Edit tour

Windows Analysis Report
5LEXIucyEP.exe

Overview

General Information

Sample name:	5LEXIucyEP.exe renamed because original name is a hash value
Original sample name:	42a5c60fadb3b94505babe3561507a50.exe
Analysis ID:	1558094
MD5:	42a5c60fadb3b94505babe3561507a50
SHA1:	ade46a914ffefa4b1d8b791fbfdf07531c362e44
SHA256:	a39cb2c31b6724eaa78f60fe29ced83e50ffad7e39efd604a7debdac63a2a80e
Tags:	exeMeduzaStealeruser-abuse_ch
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Suricata IDS alerts with low severity for network traffic

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5LEXIucyEP.exe (PID: 3344 cmdline: "C:\Users\user\Desktop\5LEXIucyEP.exe" MD5: 42A5C60FADB3B94505BABE3561507A50)

5LEXIucyEP.exe (PID: 4040 cmdline: C:\Users\user\Desktop\5LEXIucyEP.exe MD5: 42A5C60FADB3B94505BABE3561507A50)

cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "enew", "links": "", "port": 15666}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: 5LEXIucyEP.exe PID: 4040	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: 5LEXIucyEP.exe PID: 4040	JoeSecurity_CredGrabber	Yara detected CredGrabber	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.5LEXIucyEP.exe.140000000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
2.2.5LEXIucyEP.exe.140000000.0.raw.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T23:47:14.323644+0100	2049441	1	A Network Trojan was detected	192.168.2.8	49705	193.3.19.151	15666	TCP

ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T23:47:14.323644+0100	2050806	1	A Network Trojan was detected	192.168.2.8	49705	193.3.19.151	15666	TCP
2024-11-18T23:47:14.328691+0100	2050806	1	A Network Trojan was detected	192.168.2.8	49705	193.3.19.151	15666	TCP

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T23:47:14.323644+0100	2050807	1	A Network Trojan was detected	192.168.2.8	49705	193.3.19.151	15666	TCP
2024-11-18T23:47:14.328691+0100	2050807	1	A Network Trojan was detected	192.168.2.8	49705	193.3.19.151	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.5LEXIucyEP.exe.140000000.0.unpack

Malware Configuration Extractor: Meduza Stealer {"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "enew", "links": "", "port": 15666}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: 5LEXIucyEP.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140077BA0 CryptUnprotectData,LocalFree,	2_2_0000000140077BA0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140078020 BCryptDecrypt,BCryptDecrypt,	2_2_0000000140078020
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400783C0 BCryptCloseAlgorithmProvider,	2_2_00000001400783C0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140078440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,Concurrency::cancel_current_task,	2_2_0000000140078440
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5688 BCryptSetProperty,	2_2_00000001400D5688
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140033A30 BCryptDestroyKey,	2_2_0000000140033A30
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140037C20 CryptUnprotectData,LocalFree,	2_2_0000000140037C20
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140077EC0 CryptProtectData,LocalFree,	2_2_0000000140077EC0

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: 5LEXIucyEP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400BB500 FindClose,FindFirstFileExW,GetLastError,	2_2_00000001400BB500
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400BB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	2_2_00000001400BB5B0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5100 FindFirstFileW,	2_2_00000001400D5100
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D54A0 FindFirstFileExW,	2_2_00000001400D54A0

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400873F0 GetLogicalDriveStringsW,

2_2_00000001400873F0

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.8:49705 -> 193.3.19.151:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.8:49705 -> 193.3.19.151:15666

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 193.3.19.151:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ARNES-NETAcademicandResearchNetworkofSloveniaSI ARNES-NETAcademicandResearchNetworkofSloveniaSI

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.8:49705 -> 193.3.19.151:15666

Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_0000000140085240 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task,

2_2_0000000140085240

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: 5LEXIucyEP.exe, 00000002.00000003.1450618694.00000276317E1000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1540209214.00000276317F0000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1540179135.00000276317F0000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1540293246.00000276317F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: 5LEXIucyEP.exe, 00000002.00000003.1465139750.0000027632175000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1467258643.00000276327AE000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632120000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.000002763137D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632118000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631358000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464476407.0000027632088000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631375000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.0000027631515000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464707186.0000027632048000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.000002763216D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.000002763151D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631350000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464476407.0000027632090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: 5LEXIucyEP.exe, 00000002.00000003.1465139750.0000027632175000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1467258643.00000276327AE000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632120000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.000002763137D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632118000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631358000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464476407.0000027632088000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631375000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.0000027631515000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464707186.0000027632048000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.000002763216D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.000002763151D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631350000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464476407.0000027632090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 5LEXIucyEP.exe, 00000002.00000003.1464214839.000002763217C000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1468125473.0000027632B87000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.0000027631525000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.000002763135F000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632128000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_0000000140085B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0000000140085B70

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014008A430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	2_2_000000014008A430
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D56F8 NtQuerySystemInformation,	2_2_00000001400D56F8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140089D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	2_2_0000000140089D30

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014007F020	2_2_000000014007F020
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140088030	2_2_0000000140088030
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014008D050	2_2_000000014008D050
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014006D080	2_2_000000014006D080
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400320B0	2_2_00000001400320B0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400520F6	2_2_00000001400520F6
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014009918C	2_2_000000014009918C
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140085240	2_2_0000000140085240
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140045310	2_2_0000000140045310
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140066350	2_2_0000000140066350
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140030450	2_2_0000000140030450
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014003D570	2_2_000000014003D570
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400BB5B0	2_2_00000001400BB5B0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014008C5CB	2_2_000000014008C5CB
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014003E610	2_2_000000014003E610
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400C0658	2_2_00000001400C0658
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400876A0	2_2_00000001400876A0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014002F730	2_2_000000014002F730
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140086860	2_2_0000000140086860
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140065970	2_2_0000000140065970
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014003CA10	2_2_000000014003CA10
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140085B70	2_2_0000000140085B70
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140034B70	2_2_0000000140034B70
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140031B90	2_2_0000000140031B90
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140032CA0	2_2_0000000140032CA0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014003ECB0	2_2_000000014003ECB0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014002FE20	2_2_000000014002FE20
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A2E3C	2_2_00000001400A2E3C
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140049F80	2_2_0000000140049F80
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A30B8	2_2_00000001400A30B8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014009F0D8	2_2_000000014009F0D8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400070E0	2_2_00000001400070E0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014005C0F0	2_2_000000014005C0F0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400AC128	2_2_00000001400AC128
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140093150	2_2_0000000140093150
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140096164	2_2_0000000140096164
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140006180	2_2_0000000140006180
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A71D8	2_2_00000001400A71D8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140091220	2_2_0000000140091220
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400702C0	2_2_00000001400702C0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014007E2F0	2_2_000000014007E2F0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140095394	2_2_0000000140095394
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400763A6	2_2_00000001400763A6
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400283D0	2_2_00000001400283D0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400AA3C8	2_2_00000001400AA3C8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014007B420	2_2_000000014007B420
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014005C420	2_2_000000014005C420
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014008A430	2_2_000000014008A430
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400AA44F	2_2_00000001400AA44F
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014005B480	2_2_000000014005B480
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A14E4	2_2_00000001400A14E4
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140026510	2_2_0000000140026510
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140025520	2_2_0000000140025520
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140086540	2_2_0000000140086540
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140095598	2_2_0000000140095598
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140006610	2_2_0000000140006610
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014009666C	2_2_000000014009666C
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A8674	2_2_00000001400A8674
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A36A8	2_2_00000001400A36A8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A46E4	2_2_00000001400A46E4
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140054720	2_2_0000000140054720
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140062750	2_2_0000000140062750
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014008A780	2_2_000000014008A780
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014005B780	2_2_000000014005B780
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014009579C	2_2_000000014009579C
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014009F7E6	2_2_000000014009F7E6
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400398CD	2_2_00000001400398CD
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014007C8E0	2_2_000000014007C8E0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014009A924	2_2_000000014009A924
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140033A30	2_2_0000000140033A30
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400A6A68	2_2_00000001400A6A68
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140030A80	2_2_0000000140030A80
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140075AB0	2_2_0000000140075AB0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014005BAB0	2_2_000000014005BAB0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140060AC0	2_2_0000000140060AC0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140051AF0	2_2_0000000140051AF0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140078B00	2_2_0000000140078B00
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400ABB90	2_2_00000001400ABB90
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140057CEB	2_2_0000000140057CEB
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140090D14	2_2_0000000140090D14
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140074D40	2_2_0000000140074D40
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140098D50	2_2_0000000140098D50
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140005DB0	2_2_0000000140005DB0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014005BDD0	2_2_000000014005BDD0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014003ADD0	2_2_000000014003ADD0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140037E70	2_2_0000000140037E70
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140030E80	2_2_0000000140030E80
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140080E90	2_2_0000000140080E90
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140075EF0	2_2_0000000140075EF0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_000000014003BF40	2_2_000000014003BF40
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400BFFBC	2_2_00000001400BFFBC

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: String function: 000000014002E1D0 appears 33 times
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: String function: 0000000140036940 appears 41 times
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: String function: 00000001400486B0 appears 57 times
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: String function: 000000014002BA80 appears 32 times
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: String function: 0000000140098254 appears 34 times

Source: 5LEXIucyEP.exe

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/2

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014008B9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,

2_2_000000014008B9B0

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014003E610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

2_2_000000014003E610

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_0000000140074D40 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysStringByteLen,SysFreeString,SysFreeString,

2_2_0000000140074D40

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E696370FEBEA2

Source: 5LEXIucyEP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5LEXIucyEP.exe "C:\Users\user\Desktop\5LEXIucyEP.exe"
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Process created: C:\Users\user\Desktop\5LEXIucyEP.exe C:\Users\user\Desktop\5LEXIucyEP.exe
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Process created: C:\Users\user\Desktop\5LEXIucyEP.exe C:\Users\user\Desktop\5LEXIucyEP.exe	Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 5LEXIucyEP.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 5LEXIucyEP.exe

Static file information: File size 4270080 > 1048576

Source: 5LEXIucyEP.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x38c000

Source: 5LEXIucyEP.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 5LEXIucyEP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5LEXIucyEP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5LEXIucyEP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5LEXIucyEP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5LEXIucyEP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014003D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

2_2_000000014003D570

Source: 5LEXIucyEP.exe	Static PE information: section name: .00cfg
Source: 5LEXIucyEP.exe	Static PE information: section name: .gxfg
Source: 5LEXIucyEP.exe	Static PE information: section name: .retplne
Source: 5LEXIucyEP.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D50F0 push rsi; retf	2_2_00000001400D5103
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5100 push rsi; retf	2_2_00000001400D5103
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D50F8 push rsi; retf	2_2_00000001400D5103
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5110 push rbp; retf	2_2_00000001400D511B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5108 push rsi; retf	2_2_00000001400D510B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5120 push rsi; retf	2_2_00000001400D5123
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5118 push rbp; retf	2_2_00000001400D511B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5140 push rsi; retf	2_2_00000001400D5143
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5140 push rbp; retf	2_2_00000001400D518B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5138 push rsi; retf	2_2_00000001400D513B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5150 push rbp; retf	2_2_00000001400D515B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5160 push rbp; retf	2_2_00000001400D5163
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5170 push rbp; retf	2_2_00000001400D517B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5168 push rbp; retf	2_2_00000001400D516B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5190 push rsi; retf	2_2_00000001400D5193
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51B0 push rsi; retf	2_2_00000001400D51CB
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51A8 push rsi; retf	2_2_00000001400D51CB
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51D0 push rsi; retf	2_2_00000001400D51D3
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51E0 push rbp; retf	2_2_00000001400D51E3
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51D8 push rsi; retf	2_2_00000001400D51DB
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51F0 push rsi; retf	2_2_00000001400D51F3
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51F0 push rbp; retf	2_2_00000001400D5243
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51E8 push rsi; retf	2_2_00000001400D51F3
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51F8 push rbp; retf	2_2_00000001400D5203
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D51F8 push r14; retf	2_2_00000001400D525B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5210 push rbp; retf	2_2_00000001400D5213
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5220 push rsi; retf	2_2_00000001400D51F3
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5220 push rsi; retf	2_2_00000001400D522B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5218 push rbp; retf	2_2_00000001400D521B
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5230 push r14; retf	2_2_00000001400D5233
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5228 push rsi; retf	2_2_00000001400D522B

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014007C600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

2_2_000000014007C600

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-68365

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-68007

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400BB500 FindClose,FindFirstFileExW,GetLastError,	2_2_00000001400BB500
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400BB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	2_2_00000001400BB5B0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D5100 FindFirstFileW,	2_2_00000001400D5100
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D54A0 FindFirstFileExW,	2_2_00000001400D54A0

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400873F0 GetLogicalDriveStringsW,

2_2_00000001400873F0

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_0000000140099038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

2_2_0000000140099038

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: 5LEXIucyEP.exe	Binary or memory string: VBoxGuest
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: 5LEXIucyEP.exe	Binary or memory string: VBoxMouse
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 5LEXIucyEP.exe	Binary or memory string: VBoxTray
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F4CC000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1451202145.000002762F4E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 5LEXIucyEP.exe	Binary or memory string: VBoxMRXNP
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 5LEXIucyEP.exe	Binary or memory string: VBoxHook
Source: 5LEXIucyEP.exe	Binary or memory string: VBoxSF
Source: 5LEXIucyEP.exe, 00000002.00000003.1457163680.0000027632093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	API call chain: ExitProcess graph end node			graph_2-67944
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	API call chain: ExitProcess graph end node			graph_2-67949

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014008A430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,

2_2_000000014008A430

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400AF2B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00000001400AF2B8

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400BD804 GetLastError,IsDebuggerPresent,OutputDebugStringW,

2_2_00000001400BD804

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014003D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

2_2_000000014003D570

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400A9EEC GetProcessHeap,

2_2_00000001400A9EEC

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D52C0 RtlLookupFunctionEntry,SetUnhandledExceptionFilter,	2_2_00000001400D52C0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400AF2B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00000001400AF2B8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400D52E0 SetUnhandledExceptionFilter,	2_2_00000001400D52E0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_00000001400AF498 SetUnhandledExceptionFilter,	2_2_00000001400AF498
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: 2_2_0000000140097F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0000000140097F68

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Memory written: C:\Users\user\Desktop\5LEXIucyEP.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Thread register set: target process: 4040

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_000000014007B420 ShellExecuteW,

2_2_000000014007B420

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Process created: C:\Users\user\Desktop\5LEXIucyEP.exe C:\Users\user\Desktop\5LEXIucyEP.exe

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400ADF10 cpuid

2_2_00000001400ADF10

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoW,	2_2_000000014009E020
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: EnumSystemLocalesW,	2_2_00000001400A9030
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00000001400A90C8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoEx,FormatMessageA,	2_2_00000001400BB170
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoW,	2_2_00000001400A9310
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoW,	2_2_00000001400D53A0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: EnumSystemLocalesW,	2_2_00000001400D53B8
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00000001400A9468
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: GetLocaleInfoW,	2_2_00000001400A9518
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00000001400A964C
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: EnumSystemLocalesW,	2_2_000000014009DAE0
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_00000001400A8C04
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Code function: EnumSystemLocalesW,	2_2_00000001400A8F60

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 0_2_00007FF607DC0214 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF607DC0214

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_0000000140086150 GetUserNameW,

2_2_0000000140086150

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Code function: 2_2_00000001400876A0 GetTimeZoneInformation,

2_2_00000001400876A0

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: 5LEXIucyEP.exe PID: 4040, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 2.2.5LEXIucyEP.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5LEXIucyEP.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5LEXIucyEP.exe PID: 4040, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: CExodus
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: 5LEXIucyEP.exe, 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\5LEXIucyEP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\5LEXIucyEP.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: 5LEXIucyEP.exe PID: 4040, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 2.2.5LEXIucyEP.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.5LEXIucyEP.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5LEXIucyEP.exe PID: 4040, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Access Token Manipulation	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	211 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Email Collection	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	35 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5LEXIucyEP.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://support.mozilla.org	5LEXIucyEP.exe, 00000002.00000003.1465139750.0000027632175000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1467258643.00000276327AE000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632120000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.000002763137D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.0000027632118000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631358000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464476407.0000027632088000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631375000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.0000027631515000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464707186.0000027632048000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464214839.000002763216D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1465335650.000002763151D000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631350000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1464476407.0000027632090000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ns.microsoft.t/Regi	5LEXIucyEP.exe, 00000002.00000003.1450618694.00000276317E1000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1540209214.00000276317F0000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1540179135.00000276317F0000.00000004.00000020.00020000.00000000.sdmp, 5LEXIucyEP.exe, 00000002.00000003.1540293246.00000276317F4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	5LEXIucyEP.exe, 00000002.00000003.1464016665.0000027631385000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.3.19.151	unknown	Denmark		2107	ARNES-NETAcademicandResearchNetworkofSloveniaSI	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558094
Start date and time:	2024-11-18 23:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5LEXIucyEP.exe renamed because original name is a hash value
Original Sample Name:	42a5c60fadb3b94505babe3561507a50.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 65% Number of executed functions: 82 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 5LEXIucyEP.exe, PID 3344 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 5LEXIucyEP.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.3.19.151	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	spacers.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	[Inquiry] mv Palmela - CE replacement at your port, oa Nov. 22nd.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
	SOA.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	95.87.151.60
	yakuza.mips.elf	Get hash	malicious	Unknown	Browse	194.249.92.194
	HRU6b08mmd.exe	Get hash	malicious	Amadey, Healer AV Disabler, PureLog Stealer, RedLine	Browse	193.3.19.154
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	95.87.138.87
	h0r0zx00x.x86.elf	Get hash	malicious	Mirai	Browse	141.255.194.230
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	95.87.151.62
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Ailurophile Stealer, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://viewstripo.email/680864d7-5609-4e6a-8914-c4d257d4c5ee1731949744848	Get hash	malicious	Unknown	Browse	188.114.97.3
	Play audio message wav from Ann & Cory Ellis (Work).pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	Ailurophile Stealer	Browse	104.26.8.59
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://experteau.lawgovexperts.com/Fp0c8/	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Fluor RFQ1475#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	Statement_of_account.vbs	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	P6uSqL3TTL.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	172.67.74.152
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.077605010295228
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5LEXIucyEP.exe
File size:	4'270'080 bytes
MD5:	42a5c60fadb3b94505babe3561507a50
SHA1:	ade46a914ffefa4b1d8b791fbfdf07531c362e44
SHA256:	a39cb2c31b6724eaa78f60fe29ced83e50ffad7e39efd604a7debdac63a2a80e
SHA512:	d98f41807a0fa8edb5a2f2b054985d753e18deaa06e768045dcab7a108e15ae95dabb0c35506e652dd61d039da43d71d9576638d3ec85ffe46d21e4d18285611
SSDEEP:	49152:/xGK0l3e3ubXWCC5JJhZs0wFF2d1vJ2Z:/xGK09yuZZ
TLSH:	F916E067FD4065FED874903488970777A67BB480873287DB1698262A2E5BBD42F3BF40
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...z.9g.........."...........9................@..............................A...........`........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140050200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6739EB7A [Sun Nov 17 13:11:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	78c9da53bf2d072d61b49d02beb24690

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F198C6DA4E0h
dec eax
add esp, 28h
jmp 00007F198C6DA34Fh
int3
int3
dec eax
mov dword ptr [esp+18h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov eax, dword ptr [003B6E18h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F198C6DA546h
dec eax
and dword ptr [ebp+10h], 00000000h
dec eax
lea ecx, dword ptr [ebp+10h]
call dword ptr [003AC17Ah]
dec eax
mov eax, dword ptr [ebp+10h]
dec eax
mov dword ptr [ebp-10h], eax
call dword ptr [003AC0CCh]
mov eax, eax
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [003AC0B8h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+18h]
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [003AC228h]
mov eax, dword ptr [ebp+18h]
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+18h]
dec eax
xor eax, dword ptr [ebp-10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3fbdd8	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x419000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x40b000	0x65e8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x41a000	0x1e18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3efd80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xe60a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3fc208	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x79546	0x79600	186e011cfbf8022fa84d5f0ef4ee3df7	False	0.4946133174562307	data	6.440568316909284	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7b000	0x38bf44	0x38c000	fb086edab81677abac65333d32e442ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x407000	0x36f8	0x1c00	7568d2f08f4ac81dae4d5e33ab60923a	False	0.17047991071428573	zlib compressed data	3.5531018656709605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x40b000	0x65e8	0x6600	4edc9593f97b9b4e42d309e7db70aca7	False	0.48330269607843135	data	5.764133465668278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x412000	0x38	0x200	c8b156cca6c1f20e90ecbf8f3612fd39	False	0.072265625	data	0.4716713977505448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gxfg	0x413000	0x2200	0x2200	a3fb3e1da377202334d413fbe0e439a4	False	0.4314108455882353	data	5.230691552229934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retplne	0x416000	0x8c	0x200	8c950f651287cbc1296bcb4e8cd7e990	False	0.126953125	data	1.050583247971927
.tls	0x417000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x418000	0x1f4	0x200	b9c7c28bbb6fccd97a8b522b747b58b7	False	0.541015625	data	4.238899079513315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x419000	0x1a8	0x200	d38b4cd68eb239a7aa6a06b6f8091e1d	False	0.484375	data	4.179663701400347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x41a000	0x1e18	0x2000	13f065f7aeef4dbbab821942b99113ab	False	0.6956787109375	data	6.3753774469932685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x419060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Imports

