef6237fb8
Instruction Fuzzy Hash: 11E0C27EA44100EFE604DF29FC9243437A0FB17215304057DE143C3762C6349919CB9B

Non-executed Functions

Function 00434D70 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 210COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00434DB9
GetSystemMetrics.USER32 ref: 00434DC9

Strings

=_C, xrefs: 00435066
_`C, xrefs: 00434FAB
, xrefs: 00434EB9
|YC, xrefs: 00435137
EVC, xrefs: 00434F48
^C, xrefs: 004350F5
lVC, xrefs: 00435071
_aC, xrefs: 004350B3
8aC, xrefs: 00435019
'YC, xrefs: 004350EA
)]C, xrefs: 00434F53
O\C, xrefs: 00434F7F

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: MetricsSystem
String ID: $'YC$)]C$8aC$=_C$EVC$O\C$_`C$_aC$lVC$|YC$^C
API String ID: 4116985748-1717540546
Opcode ID: 63b62d33d191d92bbad1678b7f8463588107770f54f01b09dec81713fb427d5f
Instruction ID: 822e23ea843f65d10f9973477d1a2a645ee3078cbc025c4a83685967a36173a4
Opcode Fuzzy Hash: 63b62d33d191d92bbad1678b7f8463588107770f54f01b09dec81713fb427d5f
Instruction Fuzzy Hash: 21D158B040A3858BE3B4DF55D98A7CBBBE0BBC6708F14891ED19C5B240C7B85548CF9A

Function 00434BE0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 122clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00434BFB
GetWindowLongW.USER32 ref: 00434C26
GetClipboardData.USER32 ref: 00434C36
CloseClipboard.USER32 ref: 00434D4E

Strings

!, xrefs: 00434CB5
", xrefs: 00434C9D
", xrefs: 00434CB1
!, xrefs: 00434C95
', xrefs: 00434CA5
,, xrefs: 00434CB9

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: !$!$"$"$'$,
API String ID: 1647500905-753487525
Opcode ID: 84a0b2c49b494b8f8a7b86d8d5299ee7db7d7392dfe708abed54a59116f8ce73
Instruction ID: 8b9bd2589780c863f900245608a656f9c1c755b97534ffdc989dce108da72be9
Opcode Fuzzy Hash: 84a0b2c49b494b8f8a7b86d8d5299ee7db7d7392dfe708abed54a59116f8ce73
Instruction Fuzzy Hash: 244104709083948FDB009BFCD8483EEBFB0AB56320F15162ED4919B3C1D379554587AB

Function 00433C07 Relevance: 35.1, APIs: 1, Strings: 19, Instructions: 105COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00433C4D

Strings

7, xrefs: 00433CBB
#, xrefs: 00433CDB
/, xrefs: 00433C93
\, xrefs: 00433D2B
U, xrefs: 00433CE3
Y, xrefs: 00433D03
=, xrefs: 00433CFB
[, xrefs: 00433CF3
C, xrefs: 00433D33
J, xrefs: 00433C9B
5, xrefs: 00433D1B
_, xrefs: 00433D13
), xrefs: 00433C83
Q, xrefs: 00433CC3
S, xrefs: 00433CB3
], xrefs: 00433D23
W, xrefs: 00433CD3
+, xrefs: 00433C73
-, xrefs: 00433CA3

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: InitVariant
String ID: #$)$+$-$/$5$7$=$C$J$Q$S$U$W$Y$[$\$]$_
API String ID: 1927566239-3571421908
Opcode ID: aa8d1dbb21d80ccf7a2206122efb04e9e4970e70a0e70da09b81915eb3913a48
Instruction ID: 348bdaf7c5ee8a607306d2dccdfdb21755f88b2cffea4ea5bf528780103e8b04
Opcode Fuzzy Hash: aa8d1dbb21d80ccf7a2206122efb04e9e4970e70a0e70da09b81915eb3913a48
Instruction Fuzzy Hash: A951077150C7C18EE3368B2888597DBBFE16BE6308F08896DC1DC4B392C7B9454A8B53

Function 0043207A Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432083
VariantInit.OLEAUT32 ref: 0043208F

Strings

Q, xrefs: 004320CC
], xrefs: 004320BC
Y, xrefs: 004320AC
[, xrefs: 004320A4
W, xrefs: 004320D4
_, xrefs: 004320B4
U, xrefs: 004320DC
S, xrefs: 004320C4

Memory Dump Source

Source File: 00000002.00000002.2277663568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_SoftWare.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Q$S$U$W$Y$[$]$_
API String ID: 2610073882-2615533518
Opcode ID: 8cea9e5101c53ea0ac8a4799e7093f77caa1ae754c1385cdca0da0c1d8115096
Instruction ID: 6a9aa0fe1846206bb4ba060474b384b45f49531577d7e97b2301dac63b4f22f3
Opcode Fuzzy Hash: 8cea9e5101c53ea0ac8a4799e7093f77caa1ae754c1385cdca0da0c1d8115096
Instruction Fuzzy Hash: 43412A60108BC18ED7159F3C88986567FA16B66324F1886DCD8E90F7DBC3B5D50AC762

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SoftWare.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare.exe_221e44084ae96beb4141c7a593e67d6c924a1a6_7a5e3dd0_4959676f-5a9c-498b-bc13-91cb6d451dae\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare.exe_317646f4c0a3fe5f926530b7a18fc2652ea2_488e1332_88ecd21f-daf3-448f-9220-068fce0f2031\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare.exe_df20711a399579ea28ba2fbb49341fd87bf_7a5e3dd0_7c617227-d5ee-429f-92ad-86185f46aecb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB729.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB798.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7E7.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE240.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE399.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3C9.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF943.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9C1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F1.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
SoftWare.exe

Function 002A1FEA Relevance: 7.7, APIs: 5, Instructions: 153
memorythreadCOMMON

Function 002B2B19 Relevance: .0, Instructions: 29
COMMON

Function 002B1C2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 002A9EBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
threadCOMMON

Function 002A9D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 002B1CFA Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Function 0030310E Relevance: 75.4, Strings: 60, Instructions: 369
COMMON

Function 002F2C23 Relevance: 25.5, Strings: 20, Instructions: 469
COMMON

Function 00303AA7 Relevance: 24.0, Strings: 19, Instructions: 289
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre