Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1563392
MD5:	9c433a245d7737ca7fa17490e460f14e
SHA1:	31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9
SHA256:	0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7
Tags:	exeuser-Bitsight
Infos:

Detection

Poverty Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Poverty Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking mutex)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C433A245D7737CA7FA17490E460F14E)

conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 2172 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C433A245D7737CA7FA17490E460F14E)

cleanup

Malware Configuration

Threatname: Poverty Stealer

{"C2 url": "185.244.212.106:2227"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
00000000.00000002.2015603073.000000000026E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: file.exe PID: 1472	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
Process Memory Space: file.exe PID: 2172	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.299de8.0.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
3.2.file.exe.400000.1.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
3.2.file.exe.400000.1.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security
0.2.file.exe.299de8.0.raw.unpack	JoeSecurity_PovertyStealer	Yara detected Poverty Stealer	Joe Security

Suricata Signatures

ET MALWARE LUMAR Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T22:50:04.835240+0100	2048736	1	A Network Trojan was detected	192.168.2.5	49706	185.244.212.106	2227	TCP

Code function: 3_2_00404C2D GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC,

3_2_00404C2D

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2030	0_2_003A2030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A3220	0_2_003A3220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A4270	0_2_003A4270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A3480	0_2_003A3480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A8670	0_2_003A8670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A1000	0_2_003A1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A5870	0_2_003A5870
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A70F0	0_2_003A70F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A9910	0_2_003A9910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A3900	0_2_003A3900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A19D0	0_2_003A19D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BA262	0_2_003BA262
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2A80	0_2_003A2A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A6B30	0_2_003A6B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A5B40	0_2_003A5B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A63D0	0_2_003A63D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A4CB0	0_2_003A4CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A54F0	0_2_003A54F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A9600	0_2_003A9600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A5EB0	0_2_003A5EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2680	0_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A8E80	0_2_003A8E80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2F10	0_2_003A2F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A7770	0_2_003A7770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A7F50	0_2_003A7F50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2030	3_2_003A2030
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A1000	3_2_003A1000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A5870	3_2_003A5870
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A70F0	3_2_003A70F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A9910	3_2_003A9910
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A3900	3_2_003A3900
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A19D0	3_2_003A19D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A3220	3_2_003A3220
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A4270	3_2_003A4270
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003BA262	3_2_003BA262
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2A80	3_2_003A2A80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A6B30	3_2_003A6B30
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A5B40	3_2_003A5B40
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A63D0	3_2_003A63D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A4CB0	3_2_003A4CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A3480	3_2_003A3480
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A54F0	3_2_003A54F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A9600	3_2_003A9600
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A8670	3_2_003A8670
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A5EB0	3_2_003A5EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2680	3_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A8E80	3_2_003A8E80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2F10	3_2_003A2F10
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A7770	3_2_003A7770
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A7F50	3_2_003A7F50

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003ADB61 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003AB060 appears 84 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .ROL ZLIB complexity 1.0005296610169492

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\085f229d-d27d-4fc1-9dc1-8958125ccbd9

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source:	Binary string: ntkrnlmp.pdbOc source: file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb/ source: file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb"?^ source: file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb1 source: file.exe, 00000003.00000002.2253873303.000000000F0A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb( source: file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000003.00000002.2192045605.000000000CCD8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2192045605.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2131509698.0000000009ADA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2179146915.000000000C405000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2253873303.000000000F0A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2127622104.00000000095A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb& source: file.exe, 00000003.00000002.2220603331.000000000DEF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb%![ source: file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbMo{ source: file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbx source: file.exe, 00000003.00000002.2192045605.000000000CCD8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2220044017.000000000DED3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2131509698.0000000009ADA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2179146915.000000000C405000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2253873303.000000000F0A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2128471220.000000000972C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2127622104.00000000095A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2138518387.000000000A19F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: file.exe, 00000003.00000002.2192045605.000000000CCE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdbI'" source: file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb") source: file.exe, 00000003.00000002.2128471220.000000000972C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb&% source: file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb! source: file.exe, 00000003.00000002.2220603331.000000000DEF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb%' source: file.exe, 00000003.00000002.2205178427.000000000D62B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb$#T source: file.exe, 00000003.00000002.2157022064.000000000B232000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb,S source: file.exe, 00000003.00000002.2179146915.000000000C405000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbH!# source: file.exe, 00000003.00000002.2167304501.000000000BB30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbI source: file.exe, 00000003.00000002.2220044017.000000000DED3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbHa source: file.exe, 00000003.00000002.2148083936.000000000A98C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb0 source: file.exe, 00000003.00000002.2253873303.000000000F0A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbM source: file.exe, 00000003.00000002.2236350550.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: file.exe	Static PE information: section name: .10cfg
Source: file.exe	Static PE information: section name: .ROL

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A82E0 push eax; mov dword ptr [esp], ecx	0_2_003A82E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A7CF3 push eax; mov dword ptr [esp], ecx	0_2_003A7D15
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AA54F push ecx; ret	0_2_003AA562
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A82E0 push eax; mov dword ptr [esp], ecx	3_2_003A82E5
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A7CF3 push eax; mov dword ptr [esp], ecx	3_2_003A7D15
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003AA54F push ecx; ret	3_2_003AA562

Source: file.exe

Static PE information: section name: .text entropy: 6.911514343507659

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003AA74D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003AA74D

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_3-13251

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B2CB9 FindFirstFileExW,	0_2_003B2CB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B2D6A FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_003B2D6A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003B2CB9 FindFirstFileExW,	3_2_003B2CB9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003B2D6A FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_003B2D6A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00401000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,	3_2_00401000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00401DC9 FindFirstFileW,FindNextFileW,	3_2_00401DC9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00404EB2 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,	3_2_00404EB2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00404145 FindFirstFileW,FindNextFileW,	3_2_00404145
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00403F87 FindFirstFileW,FindNextFileW,	3_2_00403F87

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_004020E1 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,

3_2_004020E1

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Network\Cookies	Jump to behavior

Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000003.00000002.2239949570.000000000EA04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PasswordVMware20,11696428e
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000003.00000002.2149426980.000000000AB68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116964286558ar
Source: file.exe, 00000003.00000002.2239949570.000000000EA04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000003.00000002.2239949570.000000000EA04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PasswordVMware20,11696428en-GBh
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000003.00000002.2180758455.000000000C624000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116964286558
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000003.00000002.2139392308.000000000A2C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655?
Source: file.exe, 00000003.00000002.2175318807.000000000C18C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000003.00000002.2193812997.000000000CF0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655?%
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000003.00000002.2169058190.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003AAEE2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003AAEE2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C31A4 mov edi, dword ptr fs:[00000030h]	0_2_003C31A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2680 mov edi, dword ptr fs:[00000030h]	0_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2680 mov edi, dword ptr fs:[00000030h]	0_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A2680 mov edi, dword ptr fs:[00000030h]	0_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2680 mov edi, dword ptr fs:[00000030h]	3_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2680 mov edi, dword ptr fs:[00000030h]	3_2_003A2680
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003A2680 mov edi, dword ptr fs:[00000030h]	3_2_003A2680

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003B05C6 GetProcessHeap,

0_2_003B05C6

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AAEE2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003AAEE2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AAED6 SetUnhandledExceptionFilter,	0_2_003AAED6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AA722 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003AA722
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003AD7CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003AD7CC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003AAEE2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_003AAEE2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003AAED6 SetUnhandledExceptionFilter,	3_2_003AAED6
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003AA722 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_003AA722
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_003AD7CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_003AD7CC

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C31A4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_003C31A4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003AACA0 cpuid

0_2_003AACA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003AB341 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003AB341

Stealing of Sensitive Information

Yara detected Poverty Stealer

Source: Yara match	File source: 0.2.file.exe.299de8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.299de8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2015603073.000000000026E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 2172, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected Poverty Stealer

Source: Yara match	File source: 0.2.file.exe.299de8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.299de8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2015603073.000000000026E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 2172, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	211 Process Injection	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	HEUR/AGEN.1304889
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
185.244.212.106:2227	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.244.212.106:2227	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	file.exe	false	high
https://duckduckgo.com/ac/?q=	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sectigo.com/CPS0	file.exe	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	file.exe	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	file.exe	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	file.exe	false	high
http://ocsp.sectigo.com0	file.exe	false	high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	file.exe	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	file.exe	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	file.exe	false	high
https://www.ecosia.org/newtab/	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	file.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.212.106	unknown	Romania		9009	M247GB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563392
Start date and time:	2024-11-26 22:49:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 77
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.244.212.106	file.exe	Get hash	malicious	Poverty Stealer	Browse
	file.exe	Get hash	malicious	Poverty Stealer	Browse
	j95Whg3AY1.exe	Get hash	malicious	Poverty Stealer	Browse
	F7fahhucBo.exe	Get hash	malicious	Poverty Stealer	Browse
	IxE6TjWjRM.exe	Get hash	malicious	Poverty Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	https://cad7f0f6.db98e6271a22556409a87203.workers.dev	Get hash	malicious	CorporateDataTheft, HTMLPhisher	Browse	45.11.180.22
	file.exe	Get hash	malicious	Poverty Stealer	Browse	185.244.212.106
	file.exe	Get hash	malicious	Poverty Stealer	Browse	185.244.212.106
	file.exe	Get hash	malicious	NetSupport RAT	Browse	45.61.128.74
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	93.120.123.217
	file.exe	Get hash	malicious	NetSupport RAT	Browse	45.61.128.74
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	104.224.90.41
	comprobante.exe	Get hash	malicious	Remcos	Browse	176.10.80.43
	7jBzTH9FXQ.exe	Get hash	malicious	Unknown	Browse	95.174.64.138
	fACYdCvub8.exe	Get hash	malicious	Unknown	Browse	95.174.66.19

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.072516985415119
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	189'568 bytes
MD5:	9c433a245d7737ca7fa17490e460f14e
SHA1:	31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9
SHA256:	0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7
SHA512:	edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95
SSDEEP:	3072:1VUaad8eqre/E0fYSB0ih9FHax2OdA1hBB/1lQaejhvltBNTE63yMnHpeGlI4yBt:3Dad8trC7f710UOdc/0bBNTE63yxcXqt
TLSH:	F304BF1570C0D0B2E9531831A8B4C6B16A3EFA615F208EEF7798977E4F253D18A3587B
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...K.Eg..........................................@.......................... ............@.................................X...(..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40b2ec
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x6745D64B [Tue Nov 26 14:08:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0d65a10b5fab1eb2208e888615c975f3