DLL	Import
USER32.dll	GetRawInputDeviceInfoW, GetRawInputDeviceList
KERNEL32.dll	AcquireSRWLockExclusive, AreFileApisANSI, CloseHandle, CreateFileMappingW, CreateFileW, CreateProcessW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindFirstFileW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeProcess, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoEx, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetUserDefaultLCID, GlobalAlloc, GlobalFree, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, K32EnumDeviceDrivers, K32GetDeviceDriverBaseNameW, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LocalFree, MapViewOfFile, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReadProcessMemory, ReleaseSRWLockExclusive, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadContext, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, UnmapViewOfFile, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualProtect, VirtualQuery, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteProcessMemory
MPR.dll	WNetCloseEnum, WNetEnumResourceA, WNetOpenEnumA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T23:47:14.323644+0100	2049441	ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt	1	192.168.2.8	49705	193.3.19.151	15666	TCP
2024-11-18T23:47:14.323644+0100	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.8	49705	193.3.19.151	15666	TCP
2024-11-18T23:47:14.323644+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.8	49705	193.3.19.151	15666	TCP
2024-11-18T23:47:14.328691+0100	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.8	49705	193.3.19.151	15666	TCP
2024-11-18T23:47:14.328691+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.8	49705	193.3.19.151	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 23:47:07.221446991 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:07.226459980 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:07.226538897 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:08.251432896 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:08.251461029 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:08.251688957 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:08.396130085 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:08.396162987 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.639226913 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.639338017 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.691795111 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.691809893 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.692781925 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.692866087 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.693902016 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.735321999 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.895489931 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.895561934 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.895575047 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.895620108 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.895664930 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:09.895715952 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.895838976 CET	49706	443	192.168.2.8	172.67.74.152
Nov 18, 2024 23:47:09.895852089 CET	443	49706	172.67.74.152	192.168.2.8
Nov 18, 2024 23:47:14.323643923 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328613043 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328638077 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328664064 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328676939 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328691006 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328720093 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328744888 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328757048 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328783035 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328799009 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328814030 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328814983 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328830957 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.328849077 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328860044 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328882933 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.328979015 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.329029083 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.335585117 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335601091 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335695982 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335700989 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.335709095 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335716009 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335721016 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335799932 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.335829973 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.335874081 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.336241961 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.336322069 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.336357117 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.336414099 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.336874008 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.336930037 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.340677023 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.340769053 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.341017008 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.341090918 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.341099024 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.341156960 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.341186047 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.341227055 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.341233969 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.341289997 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.341864109 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342026949 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.342480898 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342494011 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342509031 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342531919 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342551947 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.342566013 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.342580080 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342590094 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.342592955 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342624903 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342637062 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342643023 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.342648029 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.342693090 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.343365908 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.343379021 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.343416929 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.343426943 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.343429089 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.343441963 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.343480110 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346012115 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346076965 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346288919 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346302986 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346327066 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346339941 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346348047 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346365929 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346385002 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346402884 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346412897 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346415043 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346466064 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346499920 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346506119 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346556902 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346628904 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346678019 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346714020 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346726894 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346745014 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346757889 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346769094 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346782923 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346807003 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346853018 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346867085 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346878052 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346892118 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346904993 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346910000 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346920967 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.346930981 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346959114 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.346985102 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347110033 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347161055 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347563028 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347620010 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347656012 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347703934 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347784042 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347796917 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347820044 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347831964 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347832918 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347841978 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347866058 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347878933 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347889900 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347908020 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347915888 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347920895 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.347949028 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347966909 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.347978115 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.348032951 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.348032951 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.348081112 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349330902 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349356890 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349380016 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349389076 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349402905 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349432945 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349451065 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349456072 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349469900 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349499941 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349503994 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349515915 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349522114 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349549055 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349565983 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349566936 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349580050 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349616051 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349627018 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349628925 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349642038 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349657059 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349675894 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349689007 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349699020 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349709034 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349723101 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349735022 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349739075 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349767923 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349792957 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349802971 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349817038 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349848032 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349858999 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349880934 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349893093 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349926949 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349936962 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.349953890 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349966049 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.349981070 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.350009918 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.350023985 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351625919 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351639032 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351664066 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351675987 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351681948 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351701975 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351716995 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351728916 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351730108 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351773024 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351798058 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351810932 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351824999 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351847887 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351861000 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351874113 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.351878881 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.351918936 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352272034 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352287054 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352334976 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352335930 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352349043 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352360964 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352380991 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352385044 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352391005 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352397919 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352426052 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352427959 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352451086 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352458000 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352472067 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.352473974 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352503061 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352525949 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.352997065 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353022099 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353049994 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353065968 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353086948 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353099108 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353136063 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353147984 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353182077 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353195906 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353207111 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353230953 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353236914 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353244066 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353255987 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353264093 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353269100 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353281021 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353285074 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353302002 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353307009 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353318930 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353336096 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353342056 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353348970 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353354931 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353389025 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353442907 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353456020 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353487968 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353491068 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353501081 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353504896 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353538036 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353539944 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353553057 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353553057 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353586912 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353590965 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353596926 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353604078 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353615999 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353638887 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353641033 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353652000 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353656054 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353663921 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353684902 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353722095 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353723049 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353734970 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353770971 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353796959 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353807926 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353833914 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353882074 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353897095 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353910923 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353923082 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353945017 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.353952885 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.353967905 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.354023933 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355046988 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355058908 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355071068 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355093002 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355104923 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355130911 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355139017 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355143070 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355158091 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355170965 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355196953 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355220079 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355221987 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355232954 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355247974 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355253935 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355281115 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355321884 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355326891 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355340958 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355375051 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355396986 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355494976 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355509043 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355531931 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355539083 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355559111 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355575085 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355582952 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355587959 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355624914 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355624914 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355638981 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355638981 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355650902 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355667114 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355669975 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355696917 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355714083 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355931044 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355942965 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.355988979 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.355994940 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356020927 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356048107 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356065989 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356110096 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356170893 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356199980 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356213093 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356225014 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356245995 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356267929 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356278896 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356281042 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356304884 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356317043 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356317997 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356348038 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356360912 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356373072 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356383085 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356389999 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356396914 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356414080 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356419086 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356426954 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356451035 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356488943 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356494904 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356512070 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356522083 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356554985 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356565952 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356579065 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356580973 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356590033 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356616020 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356616974 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356628895 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356657982 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356673956 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356682062 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356686115 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356694937 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356707096 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356719017 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356729031 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356746912 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356760025 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356764078 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356772900 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356786013 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356802940 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356811047 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356823921 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356832981 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356836081 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356848001 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356848955 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356873989 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356888056 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356890917 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356899023 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356915951 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356915951 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356928110 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.356950045 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.356971979 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357089996 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357127905 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357139111 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357177019 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357177973 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357223034 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357302904 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357316017 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357327938 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357340097 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357350111 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357352018 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357372999 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357378006 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357388973 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357391119 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357403994 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357405901 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357418060 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357439995 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357445955 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357451916 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357465029 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357476950 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357489109 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357490063 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357501030 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357505083 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357517004 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.357527018 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357553005 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.357578993 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.358865023 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.358877897 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.358890057 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.358905077 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.358935118 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.358952045 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.358957052 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.358969927 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359005928 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359009981 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359019995 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359023094 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359057903 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359061956 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359071016 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359075069 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359095097 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359110117 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359111071 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359124899 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359141111 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359152079 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359188080 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359200954 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359213114 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359226942 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359241009 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359251976 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359261036 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359266043 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359278917 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359292984 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359323978 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359325886 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359339952 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359344006 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.359352112 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359365940 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.359395027 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360109091 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360124111 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360147953 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360160112 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360172033 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360188007 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360193014 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360205889 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360217094 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360230923 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360240936 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360253096 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360260010 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360275984 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360287905 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360291004 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360318899 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360335112 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360384941 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360398054 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360411882 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360424995 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360433102 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360450983 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360450983 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360464096 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360476971 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360482931 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360488892 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360502005 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360513926 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360526085 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360538006 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360538960 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360551119 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360568047 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360575914 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360589027 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360601902 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360605001 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360619068 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360625982 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360644102 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360656977 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360667944 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360685110 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360696077 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360697985 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360709906 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360723972 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360738993 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360750914 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360758066 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360764980 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360775948 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360807896 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360814095 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360826015 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360829115 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360837936 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360850096 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360861063 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360883951 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360892057 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360897064 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360955954 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360951900 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.360970020 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360982895 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.360996008 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361000061 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361008883 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361021996 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361022949 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361038923 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361056089 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361066103 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361079931 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361093998 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361107111 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361133099 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361150026 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361155033 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361171007 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361212015 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361212015 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361223936 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361248970 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361255884 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361263037 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361268997 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361285925 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361295938 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361299038 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361311913 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361325026 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361335039 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361346960 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361347914 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361358881 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361393929 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361524105 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361536980 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361574888 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361579895 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361588955 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361593008 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361625910 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361639977 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361653090 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361675978 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361699104 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361707926 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361715078 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361738920 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361759901 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361783981 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361900091 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361912966 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361924887 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361938000 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361959934 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.361967087 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361989021 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.361999989 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.362011909 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.362021923 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.362025023 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.362049103 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.362063885 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.362075090 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.362076044 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.362113953 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.362127066 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.362128973 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.362174034 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.406480074 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.406766891 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.406861067 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.406919956 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.406984091 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407042027 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407103062 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407156944 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407239914 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407322884 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407407045 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407461882 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.407525063 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.446429014 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.446726084 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.446808100 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.446856022 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.446913958 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.446929932 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.452085018 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.452327967 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.452408075 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.452447891 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.494368076 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.494509935 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.546369076 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.546478033 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.562870979 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.563143015 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563218117 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563270092 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563328981 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563388109 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563456059 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563507080 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563565969 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563617945 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563677073 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563731909 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563800097 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.563831091 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.571644068 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.571712971 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.614365101 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.614715099 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.614842892 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.614914894 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.614993095 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.615057945 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.615151882 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.615222931 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.615305901 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.615389109 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.615473032 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.621877909 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.622109890 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.622222900 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.622271061 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.662507057 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.662713051 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.662810087 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.705455065 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.705543041 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.705590010 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.705703020 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.705755949 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.705852032 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.705926895 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.706006050 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.706082106 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.706154108 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.706226110 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.706307888 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.706356049 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.710773945 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.710962057 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.754302025 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.754463911 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.802449942 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.802524090 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.803462982 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.803642988 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804059982 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804116011 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804116011 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804171085 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804230928 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804279089 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804337025 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804387093 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804441929 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804492950 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804555893 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804615021 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804678917 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.804692984 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.807533979 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.807594061 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808604956 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808651924 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808701038 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808723927 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808725119 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808756113 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808790922 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808809042 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808837891 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808856010 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808871984 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.808875084 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808897018 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808928967 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.808990955 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809040070 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809047937 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809068918 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809094906 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809103966 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809120893 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809123039 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809149027 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809149981 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809176922 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809178114 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809201956 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809205055 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809231997 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809233904 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809264898 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809266090 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809292078 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809313059 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809319019 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.809339046 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.809362888 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.850372076 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.850640059 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851063967 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851114988 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851159096 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851216078 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851258039 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851330042 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851382017 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851438999 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851490021 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851552963 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.851592064 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872093916 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.872168064 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872286081 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.872500896 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872581005 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872638941 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872684956 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.872710943 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872766972 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872838020 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872895002 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.872956991 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.873017073 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.873086929 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.873147011 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.877548933 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.877791882 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.877876043 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.877919912 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.918332100 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.918442011 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949224949 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.949346066 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.949482918 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949572086 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949626923 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949646950 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.949704885 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949752092 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949806929 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949856997 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949912071 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.949968100 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.950045109 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.950114012 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.950180054 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.950237036 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.950303078 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.950345039 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.954477072 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.954540968 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.998425007 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:14.998785973 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.998872995 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.998933077 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.998986959 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.999030113 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.999089003 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.999133110 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.999182940 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.999231100 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:14.999291897 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:15.017532110 CET	15666	49705	193.3.19.151	192.168.2.8
Nov 18, 2024 23:47:15.017848969 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:15.017918110 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:15.017968893 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:15.018018007 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:15.018065929 CET	49705	15666	192.168.2.8	193.3.19.151
Nov 18, 2024 23:47:15.018110037 CET	49705	15666	192.168.2.8	193.3.19.151

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 23:47:08.235263109 CET	192.168.2.8	1.1.1.1	0xbd21	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 23:47:08.242255926 CET	1.1.1.1	192.168.2.8	0xbd21	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 18, 2024 23:47:08.242255926 CET	1.1.1.1	192.168.2.8	0xbd21	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 18, 2024 23:47:08.242255926 CET	1.1.1.1	192.168.2.8	0xbd21	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	172.67.74.152	443	4040	C:\Users\user\Desktop\5LEXIucyEP.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 22:47:09 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-11-18 22:47:09 UTC	398	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 22:47:09 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8e4b802e19785390-DEN server-timing: cfL4;desc="?proto=TCP&rtt=22546&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=738&delivery_rate=128591&cwnd=32&unsent_bytes=0&cid=394970f4fa6f53d4&ts=818&x=0"
2024-11-18 22:47:09 UTC	14	IN	Data Raw: 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 Data Ascii: 155.94.241.187

Target ID:	0
Start time:	17:47:05
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\5LEXIucyEP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5LEXIucyEP.exe"
Imagebase:	0x7ff607d70000
File size:	4'270'080 bytes
MD5 hash:	42A5C60FADB3B94505BABE3561507A50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:47:05
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\5LEXIucyEP.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\5LEXIucyEP.exe
Imagebase:	0x7ff607d70000
File size:	4'270'080 bytes
MD5 hash:	42A5C60FADB3B94505BABE3561507A50
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000002.00000002.1540891848.000002762F467000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FF607DC0214 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF607DC0240
GetCurrentThreadId.KERNEL32 ref: 00007FF607DC024E
GetCurrentProcessId.KERNEL32 ref: 00007FF607DC025A
QueryPerformanceCounter.KERNEL32 ref: 00007FF607DC026A

Memory Dump Source

Source File: 00000000.00000002.1423341625.00007FF607D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF607D70000, based on PE: true

Associated: 00000000.00000002.1423321450.00007FF607D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423389477.00007FF607DEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423389477.00007FF607E04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423389477.00007FF60815F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423606697.00007FF608177000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423627912.00007FF60817B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423627912.00007FF608183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1423666914.00007FF608188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff607d70000_5LEXIucyEP.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b7ee5f73d21c22f4c3e3b841111f855bb87ab456a378e60018242c68feb33e76
Instruction ID: 5e52f6137d7a06b7a951f38158256eaf7ca8628a2c666363cbd48b6253fe6d6f
Opcode Fuzzy Hash: b7ee5f73d21c22f4c3e3b841111f855bb87ab456a378e60018242c68feb33e76
Instruction Fuzzy Hash: AE111832B14B028AEB00CB70E8542B833B4FB59758F541E35EAAD867A4DF7CD1A4C380

Analysis Process: 5LEXIucyEP.exePID: 4040, Parent PID: 3344COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	0.1%
Signature Coverage:	26.3%
Total number of Nodes:	1779
Total number of Limit Nodes:	58

Executed Functions

Function 0000000140085B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 0000000140085BB1
GetSystemMetrics.USER32 ref: 0000000140085BBF
GetSystemMetrics.USER32 ref: 0000000140085BCD
GetSystemMetrics.USER32 ref: 0000000140085BDB
GetDC.USER32 ref: 0000000140085BE5
GetDeviceCaps.GDI32 ref: 0000000140085BFB
GetDeviceCaps.GDI32 ref: 0000000140085C0B
CreateCompatibleDC.GDI32 ref: 0000000140085C18
CreateCompatibleBitmap.GDI32 ref: 0000000140085C30
SelectObject.GDI32 ref: 0000000140085C46
BitBlt.GDI32 ref: 0000000140085C7C
SHCreateMemStream.SHLWAPI ref: 0000000140085CB2
SelectObject.GDI32 ref: 0000000140085CC8
DeleteDC.GDI32 ref: 0000000140085CD1
ReleaseDC.USER32 ref: 0000000140085CDC
DeleteObject.GDI32 ref: 0000000140085CE5
EnterCriticalSection.KERNEL32 ref: 0000000140085DDC
LeaveCriticalSection.KERNEL32 ref: 0000000140085DEE
IStream_Size.SHLWAPI ref: 0000000140085E25
IStream_Reset.SHLWAPI ref: 0000000140085E36
IStream_Read.SHLWAPI ref: 0000000140085EBB
SelectObject.GDI32 ref: 0000000140085F15
DeleteDC.GDI32 ref: 0000000140085F1E
ReleaseDC.USER32 ref: 0000000140085F2B
DeleteObject.GDI32 ref: 0000000140085F34

Strings

, xrefs: 0000000140085C51

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
String ID:
API String ID: 3214587331-3916222277
Opcode ID: 7880575e5be1866883f8c11694f0fa3bcd234d90e74b5da47c063ed087dc07b9
Instruction ID: 29d90ec41e240c3377c711dae59ac155e8499d0f3b0558b6758983a8074ab864
Opcode Fuzzy Hash: 7880575e5be1866883f8c11694f0fa3bcd234d90e74b5da47c063ed087dc07b9
Instruction Fuzzy Hash: A2B12E32208BC086E761DB22E8543DEB7A5FB8DBC1F408515EB8A43B69DF38C1858B40

Function 00000001400BB5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00000001400BB65D
GetLastError.KERNEL32 ref: 00000001400BB667
FindFirstFileW.KERNEL32 ref: 00000001400BB67E
GetLastError.KERNEL32 ref: 00000001400BB68A
FindClose.KERNEL32 ref: 00000001400BB698
__std_fs_open_handle.LIBCPMT ref: 00000001400BB72B
CloseHandle.KERNEL32 ref: 00000001400BB741
CloseHandle.KERNEL32 ref: 00000001400BB8B4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction ID: fde7f6f548f3d5d2f6b779677d4d0ac92ef93c0439d4cbf494ca9037cd0bf826
Opcode Fuzzy Hash: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction Fuzzy Hash: 50918E32204E0147E6769FA7A8047AA23A4AB8D7F5F584714FBB6476F4DFB8CA05C740

Function 0000000140088030 Relevance: 22.6, APIs: 3, Strings: 9, Instructions: 1600COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140086C70: GetCurrentHwProfileW.ADVAPI32 ref: 0000000140086CAC

Part of subcall function 0000000140086540: EnumDisplayDevicesW.USER32 ref: 0000000140086657
Part of subcall function 0000000140086540: EnumDisplayDevicesW.USER32 ref: 00000001400866FB

Part of subcall function 0000000140086460: RegGetValueA.ADVAPI32 ref: 00000001400864C9

Part of subcall function 0000000140086150: GetUserNameW.ADVAPI32 ref: 0000000140086195

Part of subcall function 00000001400861F0: GetComputerNameW.KERNEL32 ref: 0000000140086235

GlobalMemoryStatusEx.KERNEL32 ref: 00000001400887BC
wcsftime.LIBCMT ref: 0000000140088FB2
GetModuleFileNameA.KERNEL32 ref: 0000000140089146

Strings

timezone, xrefs: 0000000140089454
system, xrefs: 0000000140088424, 0000000140088513, 0000000140088609, 0000000140088703, 000000014008884B, 0000000140088945, 0000000140088A38, 0000000140088BBF, 0000000140088DB0, 0000000140089031, 00000001400891F4, 000000014008940E, 00000001400895AD, 0000000140089757, 000000014008981D
ram, xrefs: 000000014008889B
%d-%m-%Y, %H:%M:%S, xrefs: 0000000140088F9F
cpu, xrefs: 0000000140088658
time, xrefs: 0000000140089081
gpu, xrefs: 0000000140088562
user_name, xrefs: 000000014008846F
computer_name, xrefs: 0000000140088994

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Name$DevicesDisplayEnum$ComputerCurrentFileGlobalMemoryModuleProfileStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 2509368203-1182675529
Opcode ID: 286886150a149220558eda05bb1874823fa911463f34d60d30cc8f1aee4a1d55
Instruction ID: d620e18de0984a8e39bfa124ec3d4ddc85dfef93ce126abce4a28bff5dd582f2
Opcode Fuzzy Hash: 286886150a149220558eda05bb1874823fa911463f34d60d30cc8f1aee4a1d55
Instruction Fuzzy Hash: EDF25A33614BC085EB22DB26E8903DD77A1F799798F419616FB9D47BA9DB38C284C700

Function 000000014003D570 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 862
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000000014003D65C
GetProcAddress.KERNEL32 ref: 000000014003D767
GetProcAddress.KERNEL32 ref: 000000014003D829
GetProcAddress.KERNEL32 ref: 000000014003D8A3
GetProcAddress.KERNEL32 ref: 000000014003D925
GetProcAddress.KERNEL32 ref: 000000014003D99F
GetProcAddress.KERNEL32 ref: 000000014003DA23
FreeLibrary.KERNEL32 ref: 000000014003E551

Strings

system, xrefs: 000000014003E35D
cannot use push_back() with , xrefs: 000000014003E59F
vault, xrefs: 000000014003E3B3

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2449869053-1741236777
Opcode ID: c000e3d45510e42f7568d5470ac037552d3d6c9599d3bb9b565b5fb69ffb7507
Instruction ID: 696e51854e3c29299793d402c575ee2136e7098d30157e86c4ca4cc0287c11fa
Opcode Fuzzy Hash: c000e3d45510e42f7568d5470ac037552d3d6c9599d3bb9b565b5fb69ffb7507
Instruction Fuzzy Hash: E0924C72205BC489DB628F26E8843DE77B4F749798F504216EB9D4BBA9EF74C684C700

Function 0000000140065970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

status, xrefs: 000000014006A5B5, 000000014006A600, 000000014006A6D9, 000000014006A790, 000000014006A863, 000000014006A885, 000000014006A89B, 000000014006A8BD, 000000014006CA99, 000000014006DE11, 000000014006DE33, 000000014006DE5B, 000000014006DE83, 000000014006F764
@, xrefs: 000000014006A32B
recursive_directory_iterator::operator++, xrefs: 000000014006A678, 000000014006A745, 000000014006A808
directory_iterator::directory_iterator, xrefs: 000000014006A5A5, 000000014006A853, 000000014006A875, 000000014006A8AD, 000000014006CA83, 000000014006DE23, 000000014006F4A4, 000000014006F78C
exists, xrefs: 0000000140065F90, 000000014006A58E, 000000014006A5DE, 000000014006A6AC, 000000014006A76E, 000000014006A83C, 000000014006CA70, 000000014006D060, 000000014006F48D, 000000014006F779
content, xrefs: 0000000140066EB7, 00000001400679CA, 000000014006845D, 0000000140068F0A, 00000001400698AE, 000000014006A03E, 000000014006D6B3, 000000014006DB94
., xrefs: 0000000140065C70
cannot use push_back() with , xrefs: 000000014006A625, 000000014006A6FE, 000000014006A7B5, 000000014006DDD5
filename, xrefs: 0000000140066D9C, 00000001400678E3, 0000000140068376, 0000000140068E23, 0000000140069793, 0000000140069F35, 000000014006D5FC, 000000014006DAE0
chrome_key, xrefs: 000000014006C851, 000000014006C97F
recursive_directory_iterator::recursive_directory_iterator, xrefs: 000000014006A68F, 000000014006A6C9, 000000014006A81F
@, xrefs: 0000000140069B9B
prefs.js, xrefs: 000000014006E5E2
key, xrefs: 000000014006C60E, 000000014006C740

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: .$@$@$cannot use push_back() with $chrome_key$content$directory_iterator::directory_iterator$exists$filename$key$prefs.js$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 0-4287193513
Opcode ID: d85864b6336acd62be5f7280330fa91da0aadc80efc30bd9caf6eb99ab158536
Instruction ID: 76d522da9c60edd065d321252c96f4a617312223c2e0a99c55d01cc88780bd8f
Opcode Fuzzy Hash: d85864b6336acd62be5f7280330fa91da0aadc80efc30bd9caf6eb99ab158536
Instruction Fuzzy Hash: 40C18232200B8586EB62EF26D8843ED63A2F76C7D5F644A11FB9D437A5DB78C941C740

Function 000000014007C600 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014007F820: GetCurrentProcess.KERNEL32 ref: 000000014007F85B
Part of subcall function 000000014007F820: OpenProcessToken.ADVAPI32 ref: 000000014007F86E
Part of subcall function 000000014007F820: GetTokenInformation.ADVAPI32 ref: 000000014007F8AA
Part of subcall function 000000014007F820: CloseHandle.KERNEL32 ref: 000000014007F8CB

ExitProcess.KERNEL32 ref: 000000014007C647
OpenMutexA.KERNEL32 ref: 000000014007C762
ExitProcess.KERNEL32 ref: 000000014007C772
CreateMutexA.KERNEL32 ref: 000000014007C791
ExitProcess.KERNEL32 ref: 000000014007C7B7

Part of subcall function 000000014007FB60: GetModuleFileNameW.KERNEL32 ref: 000000014007FBAA

Part of subcall function 000000014008A780: CoInitializeEx.OLE32 ref: 000000014008A7EA

Strings

SeImpersonatePrivilege, xrefs: 000000014007C65A
SeDebugPrivilege, xrefs: 000000014007C64E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Process$Exit$MutexOpenToken$CloseCreateCurrentFileHandleInformationInitializeModuleName
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 4279366119-3768118664
Opcode ID: 06ac85763f9a18a1cc96000ce891c6a5429a7b4bc90ff6d88ec2da73067e368e
Instruction ID: 3ae122bd098ee7b8381494ed92cbdbbf6973114b6c4fbea328cfc20ec3a2cbb6
Opcode Fuzzy Hash: 06ac85763f9a18a1cc96000ce891c6a5429a7b4bc90ff6d88ec2da73067e368e
Instruction Fuzzy Hash: 34619F32618A8481FA62AB66E4523EE63A0FB8D7C0F505615FB8D476F6DF3CC1418B11

Function 0000000140034B70 Relevance: 15.3, APIs: 3, Strings: 5, Instructions: 1343registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014003509B
RegQueryValueExA.ADVAPI32 ref: 00000001400350E9
RegCloseKey.ADVAPI32 ref: 0000000140035186

Strings

content, xrefs: 00000001400355A3, 0000000140035BF6, 0000000140036120
status, xrefs: 0000000140036403, 0000000140036413
filename, xrefs: 000000014003549A, 0000000140035A28, 0000000140035F59
exists, xrefs: 0000000140036398, 00000001400363E3, 000000014003647A
directory_iterator::directory_iterator, xrefs: 0000000140036441

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3677997916-3429737954
Opcode ID: 035a063e41ede83a0fd5412019dce75b81cb3214d819aa95f3ac2bc1dd272a41
Instruction ID: 7b7ad4ccabc59f41d35c00ebb4a54e0cc5e1f704924bbbbd3f86ce4379df2c1a
Opcode Fuzzy Hash: 035a063e41ede83a0fd5412019dce75b81cb3214d819aa95f3ac2bc1dd272a41
Instruction Fuzzy Hash: F7E24B72615BC08AEB729F36D8803DD73A5F789798F505216EB9C4BAA9DF74C684C300