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FA4246CAFBAh
jmp 00007FA4246CAE29h
mov ecx, dword ptr [004235D8h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FA4246CAFB6h
test esi, ecx
jne 00007FA4246CAFD8h
call 00007FA4246CAFE1h
mov ecx, eax
cmp ecx, edi
jne 00007FA4246CAFB9h
mov ecx, BB40E64Fh
jmp 00007FA4246CAFC0h
test esi, ecx
jne 00007FA4246CAFBCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004235D8h], ecx
not ecx
pop edi
mov dword ptr [004235D4h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [0042134Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00421314h]
xor dword ptr [ebp-04h], eax
call dword ptr [00421310h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00421388h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00424998h
call dword ptr [00421368h]
ret
mov al, 01h
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FA4246CCCB3h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21158	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2bc00	0x2e80	.ROL
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27000	0x1620	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1b7c0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x212b0	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19940	0x19a00	eece2ebfa0e1eac007d9a18fb7cf3122	False	0.5988185975609757	data	6.911514343507659	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x7244	0x7400	08f7fc137d9ee1d7930fb5afd5858e48	False	0.4047346443965517	data	4.780789647051548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x23000	0x2094	0x1000	727c8d47eb17616234df54f9202d6ad2	False	0.481201171875	data	5.041175769024138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.10cfg	0x26000	0x8	0x200	32b4303d1745a694ee1cbc28035c59d7	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x27000	0x1620	0x1800	045b3e5d880e10085db2a35a5d8b6aa4	False	0.7600911458333334	data	6.362329400431381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.ROL	0x29000	0x7600	0x7600	5de6ca81d504e18ec07ba4c128144c16	False	1.0005296610169492	data	7.994779917365839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x31000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T22:50:04.835240+0100	2048736	ET MALWARE LUMAR Stealer Exfiltration M2	1	192.168.2.5	49706	185.244.212.106	2227	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 22:50:04.592123032 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.712430000 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.712503910 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.714937925 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.715117931 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.834965944 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835021973 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835194111 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835215092 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835239887 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835262060 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835361004 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835371017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835417986 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835449934 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835489988 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835494995 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835535049 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835592031 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835649014 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.835670948 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.835716009 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.954688072 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.954890013 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.955003977 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.955051899 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.955204964 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.955224037 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.955248117 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.955255985 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.955267906 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.955300093 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.955377102 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.955387115 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.955426931 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:04.998394966 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:04.998492002 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.118335962 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.118422031 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.166426897 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.166492939 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.282356977 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.378354073 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.378408909 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.631928921 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.631983995 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.738100052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.738280058 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.738339901 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.752006054 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.752062082 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858367920 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858390093 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858429909 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858453035 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858481884 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858493090 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858536005 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858623028 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858632088 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858643055 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858696938 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858710051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858736992 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858746052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858776093 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858798981 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858829975 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858908892 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.858923912 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.858952999 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859080076 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859138012 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859181881 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859191895 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859251022 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859258890 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859307051 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859343052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859458923 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859483004 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859597921 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859606028 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859648943 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859735966 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.859787941 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.859952927 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.860176086 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.860239983 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.860276937 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.860455036 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.860512972 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.860523939 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.860563040 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.872363091 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.872416019 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.978889942 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.978969097 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.979070902 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979118109 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.979201078 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979258060 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.979289055 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979371071 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979432106 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.979567051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979693890 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979749918 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.979794979 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979944944 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.979998112 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980053902 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980170965 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980221987 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980230093 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980235100 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980240107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980268002 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980273008 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980282068 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980326891 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980339050 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980355024 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980381012 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980396032 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980477095 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980485916 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980494022 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980534077 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980586052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980635881 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980652094 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980660915 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980668068 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980710030 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980725050 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980739117 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980768919 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980813980 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980823040 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980837107 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980865955 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980866909 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980911016 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.980931997 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.980982065 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981003046 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981053114 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981081009 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981089115 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981092930 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981153011 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981178999 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981187105 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981240988 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981281996 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981323957 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981327057 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981336117 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981350899 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981375933 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981393099 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981401920 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981447935 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981465101 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981473923 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981497049 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981517076 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981570959 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981580973 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981607914 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981617928 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981622934 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981642962 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981667995 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981803894 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981812000 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981820107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981822968 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981865883 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981894016 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981903076 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981940985 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.981950045 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981957912 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.981997967 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.982043028 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.982459068 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.992424011 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.992511034 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:05.992532015 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:05.992577076 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.099462032 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.099482059 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.099529982 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.099548101 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.099739075 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.099787951 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.099946976 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.099993944 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100097895 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100111961 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100156069 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100208044 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100220919 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100263119 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100312948 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100363016 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100395918 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100444078 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100541115 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100591898 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100629091 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100677967 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100894928 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.100949049 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.100989103 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101062059 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.101298094 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101356983 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.101404905 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101450920 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.101490974 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101536989 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.101636887 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101689100 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.101771116 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101819992 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.101829052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.101877928 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102071047 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102118969 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102281094 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102327108 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102330923 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102339029 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102376938 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102411985 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102463961 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102495909 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102510929 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102540016 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102555990 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102576017 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102648020 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102662086 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102710009 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102736950 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102751017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102786064 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102797031 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102835894 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102854013 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.102878094 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102907896 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.102982998 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103009939 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103049040 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103082895 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103132010 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103152037 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103183031 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103199959 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103203058 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103250027 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103271008 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103308916 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103332996 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103348970 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103432894 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103445053 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103460073 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103492975 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103513956 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103560925 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103574038 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103621006 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103642941 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103693008 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103795052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.103837967 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.103987932 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104036093 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104063988 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104110003 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104250908 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104264975 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104299068 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104319096 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104365110 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104412079 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104487896 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104535103 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104578972 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104626894 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104768991 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104782104 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104825974 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.104847908 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.104895115 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105089903 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105104923 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105142117 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105159998 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105189085 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105238914 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105273962 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105295897 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105312109 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105326891 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105344057 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105365038 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105508089 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105521917 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105545998 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105576992 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105619907 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105650902 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105663061 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105685949 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105695009 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105699062 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105710030 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105711937 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105736971 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105753899 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105787992 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105837107 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105878115 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105890989 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105902910 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105921984 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105923891 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105935097 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105937004 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105947971 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.105962992 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.105983973 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106127024 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106139898 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106152058 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106173038 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106193066 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106281042 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106292963 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106323004 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106338024 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106434107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106479883 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106548071 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106561899 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106586933 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106594086 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106607914 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106630087 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106662035 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106674910 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106720924 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106720924 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106776953 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106812000 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106825113 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106847048 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106862068 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106863022 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106873035 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106874943 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.106879950 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106910944 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.106970072 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107028008 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107059002 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107070923 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107112885 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107114077 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107126951 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107140064 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107153893 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107167006 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107187986 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107207060 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107218027 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107229948 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107261896 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107266903 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107341051 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107469082 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107481003 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107522964 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107614994 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107685089 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107769966 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107783079 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107798100 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.107817888 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.107848883 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108015060 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108063936 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108150959 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108165026 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108189106 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108202934 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108233929 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108237028 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108247042 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108274937 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108285904 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108302116 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108349085 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108432055 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108447075 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108479023 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108479977 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108501911 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108513117 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108530998 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108573914 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.108601093 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108613968 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.108652115 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.112442017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.112503052 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.112504959 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.112555027 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.112591982 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.112639904 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.112705946 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.112771034 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.219750881 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219769001 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219782114 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219805956 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.219825983 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.219871044 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219882965 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219907999 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219919920 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219923973 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.219949007 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.219949961 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.219970942 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.219990969 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220145941 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220159054 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220170021 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220190048 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220201969 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220216990 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220295906 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220340014 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220366955 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220415115 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220650911 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220664024 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220675945 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220690966 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220696926 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220721006 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220746040 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220758915 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220802069 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.220844984 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220856905 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220869064 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.220904112 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221054077 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221066952 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221079111 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221107960 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221122026 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221132040 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221143961 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221154928 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221184969 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221199989 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221230030 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221357107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221396923 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221402884 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221440077 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221514940 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221566916 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221595049 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221617937 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221630096 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221635103 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221662998 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221668005 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221674919 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221705914 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221765995 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221779108 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221790075 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221832037 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221873999 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221896887 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.221927881 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.221940994 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222140074 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222168922 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222188950 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222218990 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222383022 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222407103 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222453117 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222553015 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222564936 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222577095 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222589016 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222616911 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222630024 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222634077 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222646952 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222659111 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222680092 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222697020 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222709894 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222712040 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222748041 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222774029 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222785950 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222820044 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222841024 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222888947 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222901106 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222913027 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.222945929 CET	49706	2227	192.168.2.5	185.244.212.106
Nov 26, 2024 22:50:06.222975969 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223073006 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223094940 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223107100 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223187923 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223212004 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223223925 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223253012 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223335028 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223416090 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223428965 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223439932 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223453999 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223551989 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223563910 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223575115 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223618984 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223704100 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223716974 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223728895 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223788977 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223866940 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223879099 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.223948002 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224030018 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224142075 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224164963 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224258900 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224271059 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224282980 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224406004 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224417925 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224430084 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224445105 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224575996 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224587917 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224598885 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224613905 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224693060 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224705935 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224718094 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224781990 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224793911 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224806070 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224850893 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224929094 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224941015 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.224951982 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225044012 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225055933 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225111961 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225122929 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225174904 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225188017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225253105 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225333929 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225420952 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225435019 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225457907 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225469112 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225481033 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225492001 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225632906 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225709915 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225780010 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225791931 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225804090 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225815058 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225886106 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225898027 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225984097 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.225996017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226006985 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226011992 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226053953 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226066113 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226088047 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226142883 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226304054 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226360083 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226372004 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226386070 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226474047 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226485968 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226502895 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226618052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226630926 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226641893 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226694107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226756096 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226768017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226787090 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226809025 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226820946 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226943970 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.226983070 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227049112 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227086067 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227097988 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227109909 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227221012 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227232933 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227246046 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227277994 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227291107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227302074 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227407932 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227420092 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227432013 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227468014 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227633953 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227647066 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227658987 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227669954 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227682114 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227705002 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227716923 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227727890 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227823019 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.227844954 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.228003025 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.228015900 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.228027105 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.228044033 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.228172064 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232527971 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232541084 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232553005 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232568026 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232614040 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232625961 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.232645988 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.339750051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.339931965 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.339943886 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.339955091 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.339977980 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340090990 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340102911 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340116024 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340157986 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340308905 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340321064 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340332985 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340444088 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340466976 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340538025 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340643883 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340656042 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340717077 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340878010 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340929031 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340940952 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.340964079 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341054916 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341067076 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341276884 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341289043 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341300011 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341315985 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341666937 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341679096 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341691017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341713905 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341748953 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341870070 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341926098 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341948032 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.341991901 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342216969 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342273951 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342360973 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342412949 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342425108 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342696905 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342709064 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342720985 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342771053 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.342782974 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343038082 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343050003 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343061924 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343085051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343209028 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343414068 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343521118 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343533993 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343547106 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343940973 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343952894 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.343965054 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344003916 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344016075 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344100952 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344144106 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344345093 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344367027 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344594002 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344607115 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344624996 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344646931 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344883919 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344896078 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.344907045 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345042944 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345066071 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345244884 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345321894 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345334053 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345345974 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345469952 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345482111 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345493078 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345851898 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345947027 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345958948 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.345971107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346096992 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346162081 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346312046 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346421957 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346548080 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346592903 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346755028 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346766949 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346779108 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.346808910 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347053051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347181082 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347193003 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347244978 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347336054 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347440958 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347496033 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347508907 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347649097 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347661018 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347671986 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347682953 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347786903 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347809076 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347934961 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.347974062 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348143101 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348155022 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348283052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348294973 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348412991 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348467112 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348757029 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348965883 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348978043 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.348989010 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349436045 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349447966 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349459887 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349544048 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349617958 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349630117 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349701881 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349716902 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349858999 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349870920 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349883080 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349971056 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349982977 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.349994898 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350213051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350225925 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350236893 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350249052 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350260973 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350342035 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350353956 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.350363970 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351146936 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351159096 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351171017 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351181984 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351260900 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351273060 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351284981 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351295948 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351308107 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351325035 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351336956 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351350069 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351361990 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351372957 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351383924 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351396084 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351407051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351418018 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351429939 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351440907 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351453066 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351464033 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351475954 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351488113 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351497889 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351516008 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351527929 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.351540089 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352375031 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352386951 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352400064 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352411032 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352422953 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352435112 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352447987 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352458954 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352471113 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352482080 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352493048 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.352498055 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.368015051 CET	2227	49706	185.244.212.106	192.168.2.5
Nov 26, 2024 22:50:06.368088961 CET	49706	2227	192.168.2.5	185.244.212.106

Target ID:	0
Start time:	16:49:52
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3a0000
File size:	189'568 bytes
MD5 hash:	9C433A245D7737CA7FA17490E460F14E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000000.00000002.2015603073.000000000026E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:49:52
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:49:53
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3a0000
File size:	189'568 bytes
MD5 hash:	9C433A245D7737CA7FA17490E460F14E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3.1%
Total number of Nodes:	1907
Total number of Limit Nodes:	29

Executed Functions

Function 003C31A4 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,003C3116,003C3106), ref: 003C333A
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 003C334D
Wow64GetThreadContext.KERNEL32(000000A8,00000000), ref: 003C336B
ReadProcessMemory.KERNELBASE(0000009C,?,003C315A,00000004,00000000), ref: 003C338F
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 003C33BA
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 003C3412
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 003C345D
WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 003C349B
Wow64SetThreadContext.KERNEL32(000000A8,003F0000), ref: 003C34D7
ResumeThread.KERNELBASE(000000A8), ref: 003C34E6

Strings

CreateProcessW, xrefs: 003C3256
GetThreadContext, xrefs: 003C327C
Load, xrefs: 003C31E0
VirtualAlloc, xrefs: 003C3269
VirtualAllocEx, xrefs: 003C32A2
GetP, xrefs: 003C3224
ress, xrefs: 003C322C
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 003C3339
aryA, xrefs: 003C31E8
ReadProcessMemory, xrefs: 003C328F
SetThreadContext, xrefs: 003C32C8
TerminateProcess, xrefs: 003C33C9
WriteProcessMemory, xrefs: 003C32B5
ResumeThread, xrefs: 003C32DE

Memory Dump Source

Source File: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: f05cee4874952360fdd11c4cfb9b81266ab851ab42421b5823d6474efe4a6c42
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 3EB1E57664028AAFDB60CF68CC80BDA73A5FF88714F158518EA08EB741D774FA518B94

Function 003A2030 Relevance: 6.7, Strings: 5, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P*A, xrefs: 003A23F0
P*A, xrefs: 003A22C0
P*A, xrefs: 003A24D0
P*A, xrefs: 003A2269
P*A, xrefs: 003A225B

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: P*A$P*A$P*A$P*A$P*A
API String ID: 0-2583374703
Opcode ID: 51eebc9c8308472e3a21ebd7d56aaa8bab84dadaad1e8e1de1b0a9e5ac081cac
Instruction ID: 9e8eccfeb69b4073114f046957951195ac2647fd5b022bdebd82832a4ded4e3e
Opcode Fuzzy Hash: 51eebc9c8308472e3a21ebd7d56aaa8bab84dadaad1e8e1de1b0a9e5ac081cac
Instruction Fuzzy Hash: C3E1573560C3418FDB5A8A2D88E42AFBBD1DBD6314F155E2DE8CA93792C635CD48CB42

Function 003A8670 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 495
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 003A8D0D

Strings

v22y, xrefs: 003A86DB
v22y, xrefs: 003A8B4B

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: v22y$v22y
API String ID: 2134207285-685426704
Opcode ID: 46828ab6ea07d9b7446a1211e815f0fa63d8aedabcd947e8b56b6b3d0c6fab03
Instruction ID: 5149d64dd992e0280e367e711daf7fb9180ab890565625d24663522c32731b07
Opcode Fuzzy Hash: 46828ab6ea07d9b7446a1211e815f0fa63d8aedabcd947e8b56b6b3d0c6fab03
Instruction Fuzzy Hash: 55F16A36F111114FDF1A8B3888E67FE7BE6DB96310F29541AD806D72E1DE274C498B81

Function 003A3480 Relevance: 3.3, APIs: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 003A34E3

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: a7350402117e9aafca6f975a02429202b0e8775926c6290dd44c7da326e6512d
Instruction ID: 95700ca2ad1d83d6507af808c10e102754da08ad030ac26b3bdc3619beb4ac58
Opcode Fuzzy Hash: a7350402117e9aafca6f975a02429202b0e8775926c6290dd44c7da326e6512d
Instruction Fuzzy Hash: 1491787AA042008FCE1ED66C9CD5A7EF3D4DB57714F258C2AF445CB291E625CF489742

Function 003A3220 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003A33CE

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 21877e33c2bd9ddfa3d53474f0a599701eb0fa6dd5592eece685460a4cd5fda7
Instruction ID: c8a0193a16a15d02cfb50612d066a2eda1c5c8d7cc15144a22f66a998838dffe
Opcode Fuzzy Hash: 21877e33c2bd9ddfa3d53474f0a599701eb0fa6dd5592eece685460a4cd5fda7
Instruction Fuzzy Hash: 8F41A037B041005FDF1945289CD37AE778AEBE3354F29C82AF946CF2E5D9298F494282

Function 003A4270 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a72b68720ac7db78e1a33fc260cb68a2b758f92a32dbf0e4bc32ead7a2aebc6
Instruction ID: f94a0ab2787ef2e4edb95ec503117c8f725905ebd74ce2b2e0dcd277c5f028ae
Opcode Fuzzy Hash: 1a72b68720ac7db78e1a33fc260cb68a2b758f92a32dbf0e4bc32ead7a2aebc6
Instruction Fuzzy Hash: 8BC1BD2E7982004F9E2D8428ACE72BF3792D7E2355F35C429E516DB6E0DA9ECC5D8341

Function 003B76D7 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B7ADC: CreateFileW.KERNELBASE(00000000,00000000,?,003B7780,?,?,00000000,?,003B7780,00000000,0000000C), ref: 003B7AF9

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003B77EB
__dosmaperr.LIBCMT ref: 003B77F2
GetFileType.KERNELBASE(00000000), ref: 003B77FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003B7808
__dosmaperr.LIBCMT ref: 003B7811
CloseHandle.KERNEL32(00000000), ref: 003B7831
CloseHandle.KERNEL32(003B4556), ref: 003B797E
GetLastError.KERNEL32 ref: 003B79B0
__dosmaperr.LIBCMT ref: 003B79B7

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: faf4ef2d47031697b69d58324781a2321c9c707b27c740a73890a92760a8b3d1
Instruction ID: 38b29fa8de94397e893b62c85cb040d3ab5443104c32d7b10ea62fd4ff6c76a8
Opcode Fuzzy Hash: faf4ef2d47031697b69d58324781a2321c9c707b27c740a73890a92760a8b3d1
Instruction Fuzzy Hash: 15A14432A081589FCF1A9F68DC62BED7BA4EB86318F15015DFA11DF791CB309902CB41

Function 003B040E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,7EAEDD2A,?,003B051D,?,?,00000000), ref: 003B04CF

Strings

api-ms-, xrefs: 003B0465
ext-ms-, xrefs: 003B0479

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 35dac30f1d1bffd89e009a83c1131326d38e516a422bb0d191a9e8d7a4ead917
Instruction ID: 77274960cfe25a60601034049a4e7bfe9384e495c9a8df6ae259aad5715fed7c
Opcode Fuzzy Hash: 35dac30f1d1bffd89e009a83c1131326d38e516a422bb0d191a9e8d7a4ead917
Instruction Fuzzy Hash: 2821D831A01214ABD7279B62AC45EDB776CAF51778F160224EB16E7A91DB34FD00CBD0