Function 0000000140032CA0 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 789
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140033022
RegQueryValueExA.ADVAPI32 ref: 000000014003306A
RegCloseKey.ADVAPI32 ref: 00000001400330F7

Strings

content, xrefs: 0000000140033694
status, xrefs: 00000001400339F9
filename, xrefs: 0000000140033500
exists, xrefs: 00000001400339BE
directory_iterator::directory_iterator, xrefs: 00000001400339DD

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3677997916-3429737954
Opcode ID: a866973bd759222d398105693641a06b5bd7560993289929aca12bb0f0a5aea5
Instruction ID: 47e475a853bf6280244d8020a7fc99c2c981a6738fa49efe3c1ad0c059e6ac7a
Opcode Fuzzy Hash: a866973bd759222d398105693641a06b5bd7560993289929aca12bb0f0a5aea5
Instruction Fuzzy Hash: 7C824A72611BC48AEB628F3AD8803DE73A1F789798F505216EB9D57BA9DF34C584C340

Function 00000001400A2E3C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00000001400A2E81

Part of subcall function 00000001400A24E8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A24FC

Part of subcall function 000000014009D3C8: HeapFree.KERNEL32 ref: 000000014009D3DE
Part of subcall function 000000014009D3C8: GetLastError.KERNEL32 ref: 000000014009D3E8

Part of subcall function 00000001400ABA84: _invalid_parameter_noinfo.LIBCMT ref: 00000001400AB9CF

_get_daylight.LIBCMT ref: 00000001400A2E70

Part of subcall function 00000001400A2548: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A255C

_get_daylight.LIBCMT ref: 00000001400A30E6
_get_daylight.LIBCMT ref: 00000001400A30F7
_get_daylight.LIBCMT ref: 00000001400A3108
GetTimeZoneInformation.KERNEL32 ref: 00000001400A312F

Strings

Eastern Standard Time, xrefs: 00000001400A31D5
Eastern Summer Time, xrefs: 00000001400A31ED

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 355007559-239921721
Opcode ID: d27e707e32a7a668b79f18f39980f86f66c1361dc0c94ac41fd5faca01788e5a
Instruction ID: 33c1b94af872691e134a774f96405fbf90e61f0c3ac2d4846b7876194704bd86
Opcode Fuzzy Hash: d27e707e32a7a668b79f18f39980f86f66c1361dc0c94ac41fd5faca01788e5a
Instruction Fuzzy Hash: 93D1A03271024086EB26EF37D8517E967A1F7ACBD4F448236FF5947AA6DB38C4818B40

Function 0000000140085240 Relevance: 13.9, APIs: 9, Instructions: 408
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000000014008540B
InternetOpenUrlA.WININET ref: 00000001400854E8
HttpQueryInfoW.WININET ref: 0000000140085549
HttpQueryInfoW.WININET ref: 00000001400855E2
InternetQueryDataAvailable.WININET ref: 0000000140085626
InternetReadFile.WININET ref: 00000001400856E9
InternetQueryDataAvailable.WININET ref: 00000001400857B4
InternetCloseHandle.WININET ref: 000000014008585E
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400858BB

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen$CloseConcurrency::cancel_current_taskFileHandleRead
String ID:
API String ID: 1475545111-0
Opcode ID: a1bf36862956553251bf516f1b99f75e72d1c813fc2b51caefe99fe4a895b67f
Instruction ID: fd1ac0142f7f91e5f8ef5dc0f4e92bc1219fc87fbcb7f59bf81abb0586ba325b
Opcode Fuzzy Hash: a1bf36862956553251bf516f1b99f75e72d1c813fc2b51caefe99fe4a895b67f
Instruction Fuzzy Hash: F8025A33A14B9486EB11DB6AE84039E77A5F7997D8F204215EF9857BA8DF78C181C700

Function 00000001400C0658 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400C023C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400C027D
Part of subcall function 00000001400C023C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400C02FB
Part of subcall function 00000001400C023C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400C034C

CreateFileW.KERNEL32 ref: 00000001400C075E
CreateFileW.KERNEL32 ref: 00000001400C07AE
GetLastError.KERNEL32 ref: 00000001400C07DE
GetFileType.KERNEL32 ref: 00000001400C07F3
GetLastError.KERNEL32 ref: 00000001400C07FD
CloseHandle.KERNEL32 ref: 00000001400C0830
CloseHandle.KERNEL32 ref: 00000001400C0993
CreateFileW.KERNEL32 ref: 00000001400C09C8
GetLastError.KERNEL32 ref: 00000001400C09D7

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction ID: 83644b67ebb14751364ddfbcc329ed2d9831cfd477b754813198fa2ff24e4f8c
Opcode Fuzzy Hash: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction Fuzzy Hash: FBC19B36724B448AEB15DFAAC4907AD3761F78DBE8F015215EF2A9B7A5CB38C056C340

Function 0000000140066350 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

cannot use push_back() with , xrefs: 000000014006A625, 000000014006A6FE, 000000014006A7B5
status, xrefs: 000000014006A600, 000000014006A6D9, 000000014006A790, 000000014006A863, 000000014006A885, 000000014006A89B, 000000014006A8BD
recursive_directory_iterator::operator++, xrefs: 000000014006A678, 000000014006A745, 000000014006A808
recursive_directory_iterator::recursive_directory_iterator, xrefs: 000000014006A68F, 000000014006A6C9, 000000014006A81F
exists, xrefs: 000000014006A5DE, 000000014006A6AC, 000000014006A76E, 000000014006A83C
directory_iterator::directory_iterator, xrefs: 000000014006A853, 000000014006A875, 000000014006A8AD

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 3645842244-1862120484
Opcode ID: b85098497e29e174e5e0d125e38a865b4444aacdb133920c5e87522b3c1c6480
Instruction ID: bba8860d3aa9c0501a6704626c2c7e4aee42dfacbccf4a7121c085916f1dd74c
Opcode Fuzzy Hash: b85098497e29e174e5e0d125e38a865b4444aacdb133920c5e87522b3c1c6480
Instruction Fuzzy Hash: 1BD21272519BC886D6718B1AE88139BB3A1F7DC784F505625EBCC53B69EB7CC294CB00

Function 00000001400320B0 Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 684
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140032409
RegQueryValueExA.ADVAPI32 ref: 000000014003244E
RegCloseKey.ADVAPI32 ref: 00000001400324F7

Strings

content, xrefs: 0000000140032915
filename, xrefs: 0000000140032787
exists, xrefs: 0000000140032C42
directory_iterator::directory_iterator, xrefs: 0000000140032C64

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename
API String ID: 3677997916-1400943384
Opcode ID: c196d407989b81333d886e25abeafa7d94654d4dc94241b5b3d364c7fe9aab29
Instruction ID: b2277efa446f2c05384135a9c60ce1ef2baabbbcc2b81f88aec781cb829a3c55
Opcode Fuzzy Hash: c196d407989b81333d886e25abeafa7d94654d4dc94241b5b3d364c7fe9aab29
Instruction Fuzzy Hash: 46723A72611BC48AEB228F36D8803DD77A0F789798F509215EB9D5BBA9DF34C685C340

Function 000000014007F020 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 451
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileSize.KERNEL32 ref: 000000014007F261
SetFilePointer.KERNEL32 ref: 000000014007F314
ReadFile.KERNEL32 ref: 000000014007F343

Strings

ios_base::eofbit set, xrefs: 000000014007F784
ios_base::failbit set, xrefs: 000000014007F77D
exists, xrefs: 000000014007F7CA
ios_base::badbit set, xrefs: 000000014007F771, 000000014007F7EF

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: File$PointerReadSize
String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 404940565-15404121
Opcode ID: d909d95e84f980d109caea5088e6d2dfa24c646e34c152c1621861f1e02e4fac
Instruction ID: 5edcf1363d10bf31a9295209213c7a3ef359e081411608d1d95c6d83a7e8165e
Opcode Fuzzy Hash: d909d95e84f980d109caea5088e6d2dfa24c646e34c152c1621861f1e02e4fac
Instruction Fuzzy Hash: 76321632614BC489EB21CF35D8807ED37A1F789B88F548226EB4D5BBA9EB74C645D700

Function 00000001400A30B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00000001400A30E6

Part of subcall function 00000001400A2548: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A255C

_get_daylight.LIBCMT ref: 00000001400A30F7

Part of subcall function 00000001400A24E8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A24FC

_get_daylight.LIBCMT ref: 00000001400A3108

Part of subcall function 00000001400A2518: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A252C

Part of subcall function 000000014009D3C8: HeapFree.KERNEL32 ref: 000000014009D3DE
Part of subcall function 000000014009D3C8: GetLastError.KERNEL32 ref: 000000014009D3E8

GetTimeZoneInformation.KERNEL32 ref: 00000001400A312F

Strings

Eastern Standard Time, xrefs: 00000001400A31D5
Eastern Summer Time, xrefs: 00000001400A31ED

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: a0b2f147c5ed72e73a9ba99eccd64d774068bd057930b9dd808764ab5dc4e304
Instruction ID: db0e2232302c0215c246f8571b916b6a2febf07c2da0425627d7512260a1f4b0
Opcode Fuzzy Hash: a0b2f147c5ed72e73a9ba99eccd64d774068bd057930b9dd808764ab5dc4e304
Instruction Fuzzy Hash: 68514D3261064086F722EF37E8917D96761F79CBC4F44922AFB4D47AB6DB38C5818B40

Function 000000014009918C Relevance: 9.2, APIs: 6, Instructions: 227COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400991AE
_get_daylight.LIBCMT ref: 000000014009920E
_get_daylight.LIBCMT ref: 000000014009921F
_get_daylight.LIBCMT ref: 0000000140099230
_isindst.LIBCMT ref: 0000000140099281
_isindst.LIBCMT ref: 00000001400992D4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction ID: af26a4f8801793d3ce11611fdac42a3e64f2a46bd35c7c59f6a568dcc363727b
Opcode Fuzzy Hash: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction Fuzzy Hash: D681C7B27003454BEB598F6AC9417E873A5F75CBC8F449129FB098B7A9EB38D541CB40

Function 0000000140049F80 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 000000014004A134
__std_exception_destroy.LIBVCRUNTIME ref: 000000014004A142
__std_exception_destroy.LIBVCRUNTIME ref: 000000014004A3C5
__std_exception_destroy.LIBVCRUNTIME ref: 000000014004A3D3

Strings

value, xrefs: 000000014004A05A, 000000014004A2F3

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: 28c4b3bc701e466bd5711a0ceea654ecdee2709dad8495dceb75c89a78f1cb91
Instruction ID: c134aa0dda924bc4b970d5ee2dd0dc65a73e33e1cb439c775f43115319f3d1dd
Opcode Fuzzy Hash: 28c4b3bc701e466bd5711a0ceea654ecdee2709dad8495dceb75c89a78f1cb91
Instruction Fuzzy Hash: 90028C72A14BC085EB12DB7AD4803ED6761E78A7E4F515222FB9D03AEADF78C185C700

Function 000000014003E610 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003E65A
Process32FirstW.KERNEL32 ref: 000000014003E69C
Process32NextW.KERNEL32 ref: 000000014003E893
CloseHandle.KERNEL32 ref: 000000014003EB0A

Strings

[PID: , xrefs: 000000014003E6DE

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: [PID:
API String ID: 420147892-2210602247
Opcode ID: 5c646c2d2df9c617ccf451bf1d1df64f478098079caff3c2746eb4228344e502
Instruction ID: 45f4196ded283f1e18013c362ac568805eef84480359320777d6e4bf442c09c4
Opcode Fuzzy Hash: 5c646c2d2df9c617ccf451bf1d1df64f478098079caff3c2746eb4228344e502
Instruction Fuzzy Hash: 0AE16E72614BC085EB22DB26E8943DE67A5F7897E8F504215FB9D07BA9DF38C284C700

Function 000000014008B9B0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014008B9FE
OpenProcessToken.ADVAPI32 ref: 000000014008BA11
LookupPrivilegeValueW.ADVAPI32 ref: 000000014008BA32
AdjustTokenPrivileges.ADVAPI32 ref: 000000014008BA78
CloseHandle.KERNEL32 ref: 000000014008BA98

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction ID: 8e4f8d06d2c4ddfc7e806934d087d01799faa900bb6cc1b317aeea0d8f8b28af
Opcode Fuzzy Hash: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction Fuzzy Hash: CC214832218B8086E761DB22F45439AB7A4FB8CB90F958125FB8947B68DF7DC5458B40

Function 000000014006D080 Relevance: 6.8, Strings: 5, Instructions: 599COMMON

Download Yara Rule

Strings

cannot use push_back() with , xrefs: 000000014006DDD5
status, xrefs: 000000014006DE11, 000000014006DE33, 000000014006DE5B, 000000014006DE83
prefs.js, xrefs: 000000014006E5E2
exists, xrefs: 000000014006F48D
directory_iterator::directory_iterator, xrefs: 000000014006DE23, 000000014006F4A4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$prefs.js$status
API String ID: 0-2713369562
Opcode ID: 1f751f410187eb2bf2fc780715a3c0ec628b43c1dfaf6962dcb179a5cab95473
Instruction ID: b3fbb8dc4d3b89ba37a16b28408050db1824bf19221a002499ec192a306ffaa8
Opcode Fuzzy Hash: 1f751f410187eb2bf2fc780715a3c0ec628b43c1dfaf6962dcb179a5cab95473
Instruction Fuzzy Hash: 35522732509FC485E6B29B16E8813DAB3A5F7C9784F505626EBCC43B69EF78C594CB00

Function 000000014003CA10 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 671COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32 ref: 000000014003CA72
CredFree.ADVAPI32 ref: 000000014003D496

Strings

cannot use push_back() with , xrefs: 000000014003D4E4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: cannot use push_back() with
API String ID: 3403564193-4122110429
Opcode ID: a6f83ea36ffb6469ba2f6bf6e30f276aa89bc0932f97559575f5da80fd1756ef
Instruction ID: 2c83be45eaec0f7e1f6fdbb8577fcf9ca2a588b67551cccb8e55b4ba6c2ec1dd
Opcode Fuzzy Hash: a6f83ea36ffb6469ba2f6bf6e30f276aa89bc0932f97559575f5da80fd1756ef
Instruction Fuzzy Hash: 1F625D72614BC489EB22CF26E8803DD7761F789798F505316EBAD57BA9DB38C294C700

Function 00000001400520F6 Relevance: 5.4, Strings: 4, Instructions: 412COMMON

Download Yara Rule

Strings

object separator, xrefs: 000000014005272E
array, xrefs: 00000001400525C4
object, xrefs: 0000000140052679
object key, xrefs: 00000001400527E3

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: array$object$object key$object separator
API String ID: 0-2277530871
Opcode ID: 6012d09d474b2333cd91f5f681015ede13b4298f3621dc023fd4363f35e55689
Instruction ID: 10886125acb42317efe394ce9d9c91d2a19ed0983e554a2ccb1fded512390b1f
Opcode Fuzzy Hash: 6012d09d474b2333cd91f5f681015ede13b4298f3621dc023fd4363f35e55689
Instruction Fuzzy Hash: 4102D572625A8496EB12DF76D8403ED2321FB9A7C8F816212FB4D57ABADF74C244C304

Function 00000001400876A0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 00000001400879D0

Strings

[UTC, xrefs: 00000001400879A3

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID: [UTC
API String ID: 565725191-1715286942
Opcode ID: ff8f9ba26bcffe8c05b90d1ef0870ef0f10df0f0925d13163bcd4731c4f8a772
Instruction ID: 6538b487e3ff0e772b9f649e36bcf6dd55672f6dc7371b4f2e2c26f31a93ba50
Opcode Fuzzy Hash: ff8f9ba26bcffe8c05b90d1ef0870ef0f10df0f0925d13163bcd4731c4f8a772
Instruction Fuzzy Hash: 44B12B32614BC88AD7718F2AE84139AB7A4F79D788F105315EBCC57B69EB78C250CB44

Function 0000000140077BA0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0000000140077BF8
LocalFree.KERNEL32 ref: 0000000140077C8A

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction ID: 4296086251868e59c58a0d25c4c96546d3d1b8368fdcc8e5a20c42b548a3eb4e
Opcode Fuzzy Hash: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction Fuzzy Hash: 8D414232614B80CAE3229F35E4407ED37A4F75978CF484229BB8C07E9ADB79C6A4C754

Function 00000001400873F0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 0000000140087461

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: a2c0b518ff976965a78bb2ac48e525d95efc5b07f2ad389012d5fbfb45ca8168
Instruction ID: f2cab6ee8911013723ff3d4b8f532fa1eef750fceda41a605a97ef7ce25926e1
Opcode Fuzzy Hash: a2c0b518ff976965a78bb2ac48e525d95efc5b07f2ad389012d5fbfb45ca8168
Instruction Fuzzy Hash: E1519C33A18B8082E711CF2AE48039EB7B5F789798F505215EB9C13AB9DB78D591DB40

Function 0000000140086150 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0000000140086195

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: abf913a544c6f9fdd308559da787f240108ca61f3614bb29fccc85bbbd2848d6
Instruction ID: 6386a9c63b89e62e1e7c53e5db0f7fdfe8938b55c0afa06648929fea26598edc
Opcode Fuzzy Hash: abf913a544c6f9fdd308559da787f240108ca61f3614bb29fccc85bbbd2848d6
Instruction Fuzzy Hash: 67011E3251878086EB62DF26E85539AA3A4F79C788F541215FB8D43659DBBCC1948B40

Function 0000000140086860 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

cores, xrefs: 0000000140086ABE

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: cores
API String ID: 0-2370456839
Opcode ID: 1c40f6ad5bdc51a9c1b0c674cd2da14632dd5b60f373a0aefe37a6fc72cd6771
Instruction ID: ab4aa3aeeaa4015b19261fa9ad63172245a6ad4ae734fbbfc8efca39b2fda2a7
Opcode Fuzzy Hash: 1c40f6ad5bdc51a9c1b0c674cd2da14632dd5b60f373a0aefe37a6fc72cd6771
Instruction Fuzzy Hash: 5CC1DC73E14B808AFB11CB7AD4403ED7761F3997A8F105715EBA817AAADB78C285C344

Function 000000014008D050 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\u%04x, xrefs: 000000014008D242

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: \u%04x
API String ID: 0-2916071157
Opcode ID: b2b871009dddb1a89fd49cebdd6041a976c6c630323626df0c68259fe89b00fc
Instruction ID: b071fa8c3cc924bcfca147f78a4ec5d1de903bcd583fa06fe28e0671e0746f18
Opcode Fuzzy Hash: b2b871009dddb1a89fd49cebdd6041a976c6c630323626df0c68259fe89b00fc
Instruction Fuzzy Hash: 3981FF33204A9492EA56DB66E554BEE7760F789BC0F848622EF4A43BA5DF38C615C300

Function 000000014008C5CB Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

": , xrefs: 000000014008C6B1, 000000014008C75E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: ":
API String ID: 0-3662656813
Opcode ID: 44d721b99f2493e28cbbaba1f3a7e6a84bc52b14feb101429c6fd78baff2fb3e
Instruction ID: 028190e1dd898fe98b913e6efbb6f356ab67162368aeb52ca58740fe67f46a41
Opcode Fuzzy Hash: 44d721b99f2493e28cbbaba1f3a7e6a84bc52b14feb101429c6fd78baff2fb3e
Instruction Fuzzy Hash: 2091F276314A8582DB209F2AE194B9E77B1F789FC8F459002DB9E0BB65CF39C559CB00

Function 0000000140045310 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 0000000140045399

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 0-1713319389
Opcode ID: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction ID: 014310bfbc4a3b67612d0ff5db8dcfc52a4721cd440e8a7597f65d7e1b9a6290
Opcode Fuzzy Hash: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction Fuzzy Hash: 0041B2736196E04AD702CB3A84113BD7FB2E36AB89F1D8162E7D48B757D62DC216CB10

Function 000000014003ECB0 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91f39c6efebc377b76e34f356a85ea52b44a23e4a0e22303bc0d3bcec94c178
Instruction ID: 556bcc8ed2f7d60abd17131f05911de347896ff4eb0ddc75f3b6a310c9ffcf8e
Opcode Fuzzy Hash: c91f39c6efebc377b76e34f356a85ea52b44a23e4a0e22303bc0d3bcec94c178
Instruction Fuzzy Hash: 64722A72615BC489EB228B6AE8803DE73A1F78D798F504315EF9C57BA9DB78C244C704

Function 000000014002F730 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd73655a0c81fc9314b118eddbb9b1d4c53b5500ac22bbce3de83d419bd80632
Instruction ID: 03daaffc5176fd34d6a237ea16f9a65ad3a006eedbab0854a5589905b6fbd824
Opcode Fuzzy Hash: fd73655a0c81fc9314b118eddbb9b1d4c53b5500ac22bbce3de83d419bd80632
Instruction Fuzzy Hash: E4F15F72A15B888AEB218B6AE44139D77A0F78C7D8F104315FFDC57B99EB78C1908B44

Function 0000000140030450 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4011a34db5286b4b69f2cfab335337d5f2f6ce234c6a964d4ce4cd86b9fb1119
Instruction ID: d70d8380272f1e84909289ee9d254a953fcbb73b845ed7599bc871076c2ed8be
Opcode Fuzzy Hash: 4011a34db5286b4b69f2cfab335337d5f2f6ce234c6a964d4ce4cd86b9fb1119
Instruction Fuzzy Hash: 9CF14F72A05F888AEB218B69E44139E77A4F78C798F104315EFDC57B99EF38C1908744

Function 000000014002FE20 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b272e4576cf18dbc449fc0bdcdae423230c3b19c1bc01ebe469c71b41ecfb90c
Instruction ID: e195251967ede27e933614341cb3951eab469dfc4d3952c9acab197e11283930
Opcode Fuzzy Hash: b272e4576cf18dbc449fc0bdcdae423230c3b19c1bc01ebe469c71b41ecfb90c
Instruction Fuzzy Hash: F7F15E72A05F848AEB618B6AE44139E77A4F38C798F104315FFDC57B99EB78C1908B44

Function 0000000140031B90 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88234163e079f4f2b54b1430b154383b426ed80cca2f8c579d4e4444d8e579f2
Instruction ID: 5a828c8658ee2566b42684f6f63458d35a1f44f6e631e7672213f541f063fe8d
Opcode Fuzzy Hash: 88234163e079f4f2b54b1430b154383b426ed80cca2f8c579d4e4444d8e579f2
Instruction Fuzzy Hash: 64D16932B14B8089F712CBB5D4403ED37B2E79D78CF015619AF8C27AAADB749595C384

Function 000000014007EBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014007E970: InitializeCriticalSectionEx.KERNEL32 ref: 000000014007E9C1
Part of subcall function 000000014007E970: GetLastError.KERNEL32 ref: 000000014007E9CB

EnterCriticalSection.KERNEL32 ref: 000000014007EC31
GdiplusStartup.GDIPLUS ref: 000000014007EC58
LeaveCriticalSection.KERNEL32 ref: 000000014007EC66
LeaveCriticalSection.KERNEL32 ref: 000000014007EC94
GdipGetImageEncodersSize.GDIPLUS ref: 000000014007ECA2
GdipGetImageEncoders.GDIPLUS ref: 000000014007ED36
GdipCreateBitmapFromScan0.GDIPLUS ref: 000000014007EE00
GdipSaveImageToStream.GDIPLUS ref: 000000014007EE1E
GdipDisposeImage.GDIPLUS ref: 000000014007EE83
GdipDisposeImage.GDIPLUS ref: 000000014007EE97

Strings

&, xrefs: 000000014007EDFA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: bf0236f101f8e21e317088f3cb88ff4920e04948ae26449d129670ccf4dc63a8
Instruction ID: 2933ea3cba5f62bacf30a145d024c6610061d140e98bafc5b8ee222a0d569d1d
Opcode Fuzzy Hash: bf0236f101f8e21e317088f3cb88ff4920e04948ae26449d129670ccf4dc63a8
Instruction Fuzzy Hash: B8916D32201B809AEB22DF22E8407D9B7A4F75DBD8F558615FF0947BA4DB38C996C340