Function 003B48DD Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f4084031a9f22efff7c33e89bd13414c5d7170bbee984886fa735aef1d0648
Instruction ID: bd37df1920cfd932319406f193503c0e4de0158262b7ac6d2952e61512548b31
Opcode Fuzzy Hash: d8f4084031a9f22efff7c33e89bd13414c5d7170bbee984886fa735aef1d0648
Instruction Fuzzy Hash: B7B10F70A04248ABDB13DFA8C891BEEBBB9BF45308F154158E7419BA93C770ED41CB58

Function 003A4860 Relevance: 6.2, APIs: 4, Instructions: 169
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 003A48A6

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f8916b2c111265356a8ff8cfd4e7496d6f9aceaab16f3fb2ac78745baafc7745
Instruction ID: 2a64dc2a4c5e7ed625cd5e48cc36af9b3466ddcd8aa38dcaeffbd5f0b8c6e7b4
Opcode Fuzzy Hash: f8916b2c111265356a8ff8cfd4e7496d6f9aceaab16f3fb2ac78745baafc7745
Instruction Fuzzy Hash: EF5159367006018FCA299A18ACD27BF33D9EBD3351F26451DE506CB2A1DBBADC458B52

Function 003B5A3D Relevance: 4.7, APIs: 3, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 003B5BF2

Part of subcall function 003B21D4: RtlAllocateHeap.NTDLL(00000000,003AA305,003A6B0B,?,003ABA67,003A6B0D,003A6B0B,BD5B212C,1CF2E7BE,?,003A9CC5,003AA305,003A6B0F,003A6B0B,003A6B0B,003A6B0B), ref: 003B2206

__freea.LIBCMT ref: 003B5C05
__freea.LIBCMT ref: 003B5C12

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: c6dfd45b757c0656047773de83334e7049e10e87ee2356c9303d001552b396f9
Instruction ID: 8e59826893d5373141b5b8eb3f6272c991254b987968c2a219fe6dc5a6e639bc
Opcode Fuzzy Hash: c6dfd45b757c0656047773de83334e7049e10e87ee2356c9303d001552b396f9
Instruction Fuzzy Hash: 9651B672600606AFEF279F648C85FFB7BAAEF44718B1A0528FE05DA950E734DC50D660

Function 003AC6F4 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_0000C80C,00000000,00000000,?), ref: 003AC73D
GetLastError.KERNEL32(?,003A8BC2,00000000,00000000,003A8D20,?,00000000,?), ref: 003AC749
__dosmaperr.LIBCMT ref: 003AC750

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: bbf59a691b8fd4b648d876311b1367c7f2e0d90867a8935db151fb25fc7e0436
Instruction ID: 1eb7e928378809c9387e76a0a5ccd776d790cd3502894fa719e35f3063cd00ba
Opcode Fuzzy Hash: bbf59a691b8fd4b648d876311b1367c7f2e0d90867a8935db151fb25fc7e0436
Instruction Fuzzy Hash: 4E019E76520209AFDF17AFA0DC05AEE7BA9EF02364F104168F90196151EB72D950DF90

Function 003AA3F0 Relevance: 4.5, APIs: 3, Instructions: 32
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 003AA3FB
GetExitCodeThread.KERNELBASE(?,?), ref: 003AA40D
CloseHandle.KERNEL32(?), ref: 003AA426

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCodeExitHandleObjectSingleThreadWait
String ID:
API String ID: 2551024706-0
Opcode ID: 140b8107157b623899a835d176b0e0d9f1886bae46e8907f4a3ec149f33f3b7a
Instruction ID: 68d8373b8f78245d332ea2b322439e384da8638350034529def36bfec6b0004d
Opcode Fuzzy Hash: 140b8107157b623899a835d176b0e0d9f1886bae46e8907f4a3ec149f33f3b7a
Instruction Fuzzy Hash: CBF08C3A200109ABDF068F35DC0AF697AA8EF02368F644324B822D62E0D7B1ED01DB50

Function 003AC88A Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B0778: GetLastError.KERNEL32(00000000,?,003B1CEB,003B1DE8,?,?,003B0674,00000001,00000364,?,00000002,000000FF,?,003AC831,003C1C08,0000000C), ref: 003B077C
Part of subcall function 003B0778: SetLastError.KERNEL32(00000000), ref: 003B081E

CloseHandle.KERNEL32(?,?,?,003AC784,?,?,003AC86A,00000000), ref: 003AC8BB
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,003AC784,?,?,003AC86A,00000000), ref: 003AC8D1
ExitThread.KERNEL32 ref: 003AC8DA

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 89a30cac40dde5e66a4084bc9c8bf3040650bee4e22a8d31906e3e895d130ff3
Instruction ID: bd2f22c5735ec09be487aecbf337d07a8ba0a52d80ca158125bf759b5b8b1939
Opcode Fuzzy Hash: 89a30cac40dde5e66a4084bc9c8bf3040650bee4e22a8d31906e3e895d130ff3
Instruction Fuzzy Hash: 9BF05832410604ABCB231B35C84DA6B7AACFF02364F1A5B14F925C65A1DB38EC41C790

Function 003AC9FB Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,003ACABD,003ADE85,003ADE85,?,00000002,7EAEDD2A,003ADE85,00000002), ref: 003ACA0C
TerminateProcess.KERNEL32(00000000,?,003ACABD,003ADE85,003ADE85,?,00000002,7EAEDD2A,003ADE85,00000002), ref: 003ACA13
ExitProcess.KERNEL32 ref: 003ACA25

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1e73b7956f53cb6acb78d53c134dc8da39597257083447beef988bbf874fabf7
Instruction ID: 5941e5e01b135143e2dc17549414f8b31e34c3ddfb42278ce7e7ca79a61f8eae
Opcode Fuzzy Hash: 1e73b7956f53cb6acb78d53c134dc8da39597257083447beef988bbf874fabf7
Instruction Fuzzy Hash: D4D09E39010148ABCF037F61DC0DC5A3F69EF46785F105014B905D9073DF35A951EB84

Function 003B0ED9 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B10DE: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 003B1109

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,003B12E9,?,00000000,?,00000000,?), ref: 003B0F3A
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,003B12E9,?,00000000,?,00000000,?), ref: 003B0F76

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f8cf555f2a17bbb809efe6aefefc5c66ab34c71a0aa5564ae6f3a75b89e3fd4b
Instruction ID: 3fd9422968df570c221babbd49499690636716c2ff431bd08497c778f1e16be7
Opcode Fuzzy Hash: f8cf555f2a17bbb809efe6aefefc5c66ab34c71a0aa5564ae6f3a75b89e3fd4b
Instruction Fuzzy Hash: 94512370A002858EDB32DF35C8A0AFBBBF5EF41308F19456AD2828BA51D7749986CB50

Function 003B0D4C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,003B0C3B,003C1FE8,0000000C), ref: 003B0D98
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,003B0C3B,003C1FE8,0000000C), ref: 003B0DAA

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8b5a2ce994c72dc0eac9384d08faa16fd5dbd681ab817f9452db8a5c9f1a32a5
Instruction ID: 2a2acb39a48a1558a09cb6682c8d3bdbe39f732a6726b8b206dd2c345ac29183
Opcode Fuzzy Hash: 8b5a2ce994c72dc0eac9384d08faa16fd5dbd681ab817f9452db8a5c9f1a32a5
Instruction Fuzzy Hash: 4811D6315047414ACB3A4FBE8C886A7BA98A756338F39071DD2B7C6DF1C630F886D240

Function 003B547F Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000002,?,00000000,?,?,?,003B5337,00000000,?,?,00000002,00000000), ref: 003B54BB
GetLastError.KERNEL32(00000000,?,003B5337,00000000,?,?,00000002,00000000,?,003B5EF2,?,00000000,00000000,00000002,?,?), ref: 003B54C8

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 6267b390032cc0adcc3f909d4caf9d55c78afc0a02a5a82cd156d35eec13570a
Instruction ID: 6eac5b5da028d7c54ddf9f7daeb20d793906bee2c517490f91b0d5f971395895
Opcode Fuzzy Hash: 6267b390032cc0adcc3f909d4caf9d55c78afc0a02a5a82cd156d35eec13570a
Instruction Fuzzy Hash: D5012632610555AFCB068F59DC05DEE3B2EEB85339F250108F911DB991EA71ED81DB90

Function 003AC80C Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(003C1C08,0000000C), ref: 003AC81F
ExitThread.KERNEL32 ref: 003AC826

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 7d2fdf9377cd335560cb3a76fba609e4598bb344ffa1b8c85a178e0897188a7b
Instruction ID: 6525ac0251fd59a846bf2096e240d81a4c628e85cfc88591de88b232ec942f5f
Opcode Fuzzy Hash: 7d2fdf9377cd335560cb3a76fba609e4598bb344ffa1b8c85a178e0897188a7b
Instruction Fuzzy Hash: E8F0C2749402089FDB07BF70C84AEAE7B78FF46700F104148F1029BA62CB75A900DFA0

Function 003B0297 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE(?,003B5B2D,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 003B02CB
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,003B5B2D,?,?,-00000008,?,00000000), ref: 003B02E9

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c4b9b6abef5667b93513cf53dd0e510a55b0d9ccb7dc730a21541aad12f85a88
Instruction ID: 653ae984c4e33bad42fb836fc1d2fffdbe235f804fdbf7d3c3297540795490e5
Opcode Fuzzy Hash: c4b9b6abef5667b93513cf53dd0e510a55b0d9ccb7dc730a21541aad12f85a88
Instruction Fuzzy Hash: 9AF0683200011ABBCF175F90DC09DDE3F2AAB487A4F058410BA1969420CB32D871AB90

Function 003B165A Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,003B21C8,?,00000000,?,?,003B20E4,?,00000007,?,?,003B26FD,?,?), ref: 003B1670
GetLastError.KERNEL32(?,?,003B21C8,?,00000000,?,?,003B20E4,?,00000007,?,?,003B26FD,?,?), ref: 003B167B

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 3dbe07c6f392e695190bf14e5c8a5dfc497c172a055157e30219ddd15230ae80
Instruction ID: 102c315e580adc83f8f8a02c45167e1cf1b13405f23af50c0168e9f5a07e7458
Opcode Fuzzy Hash: 3dbe07c6f392e695190bf14e5c8a5dfc497c172a055157e30219ddd15230ae80
Instruction Fuzzy Hash: 1FE0867210021467CB132BA0ED19BE57B5CAB04799F854028F70CCA861D634AC40D784

Function 003B40BE Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,003B424C,00000000,CF830579,003C2148,0000000C,003B41D4,003ADF24,?), ref: 003B4114
GetLastError.KERNEL32(?,003B424C,00000000,CF830579,003C2148,0000000C,003B41D4,003ADF24,?), ref: 003B411E

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 94bf734efbff63b362c01970cb5810bb9e194984d0cf3c4fd93d1b1a0ce699a9
Instruction ID: 0448f252417f5707a677a09b97f66c9094227b50e764f75f9e733580cb737cee
Opcode Fuzzy Hash: 94bf734efbff63b362c01970cb5810bb9e194984d0cf3c4fd93d1b1a0ce699a9
Instruction Fuzzy Hash: 49110C33A041601AD61763785C09BFEAB599B5273CF270119FB14DBAD3DE6098C45694

Function 003AEB08 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0fd1e0bd094bc0454b83a220e3256c65947572e3fc03ed35c22911129cb77b
Instruction ID: 199e8dea50e05f87b052055a028836c32c04ff19e491f4e8102b9da868ad5257
Opcode Fuzzy Hash: 7d0fd1e0bd094bc0454b83a220e3256c65947572e3fc03ed35c22911129cb77b
Instruction Fuzzy Hash: BE51C471A00104AFDF16DF58C885EA9BFB5EF8A324F298158F8599B252D371DE41CB90

Function 003B1468 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,003B12E9,?), ref: 003B149A

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: b6f689a0ac6c82a31c5c64f57b89d458c9d201c425782d5b42fce76cec7173f2
Instruction ID: 262c36515752993768e97f2a95529940cbacd9730b008acdea0d3437ea3fb543
Opcode Fuzzy Hash: b6f689a0ac6c82a31c5c64f57b89d458c9d201c425782d5b42fce76cec7173f2
Instruction Fuzzy Hash: 65515DB1908158AADB228F29CC94BF97B7CEB46308F5401E9E65AC7542C3759D45CF60

Function 003B43F8 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003B4551

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0200c767e1596ab618f06d4c7c68d5a0c4e6ce23accd2ce45978150013b98775
Instruction ID: 750ce63f78fe8738a6f7f16de66d40bfbbe5072e0e265b2f0634e41e8f65906f
Opcode Fuzzy Hash: 0200c767e1596ab618f06d4c7c68d5a0c4e6ce23accd2ce45978150013b98775
Instruction Fuzzy Hash: 70116A71A0420AAFCB16DF58E941DDB7BF8EF49308F01405AF908AB202D630ED11CBA4

Function 003B04D9 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7c0b44c83c69c1a29d6088a8ce8847a4195f650f09afa22900c3e0e44408a9
Instruction ID: 5b9852554af8e4014c4eb4cbbe47b46b743a0c473b0aee4df6613ab241387ff3
Opcode Fuzzy Hash: ab7c0b44c83c69c1a29d6088a8ce8847a4195f650f09afa22900c3e0e44408a9
Instruction Fuzzy Hash: CA01FE333042105F9B1B8A5DED40EA7336DA7C2724B254116FB05D7C54EE30E9408B50

Function 003B21D4 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,003AA305,003A6B0B,?,003ABA67,003A6B0D,003A6B0B,BD5B212C,1CF2E7BE,?,003A9CC5,003AA305,003A6B0F,003A6B0B,003A6B0B,003A6B0B), ref: 003B2206

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e2950e7b1854911fe07a113912ce0c1455cf1957593bb666933a043e3243214f
Instruction ID: 7cdafa930ee4710f3edb0d1dade58dcca109f7e5ccdaa36bd102674f7ebc25eb
Opcode Fuzzy Hash: e2950e7b1854911fe07a113912ce0c1455cf1957593bb666933a043e3243214f
Instruction Fuzzy Hash: 42E06D312842645BDA632669DD11FEB3A4CAB527F9F160321FF25DEC96DB60DC00A2E0

Function 003B7ADC Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,003B7780,?,?,00000000,?,003B7780,00000000,0000000C), ref: 003B7AF9

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1656d71a2c669001e468bee81375d8faa80d5d246d1715f06bcb52910eb2cd42
Instruction ID: 4202fda36622eb47d081537105c743e5929e3186ce9c4861fdcc089b48551e45
Opcode Fuzzy Hash: 1656d71a2c669001e468bee81375d8faa80d5d246d1715f06bcb52910eb2cd42
Instruction Fuzzy Hash: 65D06C3200010DBBDF028F84DC06EDA3BAAFB48714F014100BA1896020C732E871AB90

Non-executed Functions

Function 003AA74D Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003AA753
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003AA761
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003AA772
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003AA783
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003AA794
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003AA7A5
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 003AA7B6
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003AA7C7
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 003AA7D8
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003AA7E9
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003AA7FA
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003AA80B
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003AA81C
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003AA82D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003AA83E
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003AA84F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003AA860
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 003AA871
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 003AA882
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 003AA893
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 003AA8A4
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 003AA8B5
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 003AA8C6
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 003AA8D7
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 003AA8E8
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 003AA8F9
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003AA90A
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 003AA91B
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003AA92C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003AA93D
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 003AA94E
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 003AA95F
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 003AA970
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 003AA981
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 003AA992
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 003AA9A3
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 003AA9B4
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 003AA9C5
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 003AA9D6
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 003AA9E7
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 003AA9F8

Strings

CreateThreadpoolTimer, xrefs: 003AA7EF
WaitForThreadpoolTimerCallbacks, xrefs: 003AA811
FlushProcessWriteBuffers, xrefs: 003AA866
FreeLibraryWhenCallbackReturns, xrefs: 003AA877
GetTickCount64, xrefs: 003AA8BB
CloseThreadpoolWork, xrefs: 003AA9BA
SetThreadpoolTimer, xrefs: 003AA800
SleepConditionVariableSRW, xrefs: 003AA987
CreateThreadpoolWait, xrefs: 003AA833
CreateSemaphoreW, xrefs: 003AA7CD
TryAcquireSRWLockExclusive, xrefs: 003AA965
GetSystemTimePreciseAsFileTime, xrefs: 003AA8EE
SleepConditionVariableCS, xrefs: 003AA932
InitializeSRWLock, xrefs: 003AA943
SetThreadpoolWait, xrefs: 003AA844
CloseThreadpoolTimer, xrefs: 003AA822
FlsSetValue, xrefs: 003AA789
LCMapStringEx, xrefs: 003AA9ED
GetCurrentProcessorNumber, xrefs: 003AA888
GetLocaleInfoEx, xrefs: 003AA9DC
GetFileInformationByHandleEx, xrefs: 003AA8CC
InitializeCriticalSectionEx, xrefs: 003AA79A
CloseThreadpoolWait, xrefs: 003AA855
FlsAlloc, xrefs: 003AA75B
FlsFree, xrefs: 003AA767
GetCurrentPackageId, xrefs: 003AA8AA
CreateSymbolicLinkW, xrefs: 003AA89E
FlsGetValue, xrefs: 003AA778
WakeConditionVariable, xrefs: 003AA910
kernel32.dll, xrefs: 003AA74E
InitializeConditionVariable, xrefs: 003AA8FF
CreateThreadpoolWork, xrefs: 003AA998
ReleaseSRWLockExclusive, xrefs: 003AA976
CreateEventExW, xrefs: 003AA7BC
WakeAllConditionVariable, xrefs: 003AA921
CompareStringEx, xrefs: 003AA9CB
SetFileInformationByHandle, xrefs: 003AA8DD
InitOnceExecuteOnce, xrefs: 003AA7AB
SubmitThreadpoolWork, xrefs: 003AA9A9
AcquireSRWLockExclusive, xrefs: 003AA954
CreateSemaphoreExW, xrefs: 003AA7DE

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: f98f2cd95d7963fbe7d7ac524560fb2755c4b5091af77e43e962eca930afdfde
Instruction ID: 002b5d3ec358f42d829d8654bf51b6a52524e4d8165668d2bae75fa09a0397d6
Opcode Fuzzy Hash: f98f2cd95d7963fbe7d7ac524560fb2755c4b5091af77e43e962eca930afdfde
Instruction Fuzzy Hash: 8A618B799523A0AFC7037FB8BC1DCC63EECBA0AB09B444656F601D2962D7B4B0519F58

Function 003A6B30 Relevance: 14.1, Strings: 11, Instructions: 360COMMONLIBRARYCODE

Download Yara Rule

Strings

)._>, xrefs: 003A70B1
)._>, xrefs: 003A6FE0
)._>, xrefs: 003A6C4D
*._>, xrefs: 003A6EEB
)._>, xrefs: 003A70C7
)._>, xrefs: 003A6DE0
)._>, xrefs: 003A6F44
)._>, xrefs: 003A6FF9
)._>, xrefs: 003A6CE0
*._>, xrefs: 003A6D04
)._>, xrefs: 003A700F

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: )._>$)._>$)._>$)._>$)._>$)._>$)._>$)._>$)._>$*._>$*._>
API String ID: 0-786905451
Opcode ID: 3ba5d80d3efa13556e38ee38c3e2ced9663f69711eb4146ba3c772fcffc7d810
Instruction ID: d8ed0040a2c3bb4568a14accaaf0ee503a51f350dd4b7125469fe93f44cf20b8
Opcode Fuzzy Hash: 3ba5d80d3efa13556e38ee38c3e2ced9663f69711eb4146ba3c772fcffc7d810
Instruction Fuzzy Hash: 39C16B3BF012118B8F19CA64D8E25FDB7E7EBC9360B3E812AC91197390C9765C45CB81