Function 000000014007FCA0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 226
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400858D0: GetUserGeoID.KERNEL32 ref: 00000001400858F7
Part of subcall function 00000001400858D0: GetGeoInfoA.KERNEL32 ref: 0000000140085911
Part of subcall function 00000001400858D0: GetGeoInfoA.KERNEL32 ref: 0000000140085961

WSAStartup.WS2_32 ref: 000000014007FDBE
socket.WS2_32 ref: 000000014007FDDB
htons.WS2_32 ref: 000000014007FE00
inet_pton.WS2_32 ref: 000000014007FE42
connect.WS2_32 ref: 000000014007FE5C
closesocket.WS2_32 ref: 000000014007FE7B
WSACleanup.WS2_32 ref: 000000014007FE81

Strings

system, xrefs: 000000014007FD2A
geo, xrefs: 000000014007FD6B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 213021568-2364779556
Opcode ID: 9fc8b1dc3755d2dd2f71b7bebfedc2c2060b7ea47fe900d8aba93de43415e169
Instruction ID: 5e39d1486933869d33645940fa38852fb8bad04618512b41e1a6983fc6e90819
Opcode Fuzzy Hash: 9fc8b1dc3755d2dd2f71b7bebfedc2c2060b7ea47fe900d8aba93de43415e169
Instruction Fuzzy Hash: 30B16B72B11A4089FB02DB76D4503EC33B2AB9DBE8F415626EB59176F9DE38C54AC340

Function 00000001400A092C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400A0D59

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f3fc50aa6c1617f97820c214b6f357f8593fa625a947542fe4ec2dfdbb2d532b
Instruction ID: 1587d5abd9b319571573c48e8f8a5ca4e906ccd50f109f1cac320b02b794b413
Opcode Fuzzy Hash: f3fc50aa6c1617f97820c214b6f357f8593fa625a947542fe4ec2dfdbb2d532b
Instruction Fuzzy Hash: A1C1F03221478982F7639B1794403EE7BA4F7A9BD4F564211FB4A077B2CB79C885CB11

Function 000000014007EA50 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 000000014007EA93
EnterCriticalSection.KERNEL32 ref: 000000014007EAA5
EnterCriticalSection.KERNEL32 ref: 000000014007EAB5
GdiplusShutdown.GDIPLUS ref: 000000014007EAC3
LeaveCriticalSection.KERNEL32 ref: 000000014007EAD0
LeaveCriticalSection.KERNEL32 ref: 000000014007EADA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 46c865431367d1bada0cd35fb3685f35713bfb53898f18d72c1e296ca1b3c958
Instruction ID: dcfb53e97d05e3396d4aa64d1b67aeea8fd7a19c85708699b0c64b346d41ba89
Opcode Fuzzy Hash: 46c865431367d1bada0cd35fb3685f35713bfb53898f18d72c1e296ca1b3c958
Instruction Fuzzy Hash: A411E932112B5091EB119F26E85439D7364FB4CFA9F684615AB59076B4DF38C897C350

Function 0000000140084A30 Relevance: 6.4, APIs: 4, Instructions: 417networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0000000140084C0C
recv.WS2_32 ref: 00000001400850EC
closesocket.WS2_32 ref: 00000001400850FE
WSACleanup.WS2_32 ref: 0000000140085104

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: recv$Cleanupclosesocket
String ID:
API String ID: 146070474-0
Opcode ID: 07e8817331f4b7f7d2307bbab4c7b93adc3b1d2574686ccc64d097425d429bbe
Instruction ID: b946d2c26836d9b1051e74beb1b184431b09a1050fca472289d527709f65e4e4
Opcode Fuzzy Hash: 07e8817331f4b7f7d2307bbab4c7b93adc3b1d2574686ccc64d097425d429bbe
Instruction Fuzzy Hash: E8126E73618BC081EA229B16E4543DEA761F79D7E0F504612FBAD47AEADF78C584CB00

Function 000000014007F820 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014007F85B
OpenProcessToken.ADVAPI32 ref: 000000014007F86E
GetTokenInformation.ADVAPI32 ref: 000000014007F8AA
CloseHandle.KERNEL32 ref: 000000014007F8CB

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction ID: 4ac3f93d2f4e81bd50ee8aef4ea7470c81fa649bc502074349a2660f854164c1
Opcode Fuzzy Hash: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction Fuzzy Hash: 8911FB32618B8082E7519F16F85039AB7A0FB89B81F549125FB9987B68CF3CC455CB40

Function 0000000140086460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegGetValueA.ADVAPI32 ref: 00000001400864C9

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00000001400864BB
ProductName, xrefs: 00000001400864B4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Value
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3702945584-1787575317
Opcode ID: 4adfbbe0f3484cc7a5acaefcbce83f0c94fb9759dd9dfdb56e9eff7cc340b344
Instruction ID: 0a7fd6b673f61970bf2da1044729ec967914b747b3f2b276bd9284bd5dc68a64
Opcode Fuzzy Hash: 4adfbbe0f3484cc7a5acaefcbce83f0c94fb9759dd9dfdb56e9eff7cc340b344
Instruction Fuzzy Hash: 71115B32208B8082EB22CF22F45139AB3B4F79DB88F514215EB9847B69DFBCC155CB40

Function 0000000140084DB7 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00000001400850EC
closesocket.WS2_32 ref: 00000001400850FE
WSACleanup.WS2_32 ref: 0000000140085104

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Cleanupclosesocketrecv
String ID:
API String ID: 3447645871-0
Opcode ID: 3cfb61bbb7f42aecc48a81a155c639fa34dc00802dd39597d14376df0ee440c9
Instruction ID: f1a95010fa3eeab52f1984fc64572a1107dc8f99f3060c579d6027e39eb340be
Opcode Fuzzy Hash: 3cfb61bbb7f42aecc48a81a155c639fa34dc00802dd39597d14376df0ee440c9
Instruction Fuzzy Hash: 80917E73A14BC081EA229B26E4543DE6761F79A7E1F505311EBAD07AFADF78C5808740

Function 0000000140087151 Relevance: 4.7, APIs: 3, Instructions: 163registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140087169
RegEnumKeyExA.ADVAPI32 ref: 00000001400871AE
RegCloseKey.ADVAPI32 ref: 00000001400873A4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 14ce9f3599971ef2d804a2baaaa07d37dcc18f1f1a4c232d1080b1493289a220
Instruction ID: 4eb1fa3da8fed86ec807e8835bf4fdbc3ecb00f2d9d20f4819ab5aef128a13a5
Opcode Fuzzy Hash: 14ce9f3599971ef2d804a2baaaa07d37dcc18f1f1a4c232d1080b1493289a220
Instruction Fuzzy Hash: 75717A73A04B8486EB21CB66E48479E6760F7897E8F204215FFAD17AE9DB78C1C1D700

Function 00000001400870E0 Relevance: 4.6, APIs: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140087169
RegEnumKeyExA.ADVAPI32 ref: 00000001400871AE

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 69580b2b5a3aab25ec6d1d344f29727ed6fdfb6e770ce3ab2c6c0fb9dc78db39
Instruction ID: b10b6130942ee25d8504e7b0700fe5892cfaace6609e80b330833a4265116e58
Opcode Fuzzy Hash: 69580b2b5a3aab25ec6d1d344f29727ed6fdfb6e770ce3ab2c6c0fb9dc78db39
Instruction Fuzzy Hash: 37318D32610B8486FB21CFA6E854B9E77A4F7887D8F204215EF9917B68DF78C596C700

Function 0000000140086E1B Relevance: 4.6, APIs: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140086E37
RegQueryValueExA.ADVAPI32 ref: 0000000140086E76
RegCloseKey.ADVAPI32 ref: 0000000140086F14

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ce7efc3fb5e817364906e3e123d1b6842e8b95f0194340855c4c668cc93a66f3
Instruction ID: 177ab1ecef40ef2106ab0c510ad3af320b8a7d9225c3425d0499ead86d1d285a
Opcode Fuzzy Hash: ce7efc3fb5e817364906e3e123d1b6842e8b95f0194340855c4c668cc93a66f3
Instruction Fuzzy Hash: BE218073614B8481EA619B26F49139EA760FBD97D4F505226FB8D43AA9DF3CC184CB40

Function 00000001400858D0 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 00000001400858F7
GetGeoInfoA.KERNEL32 ref: 0000000140085911
GetGeoInfoA.KERNEL32 ref: 0000000140085961

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction ID: 0d4333e7acfcd10664b751b764566d9c33a0389198715772ff2fcd180fd2e377
Opcode Fuzzy Hash: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction Fuzzy Hash: 36119D3261878182D7119F62E41075EB3A2FB84BC8F455125EF8503B69DF7CD5908B44

Function 00000001400A4F60 Relevance: 4.5, APIs: 3, Instructions: 15COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000001400A4F71
TerminateProcess.KERNEL32 ref: 00000001400A4F7C
ExitProcess.KERNEL32 ref: 00000001400A4F8B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3909df8ddc6717e2b276abcc8b7868d121cee5230461283d2778d4ce90183b93
Instruction ID: e805d3ee5994ab50d8ddfbed6d232eb1317883b916c6c6f4e9f617acb090b269
Opcode Fuzzy Hash: 3909df8ddc6717e2b276abcc8b7868d121cee5230461283d2778d4ce90183b93
Instruction Fuzzy Hash: CBD06C383007049AEB1A7B7258953AC12656BAD782F902938AA02077A3CD39C88A4A50

Function 0000000140041EB0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014004209C

Strings

, xrefs: 0000000140041F33

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-3916222277
Opcode ID: 97cec123c8346849d4184d8998ea2100f4717973dead3215a377ca64f46489bd
Instruction ID: 41a150dcf48049a776dd81e3d5e3e1f932dfb0020c84a720df1c1764346652b8
Opcode Fuzzy Hash: 97cec123c8346849d4184d8998ea2100f4717973dead3215a377ca64f46489bd
Instruction Fuzzy Hash: BD516772304B4496EB168F2AD49439C73A0F788BD4F954622EF5D43BA5CF79D4A6C304

Function 0000000140086C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 0000000140086CAC

Strings

Unknown, xrefs: 0000000140086D66

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 06a2002a681cff94550a8657f83e2f7043b557fe8d82a80efd137201800bb89d
Instruction ID: b6cc9aea20a80e93beb496bcb72e8d94e9cb8475d7b391023006ee514db896da
Opcode Fuzzy Hash: 06a2002a681cff94550a8657f83e2f7043b557fe8d82a80efd137201800bb89d
Instruction Fuzzy Hash: 2131AD33628BC086E712CF22E5507DAA760F799B84F546215FBC907A6ADB7CC695CB00

Function 0000000140048560 Relevance: 3.2, APIs: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400486A0
Concurrency::cancel_current_task.LIBCPMT ref: 000000014004879F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0cbc12d84685bf8e214339f5dbce44343e83f3b68aedd7f3af7637bb9f21f461
Instruction ID: e93fd745ff60857ba182d59ca98009fa74ac710b246677c65970d569aa4b7534
Opcode Fuzzy Hash: 0cbc12d84685bf8e214339f5dbce44343e83f3b68aedd7f3af7637bb9f21f461
Instruction Fuzzy Hash: BB51A472305B8485FE76AB13A5043DD6255A70CBE4F594A35FF6D0BBE6DE38C4928304

Function 000000014007EED0 Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 000000014007EF29
CoTaskMemFree.OLE32 ref: 000000014007EFEA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: FolderFreeKnownPathTask
String ID:
API String ID: 969438705-0
Opcode ID: 333fc223f9b054ba6e049bbb425f8fab9b3b69f3c61af62c074ad23a6e04584a
Instruction ID: f3a443ffc45d68b8a04bfef255194bc9535a02ef0ceabe897b21db104d40ac75
Opcode Fuzzy Hash: 333fc223f9b054ba6e049bbb425f8fab9b3b69f3c61af62c074ad23a6e04584a
Instruction Fuzzy Hash: E8313272A14B8481E621CF26E44135EB761F79D7F4F645316FBAC03AA5DB7CC1818B40

Function 0000000140094648 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009466F

Part of subcall function 0000000140094604: _invalid_parameter_noinfo.LIBCMT ref: 000000014009461B

_invalid_parameter_noinfo.LIBCMT ref: 0000000140094723

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction ID: 32101a8edefa4219d4514f40ed930cbc4104b78895ab28f0dc7b75847b3e3112
Opcode Fuzzy Hash: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction Fuzzy Hash: 3431BD72215A4882EF62DB56E450BE963A1A79EBD4F960111F74A473F2EB38C101C700

Function 000000014007D510 Relevance: 3.1, APIs: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007D561
RegCloseKey.ADVAPI32 ref: 000000014007D573

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction ID: 743a173df9f0781bb695bac75db67ed2816ca8ec26105740734809d53537134b
Opcode Fuzzy Hash: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction Fuzzy Hash: EB21A132714A8486FE519B27E8507DAB760EB9CBD8F585222FB4D47BA9DE3CC481C700

Function 000000014007C7CC Relevance: 3.1, APIs: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003E610: CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003E65A
Part of subcall function 000000014003E610: Process32FirstW.KERNEL32 ref: 000000014003E69C

Part of subcall function 000000014003CA10: CredEnumerateA.ADVAPI32 ref: 000000014003CA72

Part of subcall function 0000000140084A30: recv.WS2_32 ref: 0000000140084C0C

ReleaseMutex.KERNEL32 ref: 000000014007C83B
CloseHandle.KERNEL32 ref: 000000014007C844

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: 2717296065379288539656974ed68afdf34ee7c6f5dd5d5dbc0f70cd0f16b3b5
Instruction ID: 403e803b9b323844cf0a0617732988bee78891b9a5a501bf0cd230f62815154a
Opcode Fuzzy Hash: 2717296065379288539656974ed68afdf34ee7c6f5dd5d5dbc0f70cd0f16b3b5
Instruction Fuzzy Hash: 7221BF3262468041FAA3B7B7A4177EE6340AF8D7D0F145A15FB9A076F39E3CC0819623

Function 000000014007C7FD Relevance: 3.0, APIs: 2, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140084A30: recv.WS2_32 ref: 0000000140084C0C

ReleaseMutex.KERNEL32 ref: 000000014007C83B
CloseHandle.KERNEL32 ref: 000000014007C844

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexReleaserecv
String ID:
API String ID: 2659716615-0
Opcode ID: d3635f6417aa2acf95da66740d6acfca195d23c3850ed3244a80d30dad7b3eb8
Instruction ID: 5b403d4752e08caa1fd44bd5fe61bc700b12f65057323a6ab7abb2728d133e11
Opcode Fuzzy Hash: d3635f6417aa2acf95da66740d6acfca195d23c3850ed3244a80d30dad7b3eb8
Instruction Fuzzy Hash: B411C432A146C042FAA3B777A4167EE5350AF8D7D0F045615FB99076F79F3CC0819612

Function 00000001400A0E9C Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00000001400A0EE8
GetLastError.KERNEL32 ref: 00000001400A0EF2

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction ID: 5e2eb42aa467ccbe49ae57b1676c20c6150fa8cb973f64d98be1cd83441f6eb1
Opcode Fuzzy Hash: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction Fuzzy Hash: 61119E72214B8482DA21DB26A404399A3A1E758BF4F584321FF791BBE9CF78C4918B40

Function 00000001400AE888 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400AE8B8

Part of subcall function 00000001400AF8DC: std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400AF8E5

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400AE8BE

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction ID: 69ec061bac81c01873d89cb0c3132a81b38bc9c219e0f41160fcd813fe823014
Opcode Fuzzy Hash: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction Fuzzy Hash: 97E04260A1228959FD6A26A715163F911840B6D7F0F2C1B24BF794B2E3AE3889D58A50

Function 000000014009D3C8 Relevance: 2.5, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014009D3DE
GetLastError.KERNEL32 ref: 000000014009D3E8

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction ID: 4fb8939859dd21c30d764fca774206093a9adc15e80cf677a28c9fe662fd02f8
Opcode Fuzzy Hash: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction Fuzzy Hash: 34E01275B0260492FF1A67F398453E922916F9C7C2F4484246B05932B2ED3485958210

Function 000000014008F150 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014008F3A0

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 9f69786d5a460bd10a7ebb6aefb8860d3e8c2c6fdcd2507370922641760e25d3
Instruction ID: 13db419113c6498c631838fdc6ddb0dd70937527e49e167ce5f06a1b8afcd3c4
Opcode Fuzzy Hash: 9f69786d5a460bd10a7ebb6aefb8860d3e8c2c6fdcd2507370922641760e25d3
Instruction Fuzzy Hash: F8618977300A8485EA169E26D1543BD27A1F318FD8F548611EF6E0B7E9DB38CA96E300

Function 000000014002E2A0 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 000000014002E3D3

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __std_fs_directory_iterator_open
String ID:
API String ID: 4007087469-0
Opcode ID: 62a6befd59e95e6be22f98e3a4ebfeb412ed4c535db2cb07cb418f979dd58634
Instruction ID: 6d6699e32af5188d03e7646770fb91dd7afc69d8a0446cbf3df081f31a3d3197
Opcode Fuzzy Hash: 62a6befd59e95e6be22f98e3a4ebfeb412ed4c535db2cb07cb418f979dd58634
Instruction Fuzzy Hash: 7761A472B50A8086FB12DF6AD4903ED23A1E75C7E8F404629FF1957BE5EE34C9958340

Function 0000000140048E80 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140049015

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0258579371ac84c030b687d8f3e9e53793be201047a4711ff45b69c63e3a0462
Instruction ID: 0e68d78e60faff21098140196ff033a2ffaaea4e00a4f5682bb80e4d4b41ae0d
Opcode Fuzzy Hash: 0258579371ac84c030b687d8f3e9e53793be201047a4711ff45b69c63e3a0462
Instruction Fuzzy Hash: 9841AC72304B8485EA229F12A1043DEA262B74DBD4F580A35FFAD0B7AADE39C4858304

Function 0000000140059FB0 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005A157

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 475dc834707bf9b69a2ed6ca5fbd2d93d1c4a33ad04622696f275e0343da7bf5
Instruction ID: 8ad1302b10b5acce4aa3e19f4b665ff3ecb338c093a195a91599cca128cde541
Opcode Fuzzy Hash: 475dc834707bf9b69a2ed6ca5fbd2d93d1c4a33ad04622696f275e0343da7bf5
Instruction Fuzzy Hash: 09418E76215B8481DA2ACB66E5443AEB3A1F74DBD0F548625BFAD03BA5DF3DC081C700

Function 0000000140049030 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400491AC

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b06bf60d8942ac0ae74babd23b73743ac7a4ad5b3f4cb2543b6c0d650ae8d781
Instruction ID: 2922c6a58d100b8567e20699b5a529503332b7a2c0142c3a3a15086411293361
Opcode Fuzzy Hash: b06bf60d8942ac0ae74babd23b73743ac7a4ad5b3f4cb2543b6c0d650ae8d781
Instruction Fuzzy Hash: AF41C27230578585EE26EB17A5083D9A251A34CBD4F544635BF6D0BBEADE38C582C308

Function 0000000140044600 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140044751

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 4ce40286f8a82187cbf7b249125b8b0654a91aa63af007f30e70285513720961
Instruction ID: 5efaee97d33e2a13fb32646ab95501abf4c72ec9c3bcc73401235e526073e405
Opcode Fuzzy Hash: 4ce40286f8a82187cbf7b249125b8b0654a91aa63af007f30e70285513720961
Instruction Fuzzy Hash: 9931E172701A9444FF16AB17E5403E92281A70AFE9F564631AF2D07BE6EE78C4828348

Function 000000014009D8C8 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009D8F0

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction ID: 970956ea101780b6a44bc08ac7971c10be475c9fcb23d85d0426192894f7542c
Opcode Fuzzy Hash: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction Fuzzy Hash: 4D41AE3224474487EB76DB1EE5413EA73A0E76ABD4F140206EB9A876A1DB39D402CB91

Function 0000000140048D10 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140048E6B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5181ff7c5b0a20993f7b1f1c64d4329c6f17784107f59b165e945c5c85f77bf9
Instruction ID: 2fe0f6833032918ed672ed661f9a947b9c0af5482e27d8a0f5cd47c8c693ff77
Opcode Fuzzy Hash: 5181ff7c5b0a20993f7b1f1c64d4329c6f17784107f59b165e945c5c85f77bf9
Instruction Fuzzy Hash: A331D27270578095EE269B27A5443DDA395E718BD4F590A35BF6D0BBE6DE38C081C304

Function 0000000140086290 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 0000000140086320

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 8839ae8f2d204f0763335732def2ff357d2a61c9c8b2f45dea9007f0933f9e1b
Instruction ID: dffcfb9f37b1a82ad039c49107d9a5130808b69e0a0edaedede7712015ce3c59
Opcode Fuzzy Hash: 8839ae8f2d204f0763335732def2ff357d2a61c9c8b2f45dea9007f0933f9e1b
Instruction Fuzzy Hash: F7517C33A14B808AE712CF79D4403DE77A0F799788F505612EB8C53AA9DF78C684CB40

Function 00000001400429B0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140042AB8

Part of subcall function 000000014002B820: __std_exception_copy.LIBVCRUNTIME ref: 000000014002B868

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy
String ID:
API String ID: 317858897-0
Opcode ID: 6049d514389b2d53e4139fc56efaf05ab899489269bfb5c352801ce2b5228899
Instruction ID: e0c424e73107c798dbe20568d75892bd8762e32d7f1318d59332ad997fcd64de
Opcode Fuzzy Hash: 6049d514389b2d53e4139fc56efaf05ab899489269bfb5c352801ce2b5228899
Instruction Fuzzy Hash: 3D21D732701B4042EE2AEB16E5403E96290E758BE4F654731AF7C07BE5EE78C4E2C345

Function 00000001400A080C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400A0892

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction ID: eadfb93546a9950693f2aa7559f4ccf8f1f0c25cf7c605596cfe9b5c909f97bf
Opcode Fuzzy Hash: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction Fuzzy Hash: D1316B3261065886F753AB6798413ED2B90B7ACFE5F920305BB99073F2DB7CC4818B55

Function 00000001400A4E91 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400A4EBF

Part of subcall function 00000001400A4FB8: GetModuleHandleExW.KERNEL32 ref: 00000001400A4FDD
Part of subcall function 00000001400A4FB8: GetProcAddress.KERNEL32 ref: 00000001400A4FF3
Part of subcall function 00000001400A4FB8: FreeLibrary.KERNEL32 ref: 00000001400A501A

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction ID: 0e4b959f2545b9961c939cfac364bfd3be1b5b2320958e1345833199399ed5d7
Opcode Fuzzy Hash: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction Fuzzy Hash: BD217A36A006408EEB268F65C4403EC37A0E3D875DF54173AE72947EEAEB34C485CB40

Function 00000001400BE200 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BE15D

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction ID: 824ad48f941a611458d9d107f1ba3892ee12638fd4db84a9ea3f894c29f76267
Opcode Fuzzy Hash: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction Fuzzy Hash: 03116632215A8081EB629F97D4003EEA3B4B79DFC4F554821FB895B7B6DB7CC9418740

Function 00000001400BFEF8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BFF1B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction ID: 608a15f6eaf0ef5a496612af3e2485e25ca9acab7b6d14a4bfcd21ba336913f7
Opcode Fuzzy Hash: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction Fuzzy Hash: 0A21A532214A8187EB629F6AD4407B977B0FBD9BD4F544224FB5D476EADB38C400CB00

Function 00000001400A54B4 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400A54DF

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 42dcc955d4fd3197300f6b05653cf2d2f457e7ff6d65b15765544b4f1739082b
Instruction ID: fd783d6a1e17b455ac1502cd21968fac34f3ce32d3c1f1488e06dd847f71ef0d
Opcode Fuzzy Hash: 42dcc955d4fd3197300f6b05653cf2d2f457e7ff6d65b15765544b4f1739082b
Instruction Fuzzy Hash: AE11A072525A40C2F312AB26E4507DDB3A2F79CBC5F450625FB96477B2CB38C8908F00

Function 0000000140080E00 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000140080E48

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction ID: 324eafc6b56467617a0271dfae881c0dd6149dee2f0a2b88ad16501ffcdce3d5
Opcode Fuzzy Hash: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction Fuzzy Hash: 1D01AD32714A8486EB518F1BF94075AA7A0F78CFD4F485230EF5D43B68DB38C9818700

Function 0000000140037633 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 0000000140037676