Function 003A4CB0 Relevance: 8.1, Strings: 6, Instructions: 581COMMONLIBRARYCODE

Download Yara Rule

Strings

vxN, xrefs: 003A5034
vxN, xrefs: 003A5043
vxN, xrefs: 003A53BD
vxN, xrefs: 003A52AA
vxN, xrefs: 003A5259
vxN, xrefs: 003A517E

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: vxN$vxN$vxN$vxN$vxN$vxN
API String ID: 0-1707094956
Opcode ID: 3f96e4f6263925bbdb861b02a91ebe8f459bde7c09f6aebfd5691c5203bc6078
Instruction ID: 61e23c81fdbb4086d0db0c443386861c99d7888968717da3ab611878f02a5451
Opcode Fuzzy Hash: 3f96e4f6263925bbdb861b02a91ebe8f459bde7c09f6aebfd5691c5203bc6078
Instruction Fuzzy Hash: 77025537B005118FDF29C97C98E07EE7BE2EB86390F368425D852DB391E669CC458B91

Function 003B2D6A Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003B2E5A

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1bb1e25898d1df9c1c3784aa9b730b7ec2d9ecd1378f60cbc2b728c52e7f3d28
Instruction ID: 908bd9492ed7a0de1d24d437580f38e157168e10754f818dfd587cb3d762f289
Opcode Fuzzy Hash: 1bb1e25898d1df9c1c3784aa9b730b7ec2d9ecd1378f60cbc2b728c52e7f3d28
Instruction Fuzzy Hash: 8071E37190515C9FDF22AF28CC99AFFB7B8AB05308F1542DAE54CE7611DA318E849F14

Function 003AAEE2 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003AAEEE
IsDebuggerPresent.KERNEL32 ref: 003AAFBA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003AAFDA
UnhandledExceptionFilter.KERNEL32(?), ref: 003AAFE4

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1ce12bdf51fe9a30602694db2b91a3928185d2e86c810d3cc2bc74146ab98b7e
Instruction ID: 2823a54181ac074d1fd1281f45b498ade62e9bfbc6ed402f054381b7d9db909f
Opcode Fuzzy Hash: 1ce12bdf51fe9a30602694db2b91a3928185d2e86c810d3cc2bc74146ab98b7e
Instruction Fuzzy Hash: 6A3125B5D052189BDB11EFA4D989BCDBBB8FF09304F1041AAE409AB250EB749A84DF45

Function 003A1000 Relevance: 5.7, Strings: 4, Instructions: 659COMMON

Download Yara Rule

Strings

{tc, xrefs: 003A1138
{tc, xrefs: 003A1738
{tc, xrefs: 003A137C
{tc, xrefs: 003A108C

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: {tc${tc${tc${tc
API String ID: 0-2617826781
Opcode ID: 0d6e3c0a18190507948e772782922fbe9860e2ddbe71389308fbe2ad94c1d688
Instruction ID: c352b99f4c0c177644e3c9d41d385a1fb792701a6531c40d75968f38b5565dc2
Opcode Fuzzy Hash: 0d6e3c0a18190507948e772782922fbe9860e2ddbe71389308fbe2ad94c1d688
Instruction Fuzzy Hash: E922783FB587914BCB188969D4C566FB6D3E7C9360F1EC52ED84AD7314EA38CC814682

Function 003AD7CC Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 003AD8C4
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003AD8CE
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 003AD8DB

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cf5bee81f1aa8af50bb68ec61f4d16c9d4f4045c48fa784ffbf9f9ba6f8de6df
Instruction ID: eeb237f24c62739064ca58ed24eec6afa3e0e72a187c5e738af1b773deb67b13
Opcode Fuzzy Hash: cf5bee81f1aa8af50bb68ec61f4d16c9d4f4045c48fa784ffbf9f9ba6f8de6df
Instruction Fuzzy Hash: 3F31B3759012189BCB22DF64D889BCDBBB8FF09310F5042EAE41CAA251EB749F818F45

Function 003A63D0 Relevance: 4.3, Strings: 3, Instructions: 507COMMONLIBRARYCODE

Download Yara Rule

Strings

vxN, xrefs: 003A68AE
vxN, xrefs: 003A69EE
vxN, xrefs: 003A68BA

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: vxN$vxN$vxN
API String ID: 0-1093492550
Opcode ID: 984b5b980a68bdcf2eb195ec59bc6557d6c8ab9b2e0a0b4ae22c7cb662540b46
Instruction ID: f56b44c99a1a36049adcac4a3eb49f93ed349473a019ff502cf3f4a53f437423
Opcode Fuzzy Hash: 984b5b980a68bdcf2eb195ec59bc6557d6c8ab9b2e0a0b4ae22c7cb662540b46
Instruction Fuzzy Hash: E102BD72A043108BCB258E2884E27AF77D6DBDA350F6F451EDDA6D7351D636CC448782

Function 003A19D0 Relevance: 4.2, Strings: 3, Instructions: 454COMMON

Download Yara Rule

Strings

H$l, xrefs: 003A1CE8
H$l, xrefs: 003A1CBD
H$l, xrefs: 003A1CCB

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: H$l$H$l$H$l
API String ID: 0-3261298715
Opcode ID: 25a31de418999fc3d5c76a5ef73437ccaec6211d72fa2396eec7efe24865f4d3
Instruction ID: c0a0a8d1909e5bea804696e5739c009f675af92d80e27d3dfc5587d367a32d08
Opcode Fuzzy Hash: 25a31de418999fc3d5c76a5ef73437ccaec6211d72fa2396eec7efe24865f4d3
Instruction Fuzzy Hash: CCF13379F011158FCF09CA68C8996EEB7F6EF96350F258529D805EB394C735DC868B80

Function 003A5EB0 Relevance: 4.1, Strings: 3, Instructions: 350COMMONLIBRARYCODE

Download Yara Rule

Strings

1Np, xrefs: 003A5F95
1Np, xrefs: 003A6056
1Np, xrefs: 003A6248

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: 1Np$1Np$1Np
API String ID: 0-1249163415
Opcode ID: 8a0824c6dcce070ea299444decbe3bb8c0a1fc24cd0a86b48092a5f9cb30fa5c
Instruction ID: d5cf5c970aa6b23a0f7bf20a59b1d039055267ae1cc7f08067f846bc3eff35af
Opcode Fuzzy Hash: 8a0824c6dcce070ea299444decbe3bb8c0a1fc24cd0a86b48092a5f9cb30fa5c
Instruction Fuzzy Hash: B4A1BC7BF98620CF4A22C4349995AEEB797E7F2320F2FC616DC019B7A8D9344D469740

Function 003A7770 Relevance: 4.1, Strings: 3, Instructions: 323COMMONLIBRARYCODE

Download Yara Rule

Strings

L.o, xrefs: 003A77E7
M.o, xrefs: 003A77F9
M.o, xrefs: 003A7921

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: L.o$M.o$M.o
API String ID: 0-3589445495
Opcode ID: 9b95102ca47ea0f3a99d6b39b773dab15cee944d183af5160929788537f5f579
Instruction ID: 66933e7ab57d43e52b41f7f436803c0dd64710550bb7ce0b56dee9d87c42b134
Opcode Fuzzy Hash: 9b95102ca47ea0f3a99d6b39b773dab15cee944d183af5160929788537f5f579
Instruction Fuzzy Hash: A6A1783B71C6024F9A1E862C8CEA2BF67CADB97314F35D91BE419C72A0D62DCD458742

Function 003A2680 Relevance: 4.0, Strings: 3, Instructions: 276COMMON

Download Yara Rule

Strings

^Go, xrefs: 003A288B
^Go, xrefs: 003A28BE
^Go, xrefs: 003A27D1

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: ^Go$^Go$^Go
API String ID: 0-3409708128
Opcode ID: 9ea80ed31a94056a74ef51ce006da34306be111fa88892b015e9d638b6db4c5d
Instruction ID: a45a927267a0a6d2f0beab8b81dca5aee8c4bd87cef0d88f181cba6082d95bce
Opcode Fuzzy Hash: 9ea80ed31a94056a74ef51ce006da34306be111fa88892b015e9d638b6db4c5d
Instruction Fuzzy Hash: B8918A3AB105104FCB1E8A3C9D956BB33D6EB6A320F25952AEC16CB7B0C729DD45C740

Function 003A7F50 Relevance: 3.3, APIs: 2, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a44028f7e3e3eaa652dca7a844c7ffb5e660ad2257dd7053811bcd5b34df9a4
Instruction ID: e59bb3fa265c7825a74d7d3f9ecafe66e7dc7355b887d4138bcc1b00444e44e0
Opcode Fuzzy Hash: 2a44028f7e3e3eaa652dca7a844c7ffb5e660ad2257dd7053811bcd5b34df9a4
Instruction Fuzzy Hash: 9F715B3B7592004FDB1AC63859EA3FABBC6C7D3314F29C829E455CB351D926C9498341

Function 003A70F0 Relevance: 3.0, Strings: 2, Instructions: 474COMMONLIBRARYCODE

Download Yara Rule

Strings

7>fz, xrefs: 003A7105
7>fz, xrefs: 003A7162

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: 7>fz$7>fz
API String ID: 0-2331933383
Opcode ID: e9c2f827d2aa911706d75cc8bd26ccbfdf419f4de3c7c12e507c5d219e633013
Instruction ID: b870454be3368f84348e3aee71b021bcdc7fb784b754dd0feb81803653ff8425
Opcode Fuzzy Hash: e9c2f827d2aa911706d75cc8bd26ccbfdf419f4de3c7c12e507c5d219e633013
Instruction Fuzzy Hash: 58D1483A71C2054B5E6D96386CE52BB37C7D7A3314F36D53ADE12CB295F9288C0A8381

Function 003A5870 Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

+*A, xrefs: 003A5903
+*A, xrefs: 003A5960

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: +*A$+*A
API String ID: 0-1047222298
Opcode ID: 98e93810894981efb97f74ade65da74a45d4019118c56b477c99832eab724b89
Instruction ID: 50174743bfde598f162d3f34ec0011ecae6069b924356784c3eed419d3a70c3d
Opcode Fuzzy Hash: 98e93810894981efb97f74ade65da74a45d4019118c56b477c99832eab724b89
Instruction Fuzzy Hash: 9F518877309A14CBE70D0A68A8E57EFB6CBD3C6351F2F412E98064B391CE7A0C498780

Function 003BA262 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003BA1BD,?,?,00000008,?,?,003B9D8F,00000000), ref: 003BA48F

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 423a9d3ea2c158a2aa2eebccb68133c17cfcae6f77b45de1c26ff1ce1c64b842
Instruction ID: 2fc58a74e0f54f32f2d8d34bad43fdc6fc3cabe8916cb1b0519529a4a55aaec1
Opcode Fuzzy Hash: 423a9d3ea2c158a2aa2eebccb68133c17cfcae6f77b45de1c26ff1ce1c64b842
Instruction Fuzzy Hash: 21B15F35110A08DFD716CF28C48ABA57BE0FF45368F268659E9D9CF6A1C335D982CB41

Function 003B2CB9 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003B1D96: HeapAlloc.KERNEL32(00000008,?,?,?,003B0674,00000001,00000364,?,00000002,000000FF,?,003AC831,003C1C08,0000000C), ref: 003B1DD7

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003B2E5A
FindNextFileW.KERNEL32(00000000,?), ref: 003B2F4E
FindClose.KERNEL32(00000000), ref: 003B2F8D
FindClose.KERNEL32(00000000), ref: 003B2FC0

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: aeb1d54c3196e74ef7471ea0c083ae7256271a3956bc6fece82f77490bc6ca7a
Instruction ID: e77564c1599be36880705b7571ca0d0620de4da339d46ab7b0f216ccec502159
Opcode Fuzzy Hash: aeb1d54c3196e74ef7471ea0c083ae7256271a3956bc6fece82f77490bc6ca7a
Instruction Fuzzy Hash: C551587590010CAFDF16AF289C95AFF77B9DF85308F14429DF919DBA01EA308D429B60

Function 003AACA0 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 003AACB6

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9c098df244d7821096c23c370e86f845bfb7c9751e0d3f8b668daf3d0a9a2629
Instruction ID: be771acb2db95eda64314113e95656d7e699478c4f0ec8782f671baffb4dbe29
Opcode Fuzzy Hash: 9c098df244d7821096c23c370e86f845bfb7c9751e0d3f8b668daf3d0a9a2629
Instruction Fuzzy Hash: A051D1B2901A158FDB16CF58D991BAEBBF8FB49311F15882AC401EB361E374AD00CF91

Function 003AAED6 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000AFFD), ref: 003AAEDB

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7308409926f99da2b70d069861f9d66851350d0eb002e03692adf65bf948cacb
Instruction ID: 1fbc9f28f0d03d7aced0f75221569ccb749556efb2ba527839776a37fc52638c
Opcode Fuzzy Hash: 7308409926f99da2b70d069861f9d66851350d0eb002e03692adf65bf948cacb
Instruction Fuzzy Hash:

Function 003B05C6 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 003B05C6

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f4ac48632381c8c06fb03c44daf4f4272c3bfa286c4b6066b80f1de380ac1d5a
Instruction ID: 39ab4a0fc99571dc2304955b1f4204490bc6e7dde1a48456d2c1b69e97426e10
Opcode Fuzzy Hash: f4ac48632381c8c06fb03c44daf4f4272c3bfa286c4b6066b80f1de380ac1d5a
Instruction Fuzzy Hash: BFA02238202200CF83028F32AF08B0C3BECBA823C0F0AC02AA000C2230EB30A800BB00

Function 003A3900 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: bb7b58f41873f8b8ca8ed974aca23fd67c709d9ae73ef0095888d68346d1c4ec
Instruction ID: c3b786170f4a685d8b824e7d90f1d02c56a482cc439fa3dc1d18648595f63a0b
Opcode Fuzzy Hash: bb7b58f41873f8b8ca8ed974aca23fd67c709d9ae73ef0095888d68346d1c4ec
Instruction Fuzzy Hash: 34126C36B052108FDB09CA2884E57EFBBD6DBD6310F69891DF849CB390D635CD498B82

Function 003A8E80 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0235fc90bbeb351dbbab5a2aa36f50e76d719b5c5a4e8e88b9bbfda0f30a28bf
Instruction ID: 8c63e2e5175480802aeafc3e5a4b9723fbab6f591954a5daaa363832a66c1d86
Opcode Fuzzy Hash: 0235fc90bbeb351dbbab5a2aa36f50e76d719b5c5a4e8e88b9bbfda0f30a28bf
Instruction Fuzzy Hash: C9C18D3A7453108BCE2D85285CE43AF73D2DBD7391F2F851BD84AEB7A1C6258D498781

Function 003A2A80 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd190f3208e94025636dba33192bf8b69b3ca64b726a0d1f7adb274054b7779
Instruction ID: f3df14c57724852d93a3de2e43f399fba6cea62a10172b7919bbcc0789e12087
Opcode Fuzzy Hash: ddd190f3208e94025636dba33192bf8b69b3ca64b726a0d1f7adb274054b7779
Instruction Fuzzy Hash: CE9129726083008B8B268E5D44E426FB7E6DBD6310F7F8C1EE4455B725C636CC46AB63

Function 003A54F0 Relevance: .2, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067a3d0d6be627b9d514b393094cc6b1ce4dde63318a3e0f0a0c8eb9bdd7bd92
Instruction ID: 7a8d4415a65a943ea0961f1d5ff033ecb302069c853309693ea151b50e6d2928
Opcode Fuzzy Hash: 067a3d0d6be627b9d514b393094cc6b1ce4dde63318a3e0f0a0c8eb9bdd7bd92
Instruction Fuzzy Hash: 77718E257187008BCA2A8A3485E56BF77C7CFD7354F79D42EE88AC7A61D635CC498B02

Function 003A5B40 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629ee122ddbae890712c2540ae6372c74d7253facc6c088cf20c56a80e91cf48
Instruction ID: ce0df4b63a2053c673c23d4d776333cfe68a66a70669325a095d00e6f94032ad
Opcode Fuzzy Hash: 629ee122ddbae890712c2540ae6372c74d7253facc6c088cf20c56a80e91cf48
Instruction Fuzzy Hash: 5E719E367057014FCF199A2CC8D45AFB7D6EB52360F69982AE851CB361D638CC498B93

Function 003A2F10 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a2b5d5bd71c4730ed96fc13e48f98ea8bc475df0a9062a061f36b8b3a35d13
Instruction ID: a8dddd070e3edff9f6d02e28dcd0633982975e6e03dfa62a666a37802fcbb979
Opcode Fuzzy Hash: 24a2b5d5bd71c4730ed96fc13e48f98ea8bc475df0a9062a061f36b8b3a35d13
Instruction Fuzzy Hash: 52616A3BB111205BDB0D852898F27FEB797DBCB750B29812EDC1797694CA3B1D058781

Function 003A9910 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af32fa27dad53b65365fbc8cf3736d7ac8a0e3a2417614ae9ade1a2a413db22b
Instruction ID: 3f24143256889961e80b0bf6e14eee35dbb334828bc9a0aaa8fb559c39f035de
Opcode Fuzzy Hash: af32fa27dad53b65365fbc8cf3736d7ac8a0e3a2417614ae9ade1a2a413db22b
Instruction Fuzzy Hash: 726177377151104FA709C9299CA63FF37CBDBD2355F2AD42AE446CB6A4DA29C80AC740

Function 003A9600 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a0a7aa7986cf74906728acec369e60d8a367b443e54379726f69956bcfc3b1
Instruction ID: cdc3c279451333726881d6811acf8023368aa244c99f25bfd70ce9b1351d05bd
Opcode Fuzzy Hash: 61a0a7aa7986cf74906728acec369e60d8a367b443e54379726f69956bcfc3b1
Instruction Fuzzy Hash: 21617A7B3556040B9A099A359CE57BF77D7DBD2360F1EC12AD91A0BAA0E936480AC240

Function 003AF71A Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 003AF839
___TypeMatch.LIBVCRUNTIME ref: 003AF947
CatchIt.LIBVCRUNTIME ref: 003AF998
_UnwindNestedFrames.LIBCMT ref: 003AFA99
CallUnexpected.LIBVCRUNTIME ref: 003AFAB4

Strings

csm, xrefs: 003AF757
csm, xrefs: 003AF7C4
csm, xrefs: 003AF870

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 14dcc128d191100ad6e646310eecaffd7e889d2a5733f3ed86f3c846528022c0
Instruction ID: e90c4ffc183a251b2e193e9fefe23b9d5c022a813978e961f4a9bec3e7972136
Opcode Fuzzy Hash: 14dcc128d191100ad6e646310eecaffd7e889d2a5733f3ed86f3c846528022c0
Instruction Fuzzy Hash: F3B14A71800209EFCF2AEFE4D8819AEB7B9FF1A310F15416AE8156B212D735DA51CF91

Function 003A82E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 126COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003A82F2

Strings

\a=, xrefs: 003A8366
~\Ya, xrefs: 003A8372
\a=, xrefs: 003A8304
~\Ya, xrefs: 003A83F5
~\Ya, xrefs: 003A835B

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: ~\Ya$~\Ya$~\Ya$\a=$\a=
API String ID: 4194217158-2811050778
Opcode ID: ad8045904f14d6202ea3f3b2784ae72f79549a10b058e9c4f2eeb80343506969
Instruction ID: 2d32becf84185ff0952b9da6f2fd4c280ac33dafffb9205b157f61678704206f
Opcode Fuzzy Hash: ad8045904f14d6202ea3f3b2784ae72f79549a10b058e9c4f2eeb80343506969
Instruction Fuzzy Hash: 3F319D7F600605CB9E1E4A3C6DF52AF77C5EF66711B2A4D37D515CB180EA21CC4A8782

Function 003ABB80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003ABBB7
___except_validate_context_record.LIBVCRUNTIME ref: 003ABBBF
_ValidateLocalCookies.LIBCMT ref: 003ABC48
__IsNonwritableInCurrentImage.LIBCMT ref: 003ABC73
_ValidateLocalCookies.LIBCMT ref: 003ABCC8