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 752fe5805e453647425062ce64daa4e53c54a82ad0d646f83825288564bb7983
Instruction ID: 198944faf61d7ec3d1a427db0a2f838cdd5696eaf073c2c50a60053681fd637d
Opcode Fuzzy Hash: 752fe5805e453647425062ce64daa4e53c54a82ad0d646f83825288564bb7983
Instruction Fuzzy Hash: 5701FB36218AC081EA72DB57F49579BA364F78CBD4F444026EF8D43B69DE39C886CB00

Function 0000000140097374 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140097393

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction ID: 10117cc0a24eac238d1afa44782b5dd388175b2725dd5008568661bd113a274c
Opcode Fuzzy Hash: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction Fuzzy Hash: 2BE0D832215B4481EF666BBB91417EC71506B5CBF4F548321BF38033E6DB3484905711

Function 00000001400AE9D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000001400AE9E4

Part of subcall function 00000001400B0E6C: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00000001400B0E74
Part of subcall function 00000001400B0E6C: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00000001400B0E79

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: 552cadb944fbfa7d273d14e6333c601f02b0659bfbb50ac822d976667c4bc77c
Instruction ID: bac56e61feae0d415a5fce5064964b513ab6c5bfd6be6e63147963a24a6523ee
Opcode Fuzzy Hash: 552cadb944fbfa7d273d14e6333c601f02b0659bfbb50ac822d976667c4bc77c
Instruction Fuzzy Hash: 34E012705057C040FEA77AB315473FE13502B3D3C4F500649BB95431F3963648C61A22

Function 00000001400BB4C0 Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00000001400BB4C4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction ID: 55b9ab2d4f23c47d731a4d9c5ea1b4a63ef8b7b9423aaadfc0eff3470f8c37f6
Opcode Fuzzy Hash: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction Fuzzy Hash: 65C09B39F15941D2E6553F775C823C611E06B5C792F440030DB0481170DE7CC5D78721

Function 00000001400BD0B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00000001400BD0BD

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction ID: fd872328199e54ae9bef307987e8fd57df0d4d182fee6eb87dab4ff849822d36
Opcode Fuzzy Hash: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction Fuzzy Hash: 0BB09236A148C0C3C612FB04E8422497331FB98B0FFD00000E78E42624CE2CCA2A8E00

Function 000000014009DA30 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014009DA85

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 9ae9f8af891c0b94514e7ea55ed6623f4eb6cc8682cd7ae55c8d48968416ecb5
Instruction ID: 07a5c3aa508a4e6947d003ddc055f1739cb4df8b9625e4c5651f4d540c93f396
Opcode Fuzzy Hash: 9ae9f8af891c0b94514e7ea55ed6623f4eb6cc8682cd7ae55c8d48968416ecb5
Instruction Fuzzy Hash: F6F0547438560585FE5B57A754513E923806B9DBC0F4C95326F0A873F2EE3CC9A08211

Function 000000014009E8BC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014009E8FA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction ID: 9f1c80e48db00bc7a01722dd14718bcfc10f7deb6eb96187868d3df548336582
Opcode Fuzzy Hash: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction Fuzzy Hash: 97F01C3130128945FE9666B398457EB12806B9DBF5F4947347F2A872E2DA38C8808620

Non-executed Functions

Function 0000000140091220 Relevance: 49.1, APIs: 25, Strings: 2, Instructions: 1888COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140091557
_invalid_parameter_noinfo.LIBCMT ref: 00000001400917BA
_invalid_parameter_noinfo.LIBCMT ref: 0000000140091A7D
_invalid_parameter_noinfo.LIBCMT ref: 0000000140091D1D
memcpy_s.LIBCPMT ref: 0000000140091F2A
memcpy_s.LIBCPMT ref: 0000000140091FC6
memcpy_s.LIBCPMT ref: 000000014009247E
memcpy_s.LIBCPMT ref: 00000001400924B9
memcpy_s.LIBCPMT ref: 00000001400925E5
memcpy_s.LIBCPMT ref: 000000014009270C
memcpy_s.LIBCPMT ref: 00000001400927B7
memcpy_s.LIBCPMT ref: 00000001400927FF
memcpy_s.LIBCPMT ref: 0000000140092829
memcpy_s.LIBCPMT ref: 00000001400928DA
memcpy_s.LIBCPMT ref: 0000000140092ADA
memcpy_s.LIBCPMT ref: 0000000140092B1F
memcpy_s.LIBCPMT ref: 0000000140092BD6
memcpy_s.LIBCPMT ref: 0000000140092D03
memcpy_s.LIBCPMT ref: 00000001400923CE

Part of subcall function 0000000140093664: _invalid_parameter_noinfo.LIBCMT ref: 0000000140093696

memcpy_s.LIBCPMT ref: 0000000140092449
memcpy_s.LIBCPMT ref: 0000000140092EBD

Strings

, xrefs: 0000000140092C83
, xrefs: 0000000140092DB0

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $
API String ID: 2880407647-227171996
Opcode ID: 49a4e64996860ac975e7d62cf44a3f3077f64a100a8fbd3398d3c45755aa41bf
Instruction ID: a657bb27cda1b9a1f0199fcee91b942ba265a0f8779d78ad39ddf276b9d33eb5
Opcode Fuzzy Hash: 49a4e64996860ac975e7d62cf44a3f3077f64a100a8fbd3398d3c45755aa41bf
Instruction Fuzzy Hash: 1503AE727146808BE7768F2AD950BEE77A1F3987C8F405119FB06A7BA8D735DA00CB40

Function 000000014008A430 Relevance: 34.3, APIs: 18, Strings: 1, Instructions: 1015stringmemorynativeCOMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 000000014008A473
NtAllocateVirtualMemory.NTDLL ref: 000000014008A4AB
lstrcpyW.KERNEL32 ref: 000000014008A50D
lstrcatW.KERNEL32 ref: 000000014008A5C2
NtAllocateVirtualMemory.NTDLL ref: 000000014008A649
lstrcpyW.KERNEL32 ref: 000000014008A6FC
RtlInitUnicodeString.NTDLL ref: 000000014008A711
RtlInitUnicodeString.NTDLL ref: 000000014008A726
LdrEnumerateLoadedModules.NTDLL ref: 000000014008A739
RtlReleasePebLock.NTDLL ref: 000000014008A73F

Part of subcall function 000000014007EED0: SHGetKnownFolderPath.SHELL32 ref: 000000014007EF29
Part of subcall function 000000014007EED0: CoTaskMemFree.OLE32 ref: 000000014007EFEA

CoInitializeEx.OLE32 ref: 000000014008A7EA
lstrcpyW.KERNEL32 ref: 000000014008A9C9
lstrcatW.KERNEL32 ref: 000000014008ABCE
CoGetObject.OLE32 ref: 000000014008ABEC
lstrcpyW.KERNEL32 ref: 000000014008B269
lstrcatW.KERNEL32 ref: 000000014008B48C
CoGetObject.OLE32 ref: 000000014008B4AA
CoUninitialize.OLE32 ref: 000000014008B972

Strings

0, xrefs: 000000014008B0AA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocateInitLockMemoryObjectStringUnicodeVirtual$AcquireEnumerateFolderFreeInitializeKnownLoadedModulesPathReleaseTaskUninitialize
String ID: 0
API String ID: 1424456515-4108050209
Opcode ID: 492b338820f99169d463ac70aaee31110251a50e0b91b4a597eba9b31ec53d8b
Instruction ID: 9810c761cc7ca390209fb3240a0556aa890f9a692ead07930317e79a6d183194
Opcode Fuzzy Hash: 492b338820f99169d463ac70aaee31110251a50e0b91b4a597eba9b31ec53d8b
Instruction Fuzzy Hash: EFC2B736626F988AD7908F69E88169DB3B5F788B88F106215FFCD57B18EB38C154C740

Function 0000000140006180 Relevance: 30.2, Strings: 24, Instructions: 238COMMON

Download Yara Rule

Strings

ntuser.dat.log, xrefs: 000000014000632D
ntuser.ini, xrefs: 0000000140006359
d3d9caps.dat, xrefs: 00000001400063E6
iconcache.db, xrefs: 00000001400062DE
gdipfontcachev1.dat, xrefs: 00000001400063B7
winre.wim, xrefs: 0000000140006500
boot.ini, xrefs: 00000001400061D1
autorun.inf, xrefs: 00000001400061A8
ntldr, xrefs: 0000000140006292
bootstat.dat, xrefs: 0000000140006415
wpsettings.dat, xrefs: 00000001400064A2
BOOTNXT, xrefs: 000000014000658D
indexervolumeguid, xrefs: 0000000140006473
ntuser.dat, xrefs: 0000000140006304
bootmgfw.efi, xrefs: 00000001400061F9
boot.sdi, xrefs: 00000001400064D1
winsipolicy.p7b, xrefs: 00000001400062B8
thumbs.db, xrefs: 0000000140006388
mib.bin, xrefs: 0000000140006444
reagent.xml, xrefs: 000000014000652F
bootfont.bin, xrefs: 0000000140006220
bootmgr, xrefs: 000000014000655E
bootsect.bak, xrefs: 0000000140006246
desktop.ini, xrefs: 000000014000626C

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: BOOTNXT$autorun.inf$boot.ini$boot.sdi$bootfont.bin$bootmgfw.efi$bootmgr$bootsect.bak$bootstat.dat$d3d9caps.dat$desktop.ini$gdipfontcachev1.dat$iconcache.db$indexervolumeguid$mib.bin$ntldr$ntuser.dat$ntuser.dat.log$ntuser.ini$reagent.xml$thumbs.db$winre.wim$winsipolicy.p7b$wpsettings.dat
API String ID: 118556049-850610325
Opcode ID: 22dcfd16a23274500c0631d97ecb7b22965bfb45e38d580db89ddce6ecc7947a
Instruction ID: 9af6f5fb2451f039e3f2e29efcbad565e8741d3969121260d1ea1181c48c6de1
Opcode Fuzzy Hash: 22dcfd16a23274500c0631d97ecb7b22965bfb45e38d580db89ddce6ecc7947a
Instruction Fuzzy Hash: 64C14562D60BC985E722DF36D8823E65361F7EE784F50A7067A8866866EF74D3C4C340

Function 000000014007B420 Relevance: 21.5, APIs: 1, Strings: 11, Instructions: 465COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000014007B9A7

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;', xrefs: 000000014007B5B4
ios_base::eofbit set, xrefs: 000000014007BBCC
runas, xrefs: 000000014007B926
open, xrefs: 000000014007B91D
.exe, xrefs: 000000014007B56D
ios_base::failbit set, xrefs: 000000014007BBC5
.cmd, xrefs: 000000014007B4E3
.vbs, xrefs: 000000014007B512
.exe, xrefs: 000000014007B485
.ps1, xrefs: 000000014007B4B4
ios_base::badbit set, xrefs: 000000014007BBBA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: .cmd$.exe$.exe$.ps1$.vbs$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open$runas
API String ID: 587946157-4093014531
Opcode ID: cf2e034ccb18eb849afbb46964981302c4c49454c863ee7058ab8314e97cd049
Instruction ID: 516ac978d7accc54b9b25feff891efd212d5c6658e4279db0455b6b17bdc8b69
Opcode Fuzzy Hash: cf2e034ccb18eb849afbb46964981302c4c49454c863ee7058ab8314e97cd049
Instruction Fuzzy Hash: 15228B72A10B8489EB11DF2AE8803DD67A1F788798F509216FB9D47AB9DF78C584C740

Function 00000001400AA3C8 Relevance: 20.4, APIs: 8, Strings: 3, Instructions: 1156COMMON

Download Yara Rule

Strings

s, xrefs: 00000001400AB3F1
s, xrefs: 00000001400AB4D2
W$, xrefs: 00000001400AA530

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: s$s$W$
API String ID: 3215553584-4165748295
Opcode ID: e553887dbc6f87d1f500918ea9ab67fa44c188f06d1d991fe1d00ce5ed50287a
Instruction ID: c6463bd72b9e455ee8cfff5301bfb85f092cacec8c11eb899980e5bdc04d5d87
Opcode Fuzzy Hash: e553887dbc6f87d1f500918ea9ab67fa44c188f06d1d991fe1d00ce5ed50287a
Instruction Fuzzy Hash: CEA2D172B142908BE7768F66D440BED77A1F3697C8F405215EB0A5BAE9D738DA80CF40

Function 000000014008A780 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 839stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008A430: RtlAcquirePebLock.NTDLL ref: 000000014008A473
Part of subcall function 000000014008A430: NtAllocateVirtualMemory.NTDLL ref: 000000014008A4AB
Part of subcall function 000000014008A430: lstrcpyW.KERNEL32 ref: 000000014008A50D
Part of subcall function 000000014008A430: lstrcatW.KERNEL32 ref: 000000014008A5C2

CoInitializeEx.OLE32 ref: 000000014008A7EA
lstrcpyW.KERNEL32 ref: 000000014008A9C9
lstrcatW.KERNEL32 ref: 000000014008ABCE
CoGetObject.OLE32 ref: 000000014008ABEC
lstrcpyW.KERNEL32 ref: 000000014008B269
lstrcatW.KERNEL32 ref: 000000014008B48C
CoGetObject.OLE32 ref: 000000014008B4AA
CoUninitialize.OLE32 ref: 000000014008B972

Strings

0, xrefs: 000000014008B0AA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy$Object$AcquireAllocateInitializeLockMemoryUninitializeVirtual
String ID: 0
API String ID: 3636535045-4108050209
Opcode ID: 0902a0343fdc6246b23ac9e8b2963860140ecb12f80d28b06803a63a8b2f31ad
Instruction ID: 94aefb8106585e90225e2d394f927a9f5a122261c2d94df2defa09acd7d2905b
Opcode Fuzzy Hash: 0902a0343fdc6246b23ac9e8b2963860140ecb12f80d28b06803a63a8b2f31ad
Instruction Fuzzy Hash: A5B2893662AF988AD7808F69E88165EB3B5F788B84F106215FFCD57B18EB38C1548740

Function 0000000140078440 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 00000001400784D8
BCryptSetProperty.BCRYPT ref: 0000000140078502
BCryptGenerateSymmetricKey.BCRYPT ref: 000000014007853B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140078661

Strings

ChainingModeGCM, xrefs: 00000001400784F0
ChainingMode, xrefs: 00000001400784F7
AES, xrefs: 00000001400784CD

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmConcurrency::cancel_current_taskGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 2222192889-1213888626
Opcode ID: 68eb506387ed3b354d136ad7ba04b3deb02d477db046592322b2241ce0ce9ea8
Instruction ID: 500f7495ef5fbc7585041441c081a52bd18aa39cbcf2a18a4df241488718b086
Opcode Fuzzy Hash: 68eb506387ed3b354d136ad7ba04b3deb02d477db046592322b2241ce0ce9ea8
Instruction Fuzzy Hash: 4461D172700B8486FB269F66E8407D96360E78DBE4F544725BFAC0BBE6DB38C5918700

Function 00000001400A8C04 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140099EEC: GetLastError.KERNEL32 ref: 0000000140099EFB
Part of subcall function 0000000140099EEC: FlsGetValue.KERNEL32 ref: 0000000140099F10
Part of subcall function 0000000140099EEC: SetLastError.KERNEL32 ref: 0000000140099F9B

TranslateName.LIBCMT ref: 00000001400A8C6E
TranslateName.LIBCMT ref: 00000001400A8CA9
GetACP.KERNEL32 ref: 00000001400A8CF0
IsValidCodePage.KERNEL32 ref: 00000001400A8D28
GetLocaleInfoW.KERNEL32 ref: 00000001400A8EE5

Strings

utf8, xrefs: 00000001400A8E0C

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 41343eb44851c0e8f8055f3926715ba520ae6846787d1c3cb08d70e80e5c003e
Instruction ID: 8349dc3027b5bf838b073474c1dbd6b6b718dd048b030d4317e83b54c1e9017f
Opcode Fuzzy Hash: 41343eb44851c0e8f8055f3926715ba520ae6846787d1c3cb08d70e80e5c003e
Instruction Fuzzy Hash: 3B916A3220178186FB76EF63D4513E963A5F7ACBC0F448221AF59477A6EB39C991CB10

Function 00000001400A964C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140099EEC: GetLastError.KERNEL32 ref: 0000000140099EFB
Part of subcall function 0000000140099EEC: FlsGetValue.KERNEL32 ref: 0000000140099F10
Part of subcall function 0000000140099EEC: SetLastError.KERNEL32 ref: 0000000140099F9B

Part of subcall function 0000000140099EEC: FlsSetValue.KERNEL32 ref: 0000000140099F31

GetUserDefaultLCID.KERNEL32 ref: 00000001400A97BC

Part of subcall function 0000000140099EEC: FlsSetValue.KERNEL32 ref: 0000000140099F5E
Part of subcall function 0000000140099EEC: FlsSetValue.KERNEL32 ref: 0000000140099F6F
Part of subcall function 0000000140099EEC: FlsSetValue.KERNEL32 ref: 0000000140099F80

EnumSystemLocalesW.KERNEL32 ref: 00000001400A97A3
ProcessCodePage.LIBCMT ref: 00000001400A97E6
IsValidCodePage.KERNEL32 ref: 00000001400A97F8
IsValidLocale.KERNEL32 ref: 00000001400A980E
GetLocaleInfoW.KERNEL32 ref: 00000001400A986A
GetLocaleInfoW.KERNEL32 ref: 00000001400A9886

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction ID: 7bd31282f7cea42ea7c1da278a9239bc261f869a6e572b599c6795b1d4aeb46e
Opcode Fuzzy Hash: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction Fuzzy Hash: 98716D327106508AFF52DFA2D8507ED33B4BB5CBC4F444626AF1957AA5EB38C885CB60

Function 00000001400AF2B8 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000001400AF2D4
RtlCaptureContext.KERNEL32 ref: 00000001400AF301
RtlLookupFunctionEntry.KERNEL32 ref: 00000001400AF31B
RtlVirtualUnwind.KERNEL32 ref: 00000001400AF35C
IsDebuggerPresent.KERNEL32 ref: 00000001400AF3B0
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400AF3CD
UnhandledExceptionFilter.KERNEL32 ref: 00000001400AF3D8

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 6458172863af31e20951f5f8dc1d486a5fb90de472876968ccfd77d10a4e7fe6
Instruction ID: 3eaaca77e3044fe114672d1de19e5a1b13903de1a1951330ac21f52225543186
Opcode Fuzzy Hash: 6458172863af31e20951f5f8dc1d486a5fb90de472876968ccfd77d10a4e7fe6
Instruction Fuzzy Hash: 81314376205B8086EB61DFA1E8803ED7374F799785F44412AEB4E47BA9DF38C649CB10

Function 00000001400702C0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 0000000140070474
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140070482
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140070705
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140070713

Strings

value, xrefs: 000000014007039A, 0000000140070633

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: 27440473cca6e6d5e75b1c57fb6d01a9dc46dae54849333bba3045cf441d84ae
Instruction ID: 8768895c1cc4e385d7258deaecffc048f3fa6b836c36682227525b43f7d5e3f0
Opcode Fuzzy Hash: 27440473cca6e6d5e75b1c57fb6d01a9dc46dae54849333bba3045cf441d84ae
Instruction Fuzzy Hash: 26027A72A14BC085EB52CBB6D4803EE6761E7897E4F105312FB9D13AEADE78C185C740

Function 00000001400070E0 Relevance: 8.7, Strings: 2, Instructions: 6192COMMON

Download Yara Rule

Strings

\| , xrefs: 000000014000C52D
0| , xrefs: 000000014000A83D

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: 0| $\|
API String ID: 0-2050777373
Opcode ID: c652eee9401b0b9c8a72cab74c88663788ec921b090d2d72647ffd252a966668
Instruction ID: 284daf97a714ec00d6c1b3d7287322477c9a22568bbb2eccfed623d737d0f244
Opcode Fuzzy Hash: c652eee9401b0b9c8a72cab74c88663788ec921b090d2d72647ffd252a966668
Instruction Fuzzy Hash: D904D032915FC489D7759F39EC853D977A8F79978CF106219EB8C1AB29EB3483A08305

Function 0000000140033A30 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 699COMMON

Download Yara Rule

Strings

content, xrefs: 0000000140034749
filename, xrefs: 0000000140034624
ios_base::badbit set, xrefs: 0000000140034A48, 0000000140034A8C

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmProvider$CloseGenerateOpenPropertySymmetric
String ID: content$filename$ios_base::badbit set
API String ID: 4024084497-879919306
Opcode ID: a08e05513e9dcbdee50e79aaa7ab7c7ce389d55d6263c953d6c602833b73f9ff
Instruction ID: cb0e6f9973c86f6bf7250db1a472c77474858e66594b2c0d71a0c6cf541f3bd0
Opcode Fuzzy Hash: a08e05513e9dcbdee50e79aaa7ab7c7ce389d55d6263c953d6c602833b73f9ff
Instruction Fuzzy Hash: BC82E132119BC595E6B29B15F8803DAB3A4F7C9780F505226EBCD43BA9EF78C594CB40

Function 00000001400398CD Relevance: 7.4, Strings: 5, Instructions: 1142COMMON

Download Yara Rule

Strings

content, xrefs: 0000000140039B9F, 0000000140039F27, 000000014003A844
status, xrefs: 000000014003AD67
filename, xrefs: 0000000140039B46, 0000000140039ECE, 000000014003A762
config, xrefs: 0000000140039CDD
users, xrefs: 000000014003A262

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: config$content$filename$status$users
API String ID: 0-2677590375
Opcode ID: 54d7cf4d1ff26a56666ae58331110585d2532bc34784e0666c6104c6faec9936
Instruction ID: 70acebbaa29ef06d302118f0e7c5040de1977182f0108b62d4f3236bad520155
Opcode Fuzzy Hash: 54d7cf4d1ff26a56666ae58331110585d2532bc34784e0666c6104c6faec9936
Instruction Fuzzy Hash: 57C23B72611BC589DB329F36D8903DD6361F789798F405216EB9D4BAAAEF38C684C340

Function 00000001400BD804 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400BD865
IsDebuggerPresent.KERNEL32 ref: 00000001400BD87D
OutputDebugStringW.KERNEL32 ref: 00000001400BD88E

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001400BD887

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 9ee4415ca50324c33a3d5a57874f9cc99ad178eb9645fb895110d63af1d9e2c1
Instruction ID: 156b50a59491b522b95133cc87a66bc9d4c90f318aca79d238700763b05f87d6
Opcode Fuzzy Hash: 9ee4415ca50324c33a3d5a57874f9cc99ad178eb9645fb895110d63af1d9e2c1
Instruction Fuzzy Hash: 5F115A32210B40A7F75A9B27E6943E933A1FB4C786F449125EB4983A70EF78D0B8C750

Function 00000001400AA44F Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

1#QNAN, xrefs: 00000001400AA4CB
1#INF, xrefs: 00000001400AA4DB
W$, xrefs: 00000001400AA530
1#IND, xrefs: 00000001400AA49F
1#SNAN, xrefs: 00000001400AA4C2

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$W$
API String ID: 3215553584-4287779413
Opcode ID: e914ef83dae64b72f50003c00f300a4745ddd1fbbdf1c541f482026cce5ebf66
Instruction ID: 4d4210e12aeee8e9f5e94711e4e8cd733dc4b39c4ec79285a3ee6235da0bb1d1
Opcode Fuzzy Hash: e914ef83dae64b72f50003c00f300a4745ddd1fbbdf1c541f482026cce5ebf66
Instruction Fuzzy Hash: 93711172B242414BE7228F3AD4447EDB3A1A7AD3D4F044725BB199BAE5DB3CD9818F00

Function 0000000140099038 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000014009908F
GetSystemInfo.KERNEL32 ref: 00000001400990A8
VirtualAlloc.KERNEL32 ref: 0000000140099116
VirtualProtect.KERNEL32 ref: 0000000140099131

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 6131e7ac5c004b666fb02de1823fa69e50ababb2f1d6eff18536aed83fe204ab
Instruction ID: 2006030ddcdfcd66f6cc748a20a45c9b0152b93ab0e2963e6fa905ca9af8d5f1
Opcode Fuzzy Hash: 6131e7ac5c004b666fb02de1823fa69e50ababb2f1d6eff18536aed83fe204ab
Instruction Fuzzy Hash: 84311632310A859EEB21DF36D8547D923A5F74CBC8F944125AA494BB68DF38D646C740

Function 00000001400A36A8 Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400A3ADE
_get_daylight.LIBCMT ref: 00000001400A3B79
_get_daylight.LIBCMT ref: 00000001400A3B92

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction ID: 4fad86f6d9d594f3f7bfe3a69b32873ea402f7dc870d61de0be478661a220898
Opcode Fuzzy Hash: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction Fuzzy Hash: 4D92E03660479087EB668F26D5503EE37A5F7A97C8F548215FB8907FA9DB38C990CB00

Function 00000001400BB170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00000001400BB196
FormatMessageA.KERNEL32 ref: 00000001400BB1C9

Strings

!x-sys-default-locale, xrefs: 00000001400BB189

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: e9313e5009c165bfc27bb14f9f63cf4f23352891cc12b2974ad7925588fd8796
Instruction ID: 3c92f31fd4891f13edf4352e9aacb77233aaeb4dc1a43732f9876fdfe1b241ce
Opcode Fuzzy Hash: e9313e5009c165bfc27bb14f9f63cf4f23352891cc12b2974ad7925588fd8796
Instruction Fuzzy Hash: 61018C72714B8083EB229F57B8647AA67A2F7887C5F848025EB5547AA8CB7CC606C700

Function 0000000140093150 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00000001400931B6
memcpy_s.LIBCPMT ref: 00000001400931E1

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: eb07a1fe8bff8429000d82fc6708e1dd14e73367c47fa60bb37c8b50ad77a0f3
Instruction ID: c4b91031d082ce85d0071a6aadb3f9c9206e35f87d0b51ac34ed733270a5ee20
Opcode Fuzzy Hash: eb07a1fe8bff8429000d82fc6708e1dd14e73367c47fa60bb37c8b50ad77a0f3
Instruction Fuzzy Hash: 70C1167231468487EB26CF1AE0447AEB7A1F39CBC4F459125EB5A43BA4DB39E901CF40

Function 00000001400A90C8 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140099EEC: GetLastError.KERNEL32 ref: 0000000140099EFB
Part of subcall function 0000000140099EEC: FlsGetValue.KERNEL32 ref: 0000000140099F10
Part of subcall function 0000000140099EEC: SetLastError.KERNEL32 ref: 0000000140099F9B

Part of subcall function 0000000140099EEC: FlsSetValue.KERNEL32 ref: 0000000140099F31

GetLocaleInfoW.KERNEL32 ref: 00000001400A9134

Part of subcall function 000000014008FBA0: _invalid_parameter_noinfo.LIBCMT ref: 000000014008FBBD

GetLocaleInfoW.KERNEL32 ref: 00000001400A917D

Part of subcall function 000000014008FBA0: _invalid_parameter_noinfo.LIBCMT ref: 000000014008FC16

GetLocaleInfoW.KERNEL32 ref: 00000001400A9245

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 8cdfe7f1b5fd9999da327c4f4609675d5690c7bae2d768c40d9912784c01383a
Instruction ID: 5aa2a0d1c8725bc235ac10c78bb89a9ef32e388b198462fc47fde5f37f4abd7d
Opcode Fuzzy Hash: 8cdfe7f1b5fd9999da327c4f4609675d5690c7bae2d768c40d9912784c01383a
Instruction Fuzzy Hash: 3761B2327006419AEB369FA6E5503ED73A1F7AC7C5F408325EB9A936E1DB38D591CB00

Function 00000001400763A6 Relevance: 4.4, Strings: 3, Instructions: 653COMMON

Download Yara Rule

Strings

port, xrefs: 000000014007705F
VODjwXPB9OY=, xrefs: 00000001400764D1
A+FNdHLOJ1pRh/WVc9ktcAFvacDJVLqxQG8rpGdP8jA=, xrefs: 0000000140076449

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: A+FNdHLOJ1pRh/WVc9ktcAFvacDJVLqxQG8rpGdP8jA=$VODjwXPB9OY=$port
API String ID: 0-1019441935
Opcode ID: 8f66b6d62beb6f09d62d7d6dbf9b58db0025d871cf1750c111c3c0708a68f516
Instruction ID: 4dfb1dc57a1fd22eb353bb1d19b8c791d4ee670b5e9c52e80c94e9e18fc8940c
Opcode Fuzzy Hash: 8f66b6d62beb6f09d62d7d6dbf9b58db0025d871cf1750c111c3c0708a68f516
Instruction Fuzzy Hash: 00725CB2629BC481EA61CB25E4803DEB3A5F799784F505216FBCD13B69EF38C195CB04

Function 000000014009F0D8 Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 000000014009F1E5
gfff, xrefs: 000000014009F262
-, xrefs: 000000014009F237

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: -$e+000$gfff
API String ID: 0-2620144452
Opcode ID: c7e19593615f5b016f33edca04d76eabfb088503034d3aa1c419b3a715446e94
Instruction ID: 5492b00e63e4a759c2255974a7dbe939dc967fd202c0368106c7b13000663624
Opcode Fuzzy Hash: c7e19593615f5b016f33edca04d76eabfb088503034d3aa1c419b3a715446e94
Instruction Fuzzy Hash: C45157767147C486E7268F36E9017A9BB91F348BD4F48D222EBA48BBE5CB79C445C700

Function 0000000140051AF0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000000140051D4E

Strings

parse_error, xrefs: 0000000140051B7E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __std_exception_copy
String ID: parse_error
API String ID: 592178966-3903021949
Opcode ID: ad87cc4d60bf1839f79d6691cffc511a26045bc40a0068f83915665ea0575411
Instruction ID: aea208091b2139d5ef5ad6cd72c7aa8334fc7178c06fd11ac6bd6b7309e161d7
Opcode Fuzzy Hash: ad87cc4d60bf1839f79d6691cffc511a26045bc40a0068f83915665ea0575411
Instruction Fuzzy Hash: D3A16C72B10B8089EB12CB66E8403ED6361E79D7D8F109711EF9C17AAAEB79C195C340

Function 000000014009E020 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 000000014009E094

Strings

GetLocaleInfoEx, xrefs: 000000014009E03C, 000000014009E04D

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 099550578a3a416ea78b7fa52ed638fc0f733537aeae7f3447c0ea0cdfd8c17a
Instruction ID: fb935f9c2ab31aa5e90575f03674e7bf2486afca9488b688b185203ea02026ac
Opcode Fuzzy Hash: 099550578a3a416ea78b7fa52ed638fc0f733537aeae7f3447c0ea0cdfd8c17a
Instruction Fuzzy Hash: 80016D35704A8086EB569B57F4407DAA761FB9CBC0F984426FF4913BBADE38C9428790

Function 000000014007C8E0 Relevance: 3.4, APIs: 2, Instructions: 391COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014007C943
ShellExecuteW.SHELL32 ref: 000000014007CF8A

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShell
String ID:
API String ID: 1703432166-0
Opcode ID: c6a892adb9f2c7a53ffca73c77edd6de038f5ee25c1187c1e65b41a7611e93fc
Instruction ID: 80faa615b7083efcf7ead6ba0d22ac00e946de582c303fac3d495860aaca8833
Opcode Fuzzy Hash: c6a892adb9f2c7a53ffca73c77edd6de038f5ee25c1187c1e65b41a7611e93fc
Instruction Fuzzy Hash: 41120772625FC48ADB518F2AE88079EB3A5F788794F506215FF9D57B68EB38C150C700

Function 0000000140078020 Relevance: 3.2, APIs: 2, Instructions: 248COMMON

Download Yara Rule

APIs

BCryptDecrypt.BCRYPT ref: 00000001400781E0

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CryptDecrypt
String ID:
API String ID: 2620231605-0
Opcode ID: 26be2a797bee493e3ad2b3ec1d6e55a9b045376b36a316b3c0ef38d451224750
Instruction ID: f7f5fd7e2185f9db639c3601158b2a71c7d2ea5875eccf7afe32dc6e5bc30884
Opcode Fuzzy Hash: 26be2a797bee493e3ad2b3ec1d6e55a9b045376b36a316b3c0ef38d451224750
Instruction Fuzzy Hash: 7FB16A72B48B809AEB61CB66E4503AD37B5F34978CF008216EF4817BA9DB79C599D340

Function 00000001400A14E4 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00000001400A1733
RaiseException.KERNEL32 ref: 00000001400A1744

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 7fa2203b5ce5cf4252278981a869295bf258e597fb1a3e488d01a74adacce12a
Instruction ID: ce3cffeaddecb57bd5aa004852814d0472f37fd234069d5227336842901e8d70
Opcode Fuzzy Hash: 7fa2203b5ce5cf4252278981a869295bf258e597fb1a3e488d01a74adacce12a
Instruction Fuzzy Hash: 82B1FD77610B848BEB56CF2AD44539C7BE0F398B98F198A15EB59877B4CB39C491CB00

Function 00000001400AC128 Relevance: 3.2, APIs: 2, Instructions: 208COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400AC1CD
_invalid_parameter_noinfo.LIBCMT ref: 00000001400AC38F

Part of subcall function 000000014009DA30: HeapAlloc.KERNEL32 ref: 000000014009DA85

Part of subcall function 000000014009D3C8: HeapFree.KERNEL32 ref: 000000014009D3DE
Part of subcall function 000000014009D3C8: GetLastError.KERNEL32 ref: 000000014009D3E8

Part of subcall function 00000001400AD894: _invalid_parameter_noinfo.LIBCMT ref: 00000001400AD8C7

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast_invalid_parameter_noinfo$AllocFree
String ID:
API String ID: 749460637-0
Opcode ID: d8e1cd86bca52aca31b961dedf47a361c02e0e7b30ea99c9b7b5689b5740aa97
Instruction ID: a0cc71780de81b772317908ff88ec895ebc3ca39ef53a965ae4e9244de46f0ae
Opcode Fuzzy Hash: d8e1cd86bca52aca31b961dedf47a361c02e0e7b30ea99c9b7b5689b5740aa97
Instruction Fuzzy Hash: 92612B3231478142EB669F67A810BEEB3D1B7DCBC0F454626BF49477A5EE38C8818B04

Function 0000000140086540 Relevance: 3.2, APIs: 2, Instructions: 187COMMON

Download Yara Rule

APIs

EnumDisplayDevicesW.USER32 ref: 0000000140086657
EnumDisplayDevicesW.USER32 ref: 00000001400866FB

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: DevicesDisplayEnum
String ID:
API String ID: 2211661463-0
Opcode ID: be865eeff10d166dc6103f7ebc966a270325f175452e2d6742989484897e37eb
Instruction ID: c35878f14fd4ace50e34acaeaa391da43f012d67d0405fd52747271c3f58506e
Opcode Fuzzy Hash: be865eeff10d166dc6103f7ebc966a270325f175452e2d6742989484897e37eb
Instruction Fuzzy Hash: 7E81AB33A14B8486E721CF26E84479E77A5F388798F515215EF9C17BA9EF78C681CB00

Function 0000000140037C20 Relevance: 3.1, APIs: 2, Instructions: 145encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0000000140037CAD
LocalFree.KERNEL32 ref: 0000000140037D3F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 3c7e3a5f91e0787d7aef85fb9fbb870f2ddb1716ff9627e8817b466d935b003e
Instruction ID: 2abf1cfd20ccaa1f4459daf1535a8339dcc2a4d059cef63e2abe5a905cf5929a
Opcode Fuzzy Hash: 3c7e3a5f91e0787d7aef85fb9fbb870f2ddb1716ff9627e8817b466d935b003e
Instruction Fuzzy Hash: 39616632B14B809AEB22DF76E4403DD73B1E75978CF008229EB8D17E9ADB78C5948354

Function 0000000140078B00 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

%, xrefs: 0000000140079164
+, xrefs: 000000014007917F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: d935b501a86e25e770b94aa30a9c59d0487e3c2e5745dda8bea2a916c409a5b2
Instruction ID: eab13b880da1562538d920804dc0bc5824c51871a597d9e6891ce7a925efbbfb
Opcode Fuzzy Hash: d935b501a86e25e770b94aa30a9c59d0487e3c2e5745dda8bea2a916c409a5b2
Instruction Fuzzy Hash: 87220233B14A848AFB26CB66E8503ED67A2E7597D8F444222EF4917BE9DB3CC445C350

Function 00000001400A46E4 Relevance: 2.9, Strings: 2, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

Strings

a/p, xrefs: 00000001400A49FE
am/pm, xrefs: 00000001400A4993

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: d4351435efb39c397654aac4863534f6b364d586ca34e5132229a126b3ed6b80
Instruction ID: 282e28f27db02fe1aa2beadafee1f9428e67b57fa7ec56f663f6cb2ab2f17a07
Opcode Fuzzy Hash: d4351435efb39c397654aac4863534f6b364d586ca34e5132229a126b3ed6b80
Instruction Fuzzy Hash: A0E1ED3A61468085EB668F2791547FE23A4FBB97C4F654302FB4A07FA4DB38C991CB11

Function 0000000140030A80 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

dumps, xrefs: 0000000140030AC8
emoji, xrefs: 0000000140030AF0

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: dumps$emoji
API String ID: 0-2873254224
Opcode ID: 29d82e5be1900c4638639d3fad370a31d01f233272ca9202bccfa1a5ba092702
Instruction ID: de1d32d498b1603b3283e1e425eee834114ee630492cf4a12f2e42a933c28d9c
Opcode Fuzzy Hash: 29d82e5be1900c4638639d3fad370a31d01f233272ca9202bccfa1a5ba092702
Instruction Fuzzy Hash: EEB1FA32929BC486E661CB25E88039AB7A4F79D788F116315FBCD53B59DB38D290CB00

Function 0000000140060AC0 Relevance: 2.0, APIs: 1, Instructions: 470COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140060B3B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 27d41652c40ed87ce4fa114c6ff06a1910c43d14d329ed21a01f6af745dd494c
Instruction ID: 3ea09d183f0e17230624784c327211b13ac9c21796c8a57e93de2c3ba86a3c65
Opcode Fuzzy Hash: 27d41652c40ed87ce4fa114c6ff06a1910c43d14d329ed21a01f6af745dd494c
Instruction Fuzzy Hash: 9F029B72711B8585EB11CFA6D8403EE63A2E748BD8F589622EF9C177A9DF34C495C380

Function 00000001400A6A68 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00000001400A6BB0

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: c9d984f8c8e7fc2b7c1079dab074fc7b6533c509f4afde3b9d187ac96ae98361
Instruction ID: a529babc2d6e8ba6f5e828ff2b22bd3019f6cc999c29afac651c8859d6e64573
Opcode Fuzzy Hash: c9d984f8c8e7fc2b7c1079dab074fc7b6533c509f4afde3b9d187ac96ae98361
Instruction Fuzzy Hash: 06128A32A08BC486E752CF3994457ED73A4F76D788F459316EB98876A2EB34D2C4CB00

Function 00000001400A71D8 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9691f68b8ced60ea536d3d4fed0bf4637ae7d36b6af0bd6711e03d238c4b0d36
Instruction ID: bb940daf5543c1f9a79ee97aaadeda5922451d7e61c1cde4f32fc15d938a2440
Opcode Fuzzy Hash: 9691f68b8ced60ea536d3d4fed0bf4637ae7d36b6af0bd6711e03d238c4b0d36
Instruction Fuzzy Hash: 4CE15036704B8086E721DB62E4417EE77A4F3A97C8F418626EF8D53B66EB78D245C700

Function 000000014005C0F0 Relevance: 1.7, APIs: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005C40B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 1e407e3260cd602129e73a8920fc50dba52ed2419a4ddb5ed1fd5ee7f82e9ea6
Instruction ID: 3367cc3590d20919b635da020e6a9838ec97f649690dd723de14dcaa02d71857
Opcode Fuzzy Hash: 1e407e3260cd602129e73a8920fc50dba52ed2419a4ddb5ed1fd5ee7f82e9ea6
Instruction Fuzzy Hash: 4DA17932715B9889EB02CBAAD4803EC37B0F359B88F548516EF8E57B69DB39C195C350

Function 000000014005BAB0 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005BDC4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: f220bb455e952660eb50b0f3c2abb647a728a01879e9c52efd7d9e7b062f7765
Instruction ID: e7e758f77b730658fa2183651e0bcda9456a6a66edef94dbe68809bbbcb91688
Opcode Fuzzy Hash: f220bb455e952660eb50b0f3c2abb647a728a01879e9c52efd7d9e7b062f7765
Instruction Fuzzy Hash: 4AA18932615B98C9EB01CB6AD4803EC3BB0F359B88F548516EF8D57769DB79D191C310

Function 000000014005B780 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005BAA9

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: c40fabb987ba8f5d9948d873c2a39370cc1a0d736e79898a84719bcece33613b
Instruction ID: fa854fabc025c76a206bed3a6f1c0845178dcea3b927583e1f4c4cda74e7147e
Opcode Fuzzy Hash: c40fabb987ba8f5d9948d873c2a39370cc1a0d736e79898a84719bcece33613b
Instruction Fuzzy Hash: 0FA18A32A15B98C9EB01CBAAD4803EC77B0F359B88F548516EF8D57B69DB39D095C300

Function 000000014005B480 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005B778

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: a601ca1276c21b47724a3241582a9fe8544e11206b351a3787c5851274bd72f5
Instruction ID: d35a4813ebe911b3f3d06accd323ebf2fe1b7b1083f9830a8cc86ee30199d110
Opcode Fuzzy Hash: a601ca1276c21b47724a3241582a9fe8544e11206b351a3787c5851274bd72f5
Instruction Fuzzy Hash: D2A17832715B98C9EB12CB6AD4803EC67B0F359B88F648416EF8D57BA5EB39D095C300

Function 000000014005C420 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005C718

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0891f831d966b78e4d03c4c0c353bb6b9c219881d799290f37f10cb6bdff4155
Instruction ID: 854463cf17bdd6b58da1f7546ddcdbe712e6ab292ec46fef6426cf4f233b86a0
Opcode Fuzzy Hash: 0891f831d966b78e4d03c4c0c353bb6b9c219881d799290f37f10cb6bdff4155
Instruction Fuzzy Hash: 4FA19C72721B9889EB02CBAAD4907EC37B0F359B88F549416EF8E57B65DB39C191C340

Function 00000001400A9310 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140099EEC: GetLastError.KERNEL32 ref: 0000000140099EFB
Part of subcall function 0000000140099EEC: FlsGetValue.KERNEL32 ref: 0000000140099F10
Part of subcall function 0000000140099EEC: SetLastError.KERNEL32 ref: 0000000140099F9B

Part of subcall function 0000000140099EEC: FlsSetValue.KERNEL32 ref: 0000000140099F31

GetLocaleInfoW.KERNEL32 ref: 00000001400A9378

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: d3f265d93177da05e9e3079d3dae9c7822de4fa7ba26229b0f968e85ede82faf
Instruction ID: a4ca8649259d75ba04167a6e259112765b42d28c6b5c3f01e538b8ae298da7d2
Opcode Fuzzy Hash: d3f265d93177da05e9e3079d3dae9c7822de4fa7ba26229b0f968e85ede82faf
Instruction Fuzzy Hash: 9431713270468186EF6ADB67E4513DE73A1F79C7C4F408225BB8A876A5DF38D691CB00

Function 0000000140026510 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

QN , xrefs: 0000000140026877

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: QN
API String ID: 0-3349929942
Opcode ID: 2db597cf25c999939cc3b819fed71c1e326e74b4ad1904394b10da5a057d82d8
Instruction ID: 4f3d7730723fade62404a711111efc0fb212951dde9af45be0f290200e40d11c
Opcode Fuzzy Hash: 2db597cf25c999939cc3b819fed71c1e326e74b4ad1904394b10da5a057d82d8
Instruction Fuzzy Hash: BB02D432915BC489E7628F39E8813D977A4F7AD788F105315EBCC6BB69EB74C2908740

Function 00000001400A9518 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140099EEC: GetLastError.KERNEL32 ref: 0000000140099EFB
Part of subcall function 0000000140099EEC: FlsGetValue.KERNEL32 ref: 0000000140099F10
Part of subcall function 0000000140099EEC: SetLastError.KERNEL32 ref: 0000000140099F9B

GetLocaleInfoW.KERNEL32 ref: 00000001400A954F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 8a450860209e15821de9f16c01ed0612a725223f9a4b72f88eafb3edea00904a
Instruction ID: a262072600bdabd7c0679cf6d9857ba45dbebfe756d1e7f3d1e5b58b444c0772
Opcode Fuzzy Hash: 8a450860209e15821de9f16c01ed0612a725223f9a4b72f88eafb3edea00904a
Instruction Fuzzy Hash: B1110A32B1495183E7778777A04179E62A1E76C7E4F548721F766477E4E636C8C18B00

Function 00000001400A9030 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140099EEC: GetLastError.KERNEL32 ref: 0000000140099EFB
Part of subcall function 0000000140099EEC: FlsGetValue.KERNEL32 ref: 0000000140099F10
Part of subcall function 0000000140099EEC: SetLastError.KERNEL32 ref: 0000000140099F9B

EnumSystemLocalesW.KERNEL32 ref: 00000001400A90AE

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 0c241287891358d20c5c1590d81d3974ae3e0a48a457f3cbc01ffa927b921278
Instruction ID: 6ae5d8b3708d6626887a23f7dbcc4907dd0624352dc3dc594ae9d114bdff575e
Opcode Fuzzy Hash: 0c241287891358d20c5c1590d81d3974ae3e0a48a457f3cbc01ffa927b921278
Instruction Fuzzy Hash: 4D01D472B042808AEB128FA7E440BD976A1E768BE4F458321E765473E9CB7588C1CB00

Function 00000001400783C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT ref: 00000001400783D9

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AlgorithmCloseCryptProvider
String ID:
API String ID: 3378198380-0
Opcode ID: 65ba22bee9f219e95710a788156d61738fbf3692be3f1b4b0f6c47b5bcc97fc1
Instruction ID: 46cd3e4ecf0bf3881bc472a46e152dc7da49fa282612d15e85770da4dfb79c46
Opcode Fuzzy Hash: 65ba22bee9f219e95710a788156d61738fbf3692be3f1b4b0f6c47b5bcc97fc1
Instruction Fuzzy Hash: E901AFB2700A8481EF299B22E4583AD2361E748FC9F944410EF4C076A9DFBDC8858380

Function 000000014009DAE0 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 000000014009DB2F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 17140df511fe09419b9fc83be2d2c34c2fb9fdba42dd4bc62a26aeb66c77a399
Instruction ID: de712f23fd13e8c4d5100720269348e510cf31078cf0cbf84c59e1ff34ea8840
Opcode Fuzzy Hash: 17140df511fe09419b9fc83be2d2c34c2fb9fdba42dd4bc62a26aeb66c77a399
Instruction Fuzzy Hash: D8F037B2304B4083E705DB2AF8907D973A2E79DBC0F549126EB4983379CE38C9A1C300

Function 0000000140096164 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 0000000140096346

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d56b133698f6429a15668cf33a50c2b0452d3e907794045ce25e286071ddca93
Instruction ID: 5985c16e8c7ee05d195531540a6d0c9df7fc115bbda66a9a795bdfadb218e8cb
Opcode Fuzzy Hash: d56b133698f6429a15668cf33a50c2b0452d3e907794045ce25e286071ddca93
Instruction Fuzzy Hash: CCB16D72204B848AEB66CF3AD0503AD3BB4F34DF88F684116EB8A473A5DB36C951C745

Function 00000001400283D0 Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60e777daeaea113d67f9bda991af49b1d649395350f0fb3635444d7023d5cec
Instruction ID: 11b7f8a1af85b3332e8e9ec774ad9aafbdc42df1fa3ac2c6f6e342fe0cafe42d
Opcode Fuzzy Hash: c60e777daeaea113d67f9bda991af49b1d649395350f0fb3635444d7023d5cec
Instruction Fuzzy Hash: 6AA27136615FD88AD7418FAAEC8129973B6F748BA8B101619EFCC57F18EBB4C164C740

Function 0000000140025520 Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2ab913b2a9c6339d4f929c5c8b4980086af9248ce40ff222e0927e827d1066
Instruction ID: beef6051a45bce1b1226442735bbb051317004564f72870a77c8f5785136e9d7
Opcode Fuzzy Hash: 5f2ab913b2a9c6339d4f929c5c8b4980086af9248ce40ff222e0927e827d1066
Instruction Fuzzy Hash: B092B432915BC88AD7718F25E8813DAB7A8F79D788F505315EACC16B19EB38D394C704