Strings

csm, xrefs: 003ABC5D

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a14f1a264e332a834035de1c639a35508037cb87504bdecfda2ea1268019ea96
Instruction ID: ad15a05255062e244fcec0b55791367d3c54daf773f8d1c74113f6b579e948e8
Opcode Fuzzy Hash: a14f1a264e332a834035de1c639a35508037cb87504bdecfda2ea1268019ea96
Instruction Fuzzy Hash: 6D41B534A00208AFCF16EF68C845E9EFBA9FF06324F148155E915AB353DB31DA11CB91

Function 003B838B Relevance: 9.2, APIs: 6, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00270550,00270550,00000000,7FFFFFFF,?,003B8376,00270550,00270550,00000000,00270550,?,?,?,?,00270550,00000000), ref: 003B8431
__freea.LIBCMT ref: 003B85C6
__freea.LIBCMT ref: 003B85CC
__freea.LIBCMT ref: 003B8602
__freea.LIBCMT ref: 003B8608
__freea.LIBCMT ref: 003B8618

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 0ceb19ea42538a4b8490c6946a5fb85e2de926f0dedadead4c829ad0b65276fb
Instruction ID: f06b1c3ba3338b7b223407d061d45b4210f0936f02068675d043fe1102809c9d
Opcode Fuzzy Hash: 0ceb19ea42538a4b8490c6946a5fb85e2de926f0dedadead4c829ad0b65276fb
Instruction Fuzzy Hash: BD71B372A0020AAADF239F548C42FEF77AD9F45318F160155EB45ABA42EF75DC01C760

Function 003AEE93 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003AEE8A,003AB95D,003AB041), ref: 003AEEA1
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003AEEAF
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003AEEC8
SetLastError.KERNEL32(00000000,003AEE8A,003AB95D,003AB041), ref: 003AEF1A

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5d0956da1b612fc5d39b6c2d6453906e3929ebeecdff6c08fb0c971170b8e81e
Instruction ID: 0c6484403986e18369648ab9db4f6ca6b163a105e05acf06c1f7b0cd4f4f0b96
Opcode Fuzzy Hash: 5d0956da1b612fc5d39b6c2d6453906e3929ebeecdff6c08fb0c971170b8e81e
Instruction Fuzzy Hash: DF01F73A2097116EA7272BB47CC5EAB3B9CEB03779B210329F6108A5F1FF119C109690

Function 003B30E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 003B30FF

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-517116171
Opcode ID: ce0fe7ae97002f8d1248f9527746ce5521deddbdb974c87bd8882dba064e0fb1
Instruction ID: 48767d1808b01f44def465f8b0ae0ccf46db1acd3805a9fea53f45f408a8fded
Opcode Fuzzy Hash: ce0fe7ae97002f8d1248f9527746ce5521deddbdb974c87bd8882dba064e0fb1
Instruction Fuzzy Hash: 6621D171604229AFDB22BF69CC809EBB7ADAF0432D7414528FA25CBD11D730FE008760

Function 003AC960 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,7EAEDD2A,?,?,00000000,003BA898,000000FF,?,003ACA21,00000002,?,003ACABD,003ADE85), ref: 003AC995
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003AC9A7
FreeLibrary.KERNEL32(00000000,?,?,00000000,003BA898,000000FF,?,003ACA21,00000002,?,003ACABD,003ADE85), ref: 003AC9C9

Strings

mscoree.dll, xrefs: 003AC98E
CorExitProcess, xrefs: 003AC99F

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cdedc64ade9b3425fb1dc7da3c47fda0cef7f5e21aab8f660635a24338a50b1d
Instruction ID: 06c7efc5e3f389f3b0a573f092d79441ddc1ee855aad0e427a0426641a80fab7
Opcode Fuzzy Hash: cdedc64ade9b3425fb1dc7da3c47fda0cef7f5e21aab8f660635a24338a50b1d
Instruction Fuzzy Hash: B801A236914625AFCB138B50CC09FEEBBBCFB06B14F004529E811E2690DB74A900CB80

Function 003AFB3F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,003AFA45,?,?,00000000,00000000,00000000,?), ref: 003AFB64
CatchIt.LIBVCRUNTIME ref: 003AFC4A

Strings

MOC, xrefs: 003AFB76
RCC, xrefs: 003AFB7E

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 3f13e16aa179eb94ffd5b068f54f39b35d1799278454a2a3d465b0ea076fe6ae
Instruction ID: 27d70a524cfc03c32fe209ea526cd01f7df0262d419d6528aeb55147ad0d5a91
Opcode Fuzzy Hash: 3f13e16aa179eb94ffd5b068f54f39b35d1799278454a2a3d465b0ea076fe6ae
Instruction Fuzzy Hash: C2416772900209AFCF16DF98CD81EEEBBB5FF4A314F198169F905AB221D3359950DB50

Function 003AA369 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003AA375
__Mtx_unlock.LIBCPMT ref: 003AA3B4
__Cnd_broadcast.LIBCPMT ref: 003AA3BC

Strings

8C<, xrefs: 003AA370

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Cnd_broadcastCurrentMtx_unlockThread
String ID: 8C<
API String ID: 2021000804-553782651
Opcode ID: e18fdac4b0105022bbc62bd2ec3824afdabdfe92615a3978c493b0ffae5cc844
Instruction ID: 0e20e2ff773730ba99e2b7d881a86bc6b79963a19163447130224ac2af29d90a
Opcode Fuzzy Hash: e18fdac4b0105022bbc62bd2ec3824afdabdfe92615a3978c493b0ffae5cc844
Instruction Fuzzy Hash: E701F13B600F02DFDF239BA5C45079AB3A5EF02311F46092DE8869B280D7B0AC10CB92

Function 003B5721 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,003B57BD,00000000,?,003C4D00,?,?,?,003B56F4,00000004,InitializeCriticalSectionEx,003BC714,003BC71C), ref: 003B572E
GetLastError.KERNEL32(?,003B57BD,00000000,?,003C4D00,?,?,?,003B56F4,00000004,InitializeCriticalSectionEx,003BC714,003BC71C,00000000,?,003AFD6C), ref: 003B5738
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 003B5760

Strings

api-ms-, xrefs: 003B5745

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e0f716d28df304308ee5a98432e30f154c75d73a4a71dd1f3e5c0c37373686fb
Instruction ID: 385995511e411e6a8730a00b3fc39903d344ef12ed03da00a36440acb55a2853
Opcode Fuzzy Hash: e0f716d28df304308ee5a98432e30f154c75d73a4a71dd1f3e5c0c37373686fb
Instruction Fuzzy Hash: DBE01231780244F7EB122B60ED06F993A99AB11B49F144020FA0CE88A2DBA6E9109644

Function 003B61F7 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(7EAEDD2A,00000000,00000000,?), ref: 003B625A

Part of subcall function 003B36C0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,003B5BE8,?,00000000,-00000008), ref: 003B3721

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003B64AC
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 003B64F2
GetLastError.KERNEL32 ref: 003B6595

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: efacc886b612fdd416f15e107eed54afb2a7e97c026857f91c1af623269e3ac2
Instruction ID: 8a277544f066ab1cd80adc4842b84e5c1011d85459bd5c5f86b01f2191ce30ae
Opcode Fuzzy Hash: efacc886b612fdd416f15e107eed54afb2a7e97c026857f91c1af623269e3ac2
Instruction Fuzzy Hash: 37D1AEB5D006489FCF16CFA8C8819EDBBB8FF09318F18452AE526EB752D734A951CB50

Function 003AF543 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 003AF60A
___AdjustPointer.LIBCMT ref: 003AF62D
___AdjustPointer.LIBCMT ref: 003AF6C9

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 222c4922fc33d5dcbd2ca09ee33975c2d3eee8e4e4a2447418e587c32618fe64
Instruction ID: 6f91fd85f498c9880e09f3da10c0fd53604656d1a3fe33d32d758b63fe7fba6a
Opcode Fuzzy Hash: 222c4922fc33d5dcbd2ca09ee33975c2d3eee8e4e4a2447418e587c32618fe64
Instruction Fuzzy Hash: E951DE72A01606AFDB2B9F90D941BBAB3A4EF03710F15413DE8059B2B1E735EC40DB90

Function 003B2B47 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 003B36C0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,003B5BE8,?,00000000,-00000008), ref: 003B3721

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,003B2EED,?,?,?,00000000), ref: 003B2BAB
__dosmaperr.LIBCMT ref: 003B2BB2
GetLastError.KERNEL32(00000000,003B2EED,?,?,00000000,?,?,?,00000000,00000000,?,003B2EED,?,?,?,00000000), ref: 003B2BEC
__dosmaperr.LIBCMT ref: 003B2BF3

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6f92817fac4f4fa151f4fbd984750c029b0b61e1dd30e92c848dc67477e05ca9
Instruction ID: bc929b5a1223448e07b095fd48b2c8e360d4c3ebe60bc7dde3b79d14328b004d
Opcode Fuzzy Hash: 6f92817fac4f4fa151f4fbd984750c029b0b61e1dd30e92c848dc67477e05ca9
Instruction Fuzzy Hash: F821A171600215AF9B22AF6198819EBBBACFF0436C7518619FA159BD11EB31EC0087A0

Function 003B37BC Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003B37C4

Part of subcall function 003B36C0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,003B5BE8,?,00000000,-00000008), ref: 003B3721

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003B37FC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003B381C

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 62a3f45d873e9a4c39292aa79fb26b09648639df72b76d22dc3fe35e220838d4
Instruction ID: 52a3a578d507eacd8dc5b468f836c3fd7943d0636eb80732d605b9a62a52cc80
Opcode Fuzzy Hash: 62a3f45d873e9a4c39292aa79fb26b09648639df72b76d22dc3fe35e220838d4
Instruction Fuzzy Hash: 111126F5900229BFA72327B15C8DCFF2A5CCE853AD7110025FB01D5902EA20DF0482B2

Function 003B8A90 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000), ref: 003B8AA7
GetLastError.KERNEL32(?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000,?,?,?,003B5F2F,00000000), ref: 003B8AB3

Part of subcall function 003B8B04: CloseHandle.KERNEL32(FFFFFFFE,003B8AC3,?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000,?,?), ref