Function 0000000140062750 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction ID: 1d33147da6fef292ddb6e3dfce7d4f5fb46f2d394935471198070cec947208fe
Opcode Fuzzy Hash: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction Fuzzy Hash: 23C1D073725A9487EB56CF63D9447A9B762F3D8BE0F55D120EB4A07B98CA38C846C700

Function 0000000140006610 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1b1de879cd7e42ebf2539f4be516ae56f05d2d23899ff6a7557d8b7da4b024
Instruction ID: dae7188b58aa12ed6a721d46ece6e361adde1b5e6735e4fc9e27f5ef3900fc0f
Opcode Fuzzy Hash: 7f1b1de879cd7e42ebf2539f4be516ae56f05d2d23899ff6a7557d8b7da4b024
Instruction Fuzzy Hash: DD12C532619BC88AE7718F29E84139AB7A4F79D788F505315EBCC57B19EB38C254CB04

Function 0000000140075AB0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fb1097c6f2363caac24c1e5b45ae24c1a6ca50cb597d280e611698873f3a91
Instruction ID: 447b2b773560c4beaa4e67ccb80f79841d332dbb345d5add23c245d827f16df0
Opcode Fuzzy Hash: 34fb1097c6f2363caac24c1e5b45ae24c1a6ca50cb597d280e611698873f3a91
Instruction Fuzzy Hash: 38C1C4B3A146948BE355CF2DD401A5D7BA0F398B84F40A629EB56C3B01E778D9A5CF80

Function 000000014009A924 Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: a2379e98abae736fe33e8b4f9fedcc0141c51f1be06055089ccb01d873b85599
Instruction ID: 81f69587606c8d6d2920975f800801ad71658ffe686509f5888f9c5868ecb4cc
Opcode Fuzzy Hash: a2379e98abae736fe33e8b4f9fedcc0141c51f1be06055089ccb01d873b85599
Instruction Fuzzy Hash: BFC1C27630468086EB629B6799107EA37A1F79ABC8F404115FF8A8BBE5EF3CC545C740

Function 000000014009666C Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction ID: 3a803396a737e7e09fc37ffe396adff213b7af43b5bde25c7abf1f4bb1d46515
Opcode Fuzzy Hash: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction Fuzzy Hash: 21C1B832604A4486EB2ACF3BC5507AE37A0E749BCCF248215EF595B7E5DB3AC846D740

Function 00000001400A8674 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction ID: 219554444d32d0e4537ad1326bba152ffa5b4e92018c9ef7381ea1e0fb4a3fed
Opcode Fuzzy Hash: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction Fuzzy Hash: A8B1CE7261468482EB76DF22D4117EA33A0F3A8BC8F544326EF56836E9DF78C595CB40

Function 0000000140054720 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction ID: b20235c530f76bdce2ee3876d0716f49ee890a7daca5df87e94b1965b3cc0896
Opcode Fuzzy Hash: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction Fuzzy Hash: 8661B172714BC882DB21CB2AE4453EDA3A1F75D7D8F549211EB9D47BA8EB79D280C340

Function 000000014009F7E6 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd72482e03d17e0c267891211c2a08fffdf3b2de236a6c27577c882ac387638
Instruction ID: e2c9dfdefbb9d112d0675f23ad41226c04d3d172fc5c8865881e53bf685bf733
Opcode Fuzzy Hash: afd72482e03d17e0c267891211c2a08fffdf3b2de236a6c27577c882ac387638
Instruction Fuzzy Hash: 4B51D87261878086EBB5CB2BA4413BAA690F74E7D4F544225FB9E43BE9DB3CC5409B00

Function 000000014007E2F0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193cd117a2ef074e35f90b234510b644fd9885312343ba6f5a452ee1bb2d5318
Instruction ID: 6900e702a5941c77574d6443b4333d3e101c6be96e986b2f6778fca52dddf91e
Opcode Fuzzy Hash: 193cd117a2ef074e35f90b234510b644fd9885312343ba6f5a452ee1bb2d5318
Instruction Fuzzy Hash: D65114A3B0568443DB248B49F842786F7A5FB887C5F00A126EE8D57B68EB3CD5808700

Function 0000000140095394 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction ID: 99ad1355632ae1fd69952ade0b8b880547fb4266a066a210fa678cc3ea636d96
Opcode Fuzzy Hash: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction Fuzzy Hash: 6D519236624A5086E7669B2BD0543AC3BA1E35CFDEF258111EF89477B5C736C893C740

Function 0000000140095598 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction ID: 1a5f552ae487ea52881a4b4007291b9de41d1dc95850a7e92b2562e97dc69483
Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction Fuzzy Hash: 8B51C136224A50C6E7269B2BE0403A97BA1E34CFD9F684111EF49477B5D732CD43CB80

Function 000000014009579C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction ID: bf005c958525c39f9f98a73881a786616db269bc64c82d253bf23c47cd79f0e7
Opcode Fuzzy Hash: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction Fuzzy Hash: B3518036624A50C6E7269F2BC0503A93BA1E34DFA9F288111EF89577B4CB36CD43C780

Function 00000001400ABB90 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b072ca8265509c148f4541a461e9c46211a015d1fc6d543edcef350f88236ae8
Instruction ID: be5b461f7ee288339d9b570e5532cccf87377d3a7bff12cd17e984541771d2f7
Opcode Fuzzy Hash: b072ca8265509c148f4541a461e9c46211a015d1fc6d543edcef350f88236ae8
Instruction Fuzzy Hash: 7641B172310A5482EF19CF2BD9647A973A1B35CFD0F59A126EF0D87B68EE38C5818700

Function 00000001400D56F8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc33c3536161bc484423b10eb716127ab9544999afc424961bcb52a57f13683
Instruction ID: 3c7983b830f6b63e9c4c9675241669f5c13d1c0f71ef5918f77dcbd55cd6ecdd
Opcode Fuzzy Hash: 8bc33c3536161bc484423b10eb716127ab9544999afc424961bcb52a57f13683
Instruction Fuzzy Hash: 341196E750DBC04AE3536A764C6638C2FA0EF69B82F5E4047ABC1432E3D41988178771

Function 00000001400D5688 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b94530713a913939f12afd49bf3f989c7adb72ec33da958378e54e9ad9fd42b
Instruction ID: 393e66a248a7458cbd0769797b836fce9b5d88c46e865def206e129f9bba6403
Opcode Fuzzy Hash: 0b94530713a913939f12afd49bf3f989c7adb72ec33da958378e54e9ad9fd42b
Instruction Fuzzy Hash: 0FF0F99B40F7C04EE3430A3548B839C6F705B96A05F8E9187D7D1872A3D45D891A8722

Function 00000001400D52C0 Relevance: .0, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b547731a42b455a57830d377de8a2b20729656713097031710f37aee72577a8f
Instruction ID: 02345993a42a1f42dcd7f10c3dd684b024d0b45ed66d7960d40f0ea9c6da856b
Opcode Fuzzy Hash: b547731a42b455a57830d377de8a2b20729656713097031710f37aee72577a8f
Instruction Fuzzy Hash: 58D05B6760D7C04AF35359711862B9C1F909F97B55F4D404DBB81131D7A446480A8361

Function 00000001400D54A0 Relevance: .0, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f6fcd7a4cb68e4d74a8a051caf1e2187c963a0189974b76a7c08800c8ad9bf
Instruction ID: 0c38828c7b08ca5da40bb7a2481fa8f8af6693f67d55db55594c42c6799df067
Opcode Fuzzy Hash: 73f6fcd7a4cb68e4d74a8a051caf1e2187c963a0189974b76a7c08800c8ad9bf
Instruction Fuzzy Hash: 91D0A7A754AAD01AF25356E518537DC1F50DF9976FF484140BB82030D2545498874632

Function 00000001400D53B8 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb15a94e342ea890222ad9b7dd98e0be93d51a9a21dccf1d3e9e7f6fb6c6733
Instruction ID: 284bb321d2ffc78d06ddc6b5d1304e48de7d8bede21ee8d30e6dfabe55de0752
Opcode Fuzzy Hash: 4cb15a94e342ea890222ad9b7dd98e0be93d51a9a21dccf1d3e9e7f6fb6c6733
Instruction Fuzzy Hash: 8FA0228B00CAE00FC302C230382830E2F00A382208F0F808E83C022283E888C80A8300

Function 00000001400D52E0 Relevance: .0, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction ID: 038cc99b61fe1a58f79dc842e8ffe6d2d7c0790616e2838ebdfb41b054369831
Opcode Fuzzy Hash: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction Fuzzy Hash:

Function 00000001400D53A0 Relevance: .0, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5456c1017e62d8a62d24bd00efd00e1bd566c7298f1a5c9df3ac67b34942d268
Instruction ID: 1e5fe235f4e7dce37c692c762f7cd0d9374d6e3f00cd63ce27c0307ae74c01e5
Opcode Fuzzy Hash: 5456c1017e62d8a62d24bd00efd00e1bd566c7298f1a5c9df3ac67b34942d268
Instruction Fuzzy Hash:

Function 00000001400D5100 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b270ea0598b5b9cae66e2d5e117f87c25acc53f166e4edd8216a18fe85d6d1
Instruction ID: 92bca372c73bf05736e5418606bf4d9f339bc1d6ec97d0400b5c022073cefb92
Opcode Fuzzy Hash: 14b270ea0598b5b9cae66e2d5e117f87c25acc53f166e4edd8216a18fe85d6d1
Instruction Fuzzy Hash:

Function 00000001400AF498 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261fe6521d892542d75bab8d3c7c41f58578a8ad23917a021c9647768b8a2587
Instruction ID: 21f96874aefc6780fb4cc87987608e11b01dfb94e8bba2c9a4a0b173746f94ca
Opcode Fuzzy Hash: 261fe6521d892542d75bab8d3c7c41f58578a8ad23917a021c9647768b8a2587
Instruction Fuzzy Hash: 2AA00231144C01E4E606AB82E8513B52330F76D3D3F800111F609434709B38C486D724

Function 0000000140074A30 Relevance: 28.7, APIs: 19, Instructions: 177processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000000140074A86
Process32FirstW.KERNEL32 ref: 0000000140074ACA
Process32NextW.KERNEL32 ref: 0000000140074ADF
OpenProcess.KERNEL32 ref: 0000000140074B1B
OpenProcessToken.ADVAPI32 ref: 0000000140074B42
GetTokenInformation.ADVAPI32 ref: 0000000140074B6E
GetLastError.KERNEL32 ref: 0000000140074B7C
GetTokenInformation.ADVAPI32 ref: 0000000140074BBC
ConvertSidToStringSidA.ADVAPI32 ref: 0000000140074BD3
CloseHandle.KERNEL32 ref: 0000000140074C46
CloseHandle.KERNEL32 ref: 0000000140074C51
CloseHandle.KERNEL32 ref: 0000000140074CB6
Process32NextW.KERNEL32 ref: 0000000140074CC3
CloseHandle.KERNEL32 ref: 0000000140074CE9
CloseHandle.KERNEL32 ref: 0000000140074CF2
CloseHandle.KERNEL32 ref: 0000000140074D07

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32Token$InformationNextOpenProcess$ConvertCreateErrorFirstLastSnapshotStringToolhelp32
String ID:
API String ID: 3925315391-0
Opcode ID: b7cdb7a7c6588e50aaab37c0fa57b8db1cd1071ffc72c1321cf755afb8342ce3
Instruction ID: 68b79e17468d5ffc7bdb11eb9da1f300de3bde19eb7119fa88f07868e24a99b8
Opcode Fuzzy Hash: b7cdb7a7c6588e50aaab37c0fa57b8db1cd1071ffc72c1321cf755afb8342ce3
Instruction Fuzzy Hash: E1815636215B8082EB52DB27E8507AEA7A4FB8CBD5F404115EF8947BA8DF7CC506CB00

Function 0000000140057C00 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 202COMMON

Download Yara Rule

Strings

unexpected '}', xrefs: 0000000140059413
word wasnt properly ended, xrefs: 0000000140059365, 00000001400593EC
object is not closed with '}', xrefs: 000000014005920F
quote was opened but not closed., xrefs: 0000000140059236, 00000001400592AB
key declared, but no value, xrefs: 000000014005925D, 0000000140059284, 0000000140059398
unexpected key without object, xrefs: 00000001400592EA
No closed word, xrefs: 0000000140059317, 000000014005933E
key opened, but never closed, xrefs: 00000001400593BF

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: No closed word$key declared, but no value$key opened, but never closed$object is not closed with '}'$quote was opened but not closed.$unexpected '}'$unexpected key without object$word wasnt properly ended
API String ID: 0-2700065129
Opcode ID: ad38a0761d6ba5948b7696d48ceb3f0e7c48dfa30fde10419c371ab7bc1f8fca
Instruction ID: 6fab13cdf4c8ee5aec4ee7cf0a03f33fee243f48159f504b0079cc5bb13959cb
Opcode Fuzzy Hash: ad38a0761d6ba5948b7696d48ceb3f0e7c48dfa30fde10419c371ab7bc1f8fca
Instruction Fuzzy Hash: A3B1D972111B8698EB72EF22DC817D83364E758388F809616E74D4B9BAEF74C799C700

Function 0000000140090254 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 407COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140090283
_invalid_parameter_noinfo.LIBCMT ref: 0000000140090353

Strings

0, xrefs: 000000014009037D
0, xrefs: 0000000140090325
0, xrefs: 000000014009038F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0
API String ID: 3215553584-3137946472
Opcode ID: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction ID: 3213ef2b50ecd163c7d14e926568a975ace41416199d29b45c1ca283887101a0
Opcode Fuzzy Hash: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction Fuzzy Hash: BDE1D532506A858EF7629F2AC5903ED3BE5E75ABC4F558012FB84477F6C739886AC700

Function 0000000140089B70 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140089BA1
GetProcessId.KERNEL32 ref: 0000000140089BAA
RmStartSession.RSTRTMGR ref: 0000000140089BCA
RmRegisterResources.RSTRTMGR ref: 0000000140089BF5
RmGetList.RSTRTMGR ref: 0000000140089C2E
RmGetList.RSTRTMGR ref: 0000000140089C90
RmEndSession.RSTRTMGR ref: 0000000140089CCB
RmEndSession.RSTRTMGR ref: 0000000140089D02
RmEndSession.RSTRTMGR ref: 0000000140089D17

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Session$ListProcess$CurrentRegisterResourcesStart
String ID:
API String ID: 3299295986-0
Opcode ID: 4ddc3a5b4f8c6342cd3dcf0c0e78daa6693b2bbe667ef408570da53bc05ca548
Instruction ID: 4c793500f816d282acb2aabb8fc29ea38f6b32d5493fd496aff2a0b1b3cfbeb8
Opcode Fuzzy Hash: 4ddc3a5b4f8c6342cd3dcf0c0e78daa6693b2bbe667ef408570da53bc05ca548
Instruction Fuzzy Hash: 96512A32B10A518AFB11DFA6E4507DD33B1B78C789F54412AEF0A67BA8DE38C906C750

Function 00000001400B1A44 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000001400B1AA1

Part of subcall function 00000001400B3E5C: __GetUnwindTryBlock.LIBCMT ref: 00000001400B3E9F
Part of subcall function 00000001400B3E5C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000001400B3EC4

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000001400B1B79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000001400B1DC7
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400B1ED4

Strings

csm, xrefs: 00000001400B1ABB
csm, xrefs: 00000001400B1B9C
csm, xrefs: 00000001400B1B22

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 93094d183b60bcbe653e0156645cfa8f2fca202be6890cc91cb0939cc453230d
Instruction ID: 3a13c9879769dac578afa29d7b485a497df9fff387a412afdd0e51ddf3691885
Opcode Fuzzy Hash: 93094d183b60bcbe653e0156645cfa8f2fca202be6890cc91cb0939cc453230d
Instruction Fuzzy Hash: 2FD15A32600B408AEB62DFA694803ED77B0F7997D8F504215FF8957BAADB34D491CB40

Function 000000014009DB5C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000000014009DCD8
GetProcAddress.KERNEL32 ref: 000000014009DCE4

Strings

api-ms-, xrefs: 000000014009DC22
ext-ms-, xrefs: 000000014009DC35

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: ca7c09baf792878f96d911292d21648074434898d998409f668d6f16be7d0add
Instruction ID: f73114aa169cb76ed7bb151e5edde51fcbf1469d6d678e3e652b687f2da571e4
Opcode Fuzzy Hash: ca7c09baf792878f96d911292d21648074434898d998409f668d6f16be7d0add
Instruction Fuzzy Hash: 6341AE72351A1182FA27DB27A8147DA33D5BB4DBE1F494626BF0D877A8EE78C446C340

Function 000000014007B2D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 000000014007B33B
InternetOpenUrlA.WININET ref: 000000014007B370
InternetReadFile.WININET ref: 000000014007B391
InternetReadFile.WININET ref: 000000014007B3CF
InternetCloseHandle.WININET ref: 000000014007B3DC
InternetCloseHandle.WININET ref: 000000014007B3E5

Strings

File Downloader, xrefs: 000000014007B334

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandleOpenRead
String ID: File Downloader
API String ID: 4038090926-3631955488
Opcode ID: 08390c31da5b4fc07b5c09408d7811b7848834d5846b825d266ba2205e00005c
Instruction ID: eb27d1ea62c1c53e703129baddda4c43dac775c7680c307a68408eb1a4e91a40
Opcode Fuzzy Hash: 08390c31da5b4fc07b5c09408d7811b7848834d5846b825d266ba2205e00005c
Instruction Fuzzy Hash: F5315B32214B8486EB229F26F85079EB3A1FB89BC4F545116FF8943B68DF7CC5958B00

Function 00000001400938F0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140093933
_invalid_parameter_noinfo.LIBCMT ref: 0000000140093D20
_invalid_parameter_noinfo.LIBCMT ref: 0000000140093FBC

Strings

f, xrefs: 0000000140093A55
p, xrefs: 0000000140093A5D
p, xrefs: 00000001400939E5

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction ID: 8ef2ce2b4433a5174d3e3dbe1a20b96cbda26b55fe283d1aa6820eb14bd99968
Opcode Fuzzy Hash: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction Fuzzy Hash: 8912E572A0864186FB229B16E0687FA76A1F7887D4FC84115F7D6876F4D738C980CF10

Function 00000001400B43CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000001400B4451
GetLastError.KERNEL32 ref: 00000001400B445F
LoadLibraryExW.KERNEL32 ref: 00000001400B4489
FreeLibrary.KERNEL32 ref: 00000001400B44F7
GetProcAddress.KERNEL32 ref: 00000001400B4503

Strings

api-ms-, xrefs: 00000001400B4471

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 081807f0f237e99e654a6d52eb3ba83cc0c1c8883019cc9f4ec60aedd52be443
Instruction ID: d2d2b12301ccee3db6092258b470e539f8c69494279eba12926322fb6e990f4b
Opcode Fuzzy Hash: 081807f0f237e99e654a6d52eb3ba83cc0c1c8883019cc9f4ec60aedd52be443
Instruction Fuzzy Hash: C2315831212A9092EF23DF97A8007A963E4BB4CBE5F498625EF191B7A4EF38C5558310

Function 00000001400AC8CC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000001400AC8FD
GetLastError.KERNEL32 ref: 00000001400AC909
CloseHandle.KERNEL32 ref: 00000001400AC921
CreateFileW.KERNEL32 ref: 00000001400AC94C
WriteConsoleW.KERNEL32 ref: 00000001400AC96B

Strings

CONOUT$, xrefs: 00000001400AC92D

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 53dac6272d403f79ff27e653aa55d51cb6535fcae6368453f164039c5e4e95e8
Instruction ID: f15e57fd0cbad3ac117247ebeab47ab85c390eb31785d7c6841302a8b2ce117c
Opcode Fuzzy Hash: 53dac6272d403f79ff27e653aa55d51cb6535fcae6368453f164039c5e4e95e8
Instruction Fuzzy Hash: A111BC35324B8086F7529B07E85479AA3A4FB9CFE9F040224EF5987BB4CF78C8858740

Function 00000001400BD42C Relevance: 9.2, APIs: 6, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00000001400BD4D9
MultiByteToWideChar.KERNEL32 ref: 00000001400BD575
MultiByteToWideChar.KERNEL32 ref: 00000001400BD61E
MultiByteToWideChar.KERNEL32 ref: 00000001400BD648
MultiByteToWideChar.KERNEL32 ref: 00000001400BD6F0
CompareStringEx.KERNEL32 ref: 00000001400BD73D

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 26eb7e015d5d110b74ff0d84bcaa31491d724dbf353ec7a17117fafe3eaea0ab
Instruction ID: f3d77999423992fadc64f97f79b2d010f51e5ad261fed549977a36ea05826e58
Opcode Fuzzy Hash: 26eb7e015d5d110b74ff0d84bcaa31491d724dbf353ec7a17117fafe3eaea0ab
Instruction Fuzzy Hash: 44A1AD72645F8086EB339FA694507EDB7A1E749BE8F484622FB59077E5FB38C8448700

Function 00000001400BD0CC Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400BD13C
MultiByteToWideChar.KERNEL32 ref: 00000001400BD1DA
LCMapStringEx.KERNEL32 ref: 00000001400BD243
LCMapStringEx.KERNEL32 ref: 00000001400BD295
LCMapStringEx.KERNEL32 ref: 00000001400BD33A
WideCharToMultiByte.KERNEL32 ref: 00000001400BD394

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 7d9f455a94f84a05f587d57d339c879795f99f0f1217d4298ff39db3fa6ba98e
Instruction ID: 6204e7013e5cadcd1b8727ff30a8d0596e87d4a89eb5434169e5949405e06915
Opcode Fuzzy Hash: 7d9f455a94f84a05f587d57d339c879795f99f0f1217d4298ff39db3fa6ba98e
Instruction Fuzzy Hash: EE81A572200B8086EB629F66E8407DDB3F5FB58BE8F144616FB5947BE9EB38C5418700

Function 0000000140090840 Relevance: 9.2, APIs: 6, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400908B2
_invalid_parameter_noinfo.LIBCMT ref: 00000001400908E3
_invalid_parameter_noinfo.LIBCMT ref: 0000000140090923
_invalid_parameter_noinfo.LIBCMT ref: 0000000140090965
_invalid_parameter_noinfo.LIBCMT ref: 000000014009099A
_invalid_parameter_noinfo.LIBCMT ref: 0000000140090A17

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 619b2885e3fd1682f6a864358b33df5452abb606e6c6f730ccce56a3fdc98189
Instruction ID: 7b56d8f3e7d84661432cdb72d15b1222586d501d367448fe89141b583d9e4598
Opcode Fuzzy Hash: 619b2885e3fd1682f6a864358b33df5452abb606e6c6f730ccce56a3fdc98189
Instruction Fuzzy Hash: D0517633605B8489FB639F26D0603ED37A1A75EFC4F998052E7D8473A6CA3D8846C752

Function 000000014009A064 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014009A073
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140094E71,?,?,?,?,000000014009D3FC), ref: 000000014009A0A9
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140094E71,?,?,?,?,000000014009D3FC), ref: 000000014009A0D6
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140094E71,?,?,?,?,000000014009D3FC), ref: 000000014009A0E7
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140094E71,?,?,?,?,000000014009D3FC), ref: 000000014009A0F8
SetLastError.KERNEL32 ref: 000000014009A113

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6edccbe99d42b8d8ba81787b9913857dbdf264f8e30533449deede82163d0890
Instruction ID: eeff4923b96ffbeaac783fc6dd0fa1487e36d7b8cfc170d4ae8f5156a2ba4d41
Opcode Fuzzy Hash: 6edccbe99d42b8d8ba81787b9913857dbdf264f8e30533449deede82163d0890
Instruction Fuzzy Hash: 98111C3034568042FA5BA7336A623FD62925B8D7F0F544729BB3B07BF6DE39D4419241

Function 000000014002DCE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 281COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 000000014002DD3F

Part of subcall function 00000001400BB260: AreFileApisANSI.KERNEL32 ref: 00000001400BB272

__std_exception_destroy.LIBVCRUNTIME ref: 000000014002DFE7
__std_exception_destroy.LIBVCRUNTIME ref: 000000014002E0A1

Strings

", ", xrefs: 000000014002DE2D
: ", xrefs: 000000014002DDFA

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy$ApisFile__std_fs_code_page
String ID: ", "$: "
API String ID: 741338541-747220369
Opcode ID: 2c062e25483d2eca155dcbad927ea592646f55c0d7d00b677cf4262805b9b337
Instruction ID: a0ebd77add875ad15dad381f545e36b6a5c96292ae31a13c06a59994470402d1
Opcode Fuzzy Hash: 2c062e25483d2eca155dcbad927ea592646f55c0d7d00b677cf4262805b9b337
Instruction Fuzzy Hash: 2DB19C72700A8086EB05EF66E4943ED3361E758BC8F508526EF5D17BAADF38C895C384

Function 00000001400B1314 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00000001400B1437
__AdjustPointer.LIBCMT ref: 00000001400B1482

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3df3621708c9e1d29be45954cd8076bff015c977087edb3d15e3ad851c434b44
Instruction ID: 41cb3884d18e3d7aac6dd593d0dde361e415a54a90db4f7c0cd28a3af3c10cc3
Opcode Fuzzy Hash: 3df3621708c9e1d29be45954cd8076bff015c977087edb3d15e3ad851c434b44
Instruction Fuzzy Hash: 05B16F32206E8081EA67DF97A5447E967B4EBDCBC4F998525BF4907BADDB34C4428700

Function 00000001400A11C8 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000001400A1207
_set_statfp.LIBCMT ref: 00000001400A1225
_set_statfp.LIBCMT ref: 00000001400A124E
_set_statfp.LIBCMT ref: 00000001400A148A

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: c9768c6bae9d0a1841153f261c566ca82662720961c70f1a47209fa097809d0f
Instruction ID: 0afbddc13addd556ac1af8f9b4ec179a3aecd6ac334101865df0461df1719237
Opcode Fuzzy Hash: c9768c6bae9d0a1841153f261c566ca82662720961c70f1a47209fa097809d0f
Instruction Fuzzy Hash: 7981B232514A444AF7738B3BB4503EAA6A5AFAE7D8F144301BF96279F5D738C9D18E00

Function 000000014009A12C Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000000140097EF7,?,?,00000000,0000000140098192,?,?,?,?,-2723E8D8DEBC5093,000000014009811E), ref: 000000014009A14B
FlsSetValue.KERNEL32(?,?,?,0000000140097EF7,?,?,00000000,0000000140098192,?,?,?,?,-2723E8D8DEBC5093,000000014009811E), ref: 000000014009A16A
FlsSetValue.KERNEL32(?,?,?,0000000140097EF7,?,?,00000000,0000000140098192,?,?,?,?,-2723E8D8DEBC5093,000000014009811E), ref: 000000014009A192
FlsSetValue.KERNEL32(?,?,?,0000000140097EF7,?,?,00000000,0000000140098192,?,?,?,?,-2723E8D8DEBC5093,000000014009811E), ref: 000000014009A1A3
FlsSetValue.KERNEL32(?,?,?,0000000140097EF7,?,?,00000000,0000000140098192,?,?,?,?,-2723E8D8DEBC5093,000000014009811E), ref: 000000014009A1B4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b771374d0113ee62c52f9551d0bcc9a33419d028b1b5e3e085ec0dffb0dbca1e
Instruction ID: 0eecc3e7c070fbf0bcafe1dd48680c6a3d0408fcd47933c8e5bef9cf617aa8ce
Opcode Fuzzy Hash: b771374d0113ee62c52f9551d0bcc9a33419d028b1b5e3e085ec0dffb0dbca1e
Instruction Fuzzy Hash: 58118F3034524042FA5B93376A623FA62925B8D7F0F444325BB3E47BF6DE3CC4018240

Function 0000000140049990 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140049A00
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140049A48
_Getcoll.LIBCPMT ref: 0000000140049A7C

Strings

bad locale name, xrefs: 0000000140049B81

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$GetcollLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1287851536-1405518554
Opcode ID: 78d073a28301f33edaeebb1b7eabe76fb7f7027334c2f86e0179706359c2cb8b
Instruction ID: 9a2edcff680919b35428e1209fb65e27f44ba661b4d9c7d5374eb54866a69a42
Opcode Fuzzy Hash: 78d073a28301f33edaeebb1b7eabe76fb7f7027334c2f86e0179706359c2cb8b
Instruction Fuzzy Hash: 6E917A72B01B808AEB16DFA6E4903DD7362EB48BC8F044535EF5D57AAADF38C4558384

Function 00000001400BF0DC Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BF3BB

Part of subcall function 00000001400AC4AC: _invalid_parameter_noinfo.LIBCMT ref: 00000001400AC4C9

Strings

UTF-8, xrefs: 00000001400BF33A
UTF-16LEUNICODE, xrefs: 00000001400BF359
ccs, xrefs: 00000001400BF2F6

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: a61b9dafeebeef71c778538e02d1dd93d241f4be75a88b4b5df5efb2b9ec5def
Instruction ID: 8cb6542061ef7d37a80eb2345665ae9640161e3f439a4ea34f0695e2e3c1826a
Opcode Fuzzy Hash: a61b9dafeebeef71c778538e02d1dd93d241f4be75a88b4b5df5efb2b9ec5def
Instruction Fuzzy Hash: 02818A7A604A4085FBAB9FABC1503F93BF0E319BC8F958405EB02972B5D339CA41A741

Function 00000001400B2688 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000001400B26F8
_CallSETranslator.LIBVCRUNTIME ref: 00000001400B2743

Strings

MOC, xrefs: 00000001400B270C
RCC, xrefs: 00000001400B2714

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 9c00d47a1c5516f7bd2be0d164cd20731702100fa42f3d3dd2f3d47e27ffce20
Instruction ID: 0bca953fdf33b9ad83e23bb3243ae714b6286ddf27e3bb4087caff64ac5815b8
Opcode Fuzzy Hash: 9c00d47a1c5516f7bd2be0d164cd20731702100fa42f3d3dd2f3d47e27ffce20
Instruction Fuzzy Hash: 5D916A73604B808AE752DFA6E8803DD7BB0F7497C8F14411AEB8957B69DB38C195CB00

Function 00000001400B2418 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000001400B2477
_CallSETranslator.LIBVCRUNTIME ref: 00000001400B24C3

Strings

MOC, xrefs: 00000001400B248B
RCC, xrefs: 00000001400B2493

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: a60986bc9adbf2c75a94aae45f25198f4bb40c34f31260bb5ef7955aadcba44f
Instruction ID: f5b259ee515619902a5d128d7cb9eaef2be3e26f63f7a3474eb2bc1e490a6338
Opcode Fuzzy Hash: a60986bc9adbf2c75a94aae45f25198f4bb40c34f31260bb5ef7955aadcba44f
Instruction Fuzzy Hash: 9F616932508BC486EB72DF66E4407DAB7A0F799BD8F044215FB9807BA9DB78C190CB00

Function 00000001400B2C08 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400B2C30
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000001400B2D18

Strings

csm, xrefs: 00000001400B2D6A
csm, xrefs: 00000001400B2C52

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1075979170a2e9a18e477d88d2de6d235b634f407b84dd7ceece1c898f0d7b57
Instruction ID: 54ecd6d1438185d50b972ba826f5ce2af5ba67c0f274a1b1d786e80e0e72cb3f
Opcode Fuzzy Hash: 1075979170a2e9a18e477d88d2de6d235b634f407b84dd7ceece1c898f0d7b57
Instruction Fuzzy Hash: 75516D32200B808AEB769FA794443D977B0F759BD5F188226EB9857BE5CB38D461CB01

Function 000000014002CA60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002CACF
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014002CB17
_Getctype.LIBCPMT ref: 000000014002CB55

Strings

bad locale name, xrefs: 000000014002CC0E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1612978173-1405518554
Opcode ID: 026e47313af15043398a11391e273b1130a8867416237ca342cef0d4e4808d66
Instruction ID: 207d3642c3b50f17bf177e439d3fe9f40958c29cbdde464f884d1d612c46b59d
Opcode Fuzzy Hash: 026e47313af15043398a11391e273b1130a8867416237ca342cef0d4e4808d66
Instruction Fuzzy Hash: 71516836711B408AEB16DFB2E4917EC33B5EB48788F044429EF8927AA6DF34C526D344

Function 00000001400BB210 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400BB226
GetProcAddress.KERNEL32 ref: 00000001400BB236

Strings

GetTempPath2W, xrefs: 00000001400BB22C
kernel32.dll, xrefs: 00000001400BB21F

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetTempPath2W$kernel32.dll
API String ID: 1646373207-1846531799
Opcode ID: 85c4015c5df5ee79752990f65a767554006cfd6127e60443cb10f02faa6b2ab0
Instruction ID: 8948df6339a09da6af2494f7b4aca6647369a72829e4e3643078e2be1e3806b8
Opcode Fuzzy Hash: 85c4015c5df5ee79752990f65a767554006cfd6127e60443cb10f02faa6b2ab0
Instruction Fuzzy Hash: 25E01231300A0582EE06AB12F9887AD6321FF8CBC2F985025EF0E07334EE3CC44A8710

Function 0000000140075180 Relevance: 6.5, APIs: 4, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140074A30: CreateToolhelp32Snapshot.KERNEL32 ref: 0000000140074A86
Part of subcall function 0000000140074A30: Process32FirstW.KERNEL32 ref: 0000000140074ACA
Part of subcall function 0000000140074A30: Process32NextW.KERNEL32 ref: 0000000140074ADF
Part of subcall function 0000000140074A30: OpenProcess.KERNEL32 ref: 0000000140074B1B
Part of subcall function 0000000140074A30: OpenProcessToken.ADVAPI32 ref: 0000000140074B42
Part of subcall function 0000000140074A30: CloseHandle.KERNEL32 ref: 0000000140074CB6
Part of subcall function 0000000140074A30: Process32NextW.KERNEL32 ref: 0000000140074CC3
Part of subcall function 0000000140074A30: CloseHandle.KERNEL32 ref: 0000000140074D07

ImpersonateLoggedOnUser.ADVAPI32 ref: 00000001400751DD
ImpersonateLoggedOnUser.ADVAPI32 ref: 00000001400756C8
RevertToSelf.ADVAPI32 ref: 00000001400756E6

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleImpersonateLoggedNextOpenProcessUser$CreateFirstRevertSelfSnapshotTokenToolhelp32
String ID:
API String ID: 1562318730-0
Opcode ID: 46975101b5bb912cb8c18d6f0a7b35585e18786a4ae977b998627e5ccdad2a74
Instruction ID: ad7d59218a4d2420d6ee86cb7ed838c25e870fc05f373488bbf4d43a86272400
Opcode Fuzzy Hash: 46975101b5bb912cb8c18d6f0a7b35585e18786a4ae977b998627e5ccdad2a74
Instruction Fuzzy Hash: A5229B72B14B8086FB02AB6AD4443DD2761E7897E8F505615FBAD17AFADFB8C481C700

Function 000000014009C578 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000014009C5F7
WriteFile.KERNEL32 ref: 000000014009C8BF
WriteFile.KERNEL32 ref: 000000014009C905
GetLastError.KERNEL32 ref: 000000014009C9BB

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction ID: 83f89cefb2d932c64b68d175d5ea0fe2b41a0143d6f3692f9e6e20abd60b4dae
Opcode Fuzzy Hash: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction Fuzzy Hash: 4BD1CF72B24A808AE712CF6AD444BDC37B1F758BD8F444216EF9E97BA9DA34C446C740

Function 000000014008A260 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000000014008A280
FreeEnvironmentStringsW.KERNEL32 ref: 000000014008A37B
RtlInitUnicodeString.NTDLL ref: 000000014008A3EE
RtlInitUnicodeString.NTDLL ref: 000000014008A3FB

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: EnvironmentInitStringStringsUnicode$Free
String ID:
API String ID: 2488768755-0
Opcode ID: efafd639e9174d00bc146c1560cf1528ed8c856197ad0565266ce7339dd8c3cd
Instruction ID: 87069c6435efe869352e4d7ec8a553a9e77cee2d25ee79a4713f5d8602df03e1
Opcode Fuzzy Hash: efafd639e9174d00bc146c1560cf1528ed8c856197ad0565266ce7339dd8c3cd
Instruction Fuzzy Hash: EF518C72A18B80C2EB129F1AE44039D7760FB99BD4F589215EB9903BA5DF7CD2E1C704

Function 0000000140042C80 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400BC5EC: std::_Lockit::_Lockit.LIBCPMT ref: 00000001400BC609
Part of subcall function 00000001400BC5EC: std::locale::_Setgloballocale.LIBCPMT ref: 00000001400BC62C

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140042CC1
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140042CE6
std::_Facet_Register.LIBCPMT ref: 0000000140042D92
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140042DF4

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_RegisterSetgloballocalestd::locale::_
String ID:
API String ID: 3698853521-0
Opcode ID: 3d7667ad2e0602b66abf42365a29bfb2d0932d23135c08196bf5434fa8e63462
Instruction ID: be7052521538f46ca31769c5e8ad34a96fa69d07cef5d8ccdfe7c05edfc6c238
Opcode Fuzzy Hash: 3d7667ad2e0602b66abf42365a29bfb2d0932d23135c08196bf5434fa8e63462
Instruction Fuzzy Hash: 4E415A32324A8082EA66DF16E4507D973A4F78CBD4F9A5621FB99477B5DF38C482C704

Function 00000001400906FC Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140090775
_invalid_parameter_noinfo.LIBCMT ref: 00000001400907D1
_invalid_parameter_noinfo.LIBCMT ref: 000000014009080C
_invalid_parameter_noinfo.LIBCMT ref: 0000000140090831

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction ID: 9d625922f0084f738925744b6ce75ac3468dc28db60b1638888baded20588c2c
Opcode Fuzzy Hash: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction Fuzzy Hash: 63417F32509A8489EB63CF66C4203ED7BA0FB4DFD4F4AC042EB88073A6DA39C446C711

Function 00000001400478A0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400478CB
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400478F0
std::_Facet_Register.LIBCPMT ref: 000000014004799B
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400479E6

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: fce11bbf2716b712929d21612f2a8f238f427733906def6abb3c40e1e27c6ea6
Instruction ID: 13c908d1154428c6937b5c3509377b7ccdd79ff15f68ab15f939c0ebe6def4ce
Opcode Fuzzy Hash: fce11bbf2716b712929d21612f2a8f238f427733906def6abb3c40e1e27c6ea6
Instruction Fuzzy Hash: 70413932224A4081FA26DF17E850BD96760F78CBE4F591622EB9D477B9DF38D982C704

Function 000000014007AB80 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014007ABAB
std::_Lockit::_Lockit.LIBCPMT ref: 000000014007ABD0
std::_Facet_Register.LIBCPMT ref: 000000014007AC7B
Concurrency::cancel_current_task.LIBCPMT ref: 000000014007ACC6

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: 73d040060e39de7473f733929aeeb815445ca65359d0c265211a911782271014
Instruction ID: 74d7fc06fc51955d11541e88f1d53fd6ed53de51744ee963c2a23d3aba2a14c1
Opcode Fuzzy Hash: 73d040060e39de7473f733929aeeb815445ca65359d0c265211a911782271014
Instruction Fuzzy Hash: E2415B36214A8096FA27DF27E8507DA67A0F78DBE4F581621BB9D477B5DE3CC4818700

Function 00000001400BB3F4 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400BB43D
GetLastError.KERNEL32 ref: 00000001400BB44B
WideCharToMultiByte.KERNEL32 ref: 00000001400BB480
GetLastError.KERNEL32 ref: 00000001400BB48E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b0c4d9c72fcc6461851340ae7f6c093d4e41e08a8bab11e5154c9cbc0382217d
Instruction ID: a031f3bea18fd59b085b3d452c6f81a1a71a70fbd363d9f8fa6e03f334feb155
Opcode Fuzzy Hash: b0c4d9c72fcc6461851340ae7f6c093d4e41e08a8bab11e5154c9cbc0382217d
Instruction Fuzzy Hash: 0A216D76614B848BE7208F12E44435FBBB4F79DFD5F240128EB8997B65DB38C5028B00

Function 00000001400BB8E0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400BB210: GetModuleHandleW.KERNEL32 ref: 00000001400BB226
Part of subcall function 00000001400BB210: GetProcAddress.KERNEL32 ref: 00000001400BB236

GetLastError.KERNEL32 ref: 00000001400BB904

Part of subcall function 00000001400998B4: IsProcessorFeaturePresent.KERNEL32 ref: 00000001400998DA

GetFileAttributesW.KERNEL32 ref: 00000001400BB913
__std_fs_open_handle.LIBCPMT ref: 00000001400BB93C
CloseHandle.KERNEL32 ref: 00000001400BB94E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
String ID:
API String ID: 156590933-0
Opcode ID: 6a84e7cc61d3f6faa1a02f0b285c9e89f06a54f244136a8e8d2e5cb925bd3053
Instruction ID: 62e66b62d14fa543578834bf2b4ef4b7e56291556af98af6738b9ddd7679e05d
Opcode Fuzzy Hash: 6a84e7cc61d3f6faa1a02f0b285c9e89f06a54f244136a8e8d2e5cb925bd3053
Instruction Fuzzy Hash: 4A11A032218A4087FB625FABA0843BE6371E78C7F0F100614BBB747AF5DAB8C5418B00

Function 00007FF607DC0214 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF607DC0240
GetCurrentThreadId.KERNEL32 ref: 00007FF607DC024E
GetCurrentProcessId.KERNEL32 ref: 00007FF607DC025A
QueryPerformanceCounter.KERNEL32 ref: 00007FF607DC026A

Memory Dump Source

Source File: 00000002.00000002.1541836231.00007FF607D71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF607D70000, based on PE: true

Associated: 00000002.00000002.1541809290.00007FF607D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1541898855.00007FF607DEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1541898855.00007FF607E04000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1541898855.00007FF60815F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1542173612.00007FF608177000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1542201478.00007FF60817B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1542201478.00007FF608183000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1542256674.00007FF608188000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff607d70000_5LEXIucyEP.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b7ee5f73d21c22f4c3e3b841111f855bb87ab456a378e60018242c68feb33e76
Instruction ID: 5e52f6137d7a06b7a951f38158256eaf7ca8628a2c666363cbd48b6253fe6d6f
Opcode Fuzzy Hash: b7ee5f73d21c22f4c3e3b841111f855bb87ab456a378e60018242c68feb33e76
Instruction Fuzzy Hash: AE111832B14B028AEB00CB70E8542B833B4FB59758F541E35EAAD867A4DF7CD1A4C380

Function 00000001400AF908 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000001400AF934
GetCurrentThreadId.KERNEL32 ref: 00000001400AF942
GetCurrentProcessId.KERNEL32 ref: 00000001400AF94E
QueryPerformanceCounter.KERNEL32 ref: 00000001400AF95E

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4ffc0ff1ccd2cf120a16052376350404e0c91ed7b37e0d63ec5629fc76b72274
Instruction ID: b655b697fc6b073ddc816c875066984fbd2aa83c7f17d9a519f4fc4b792de05b
Opcode Fuzzy Hash: 4ffc0ff1ccd2cf120a16052376350404e0c91ed7b37e0d63ec5629fc76b72274
Instruction Fuzzy Hash: 1A111532710F008AEB01DB62E8543A833A4F71DB99F441A25EF6D877A4DF78C1A98380

Function 000000014002EBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

[json.exception., xrefs: 000000014002ED2B

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID:
String ID: [json.exception.
API String ID: 0-791563284
Opcode ID: aa9ce472859b39d8d4b89a398f1babea442f6c72f9e4918f49389b3ba7e588c3
Instruction ID: fb2f653c69449183f086398a4c43b5c45a9310b96e1abbd96b49283a355f216b
Opcode Fuzzy Hash: aa9ce472859b39d8d4b89a398f1babea442f6c72f9e4918f49389b3ba7e588c3
Instruction Fuzzy Hash: 9171D172F10B9085FB02CF7AE8413DD67A1E799BD8F245215EF5917BAADB78C4828340

Function 00000001400B089C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400B08C7
RtlUnwindEx.KERNEL32 ref: 00000001400B09B8

Strings

csm, xrefs: 00000001400B0945

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: Unwind__except_validate_context_record
String ID: csm
API String ID: 2208346422-1018135373
Opcode ID: b6b4ec287b03b43af7135d47e4a928fccc53e45a76218f894a62c54d13e92dd1
Instruction ID: 19c601aaea4a852408da0c01ce0685467ec383445de2fce7942d3b672fa0fc06
Opcode Fuzzy Hash: b6b4ec287b03b43af7135d47e4a928fccc53e45a76218f894a62c54d13e92dd1
Instruction Fuzzy Hash: 3551BF32312B008AEB56CF56E454BAC73B1F748BD8F558521FB9A477A9EB78C841C700

Function 000000014007B100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014007B16F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014007B1B7

Strings

bad locale name, xrefs: 000000014007B28C

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 1d48ec966220e33eb46537d50b65b025bdb0597fdae6c4422fb9f30e2bae3d48
Instruction ID: a70bdc5d483a3a6709f00792b18fb0141f1d3f3c4e5a5c8a55365fd5953b6739
Opcode Fuzzy Hash: 1d48ec966220e33eb46537d50b65b025bdb0597fdae6c4422fb9f30e2bae3d48
Instruction Fuzzy Hash: C7514D33702A408AEB56DFB2E4503ED33B4EB58B88F044025FF5967AA6DE38C5168344

Function 000000014004A600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014004A66F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014004A6B7

Strings

bad locale name, xrefs: 000000014004A796

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 133dae14c956dc43492fc21a5fc6e50363224602403c47e4697dbaa5a0c0d9d7
Instruction ID: 198352202ef1475b794fd52093b47f8c285fde63b82ab9b5d546a8a9e2019f38
Opcode Fuzzy Hash: 133dae14c956dc43492fc21a5fc6e50363224602403c47e4697dbaa5a0c0d9d7
Instruction Fuzzy Hash: 87513A32706A4089EB56DFB2E8907EC33B4EB58788F044535FB4967AA6DF38C525D348

Function 00000001400B3530 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400B35DA
_CreateFrameInfo.LIBVCRUNTIME ref: 00000001400B3603

Strings

csm, xrefs: 00000001400B3703

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 30dd612b4e4b9212e9166655247be16b5f23695bfc4863c6a6ebc2986465c29c
Instruction ID: dcb4dcb3da8c4b404caa3ed0d2c3029b21496a08969d053362ec2df929759ba3
Opcode Fuzzy Hash: 30dd612b4e4b9212e9166655247be16b5f23695bfc4863c6a6ebc2986465c29c
Instruction Fuzzy Hash: E6510776219B4086E672EF66E4413AE77B4F38DBE0F140125BB8907BA6DB38D461CB01

Function 000000014009CC10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014009CD27
GetLastError.KERNEL32 ref: 000000014009CD49

Strings

U, xrefs: 000000014009CCD3

Memory Dump Source

Source File: 00000002.00000002.1540390648.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_5LEXIucyEP.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 136ebf252562798dd94b0934f5b608a87eddbdd1c89cb1577b5bf7720501d192
Instruction ID: 265af7a89e28bd5e55a3246d438a373a726ea37e60e0b815f1dbf572d141d70c
Opcode Fuzzy Hash: 136ebf252562798dd94b0934f5b608a87eddbdd1c89cb1577b5bf7720501d192
Instruction Fuzzy Hash: A4419F72625A8082EB219F26E4447EA67A0F79CBD4F444121EF4D877A8EB3CC441CB40

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5LEXIucyEP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Meduza Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

DNS Queries

Windows Analysis Report
5LEXIucyEP.exe

Function 0000000140085B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Function 00000001400BB5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Function 000000014003D570 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 862
libraryloaderCOMMON

Function 0000000140065970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Function 000000014007C600 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173
synchronizationCOMMON

Function 0000000140032CA0 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 789
registryCOMMON

Function 00000001400A2E3C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Function 0000000140085240 Relevance: 13.9, APIs: 9, Instructions: 408
networkfileCOMMON

Function 00000001400C0658 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 0000000140066350 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1136
COMMON

Function 00000001400320B0 Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 684
registryCOMMON

Function 000000014007F020 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 451
fileCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre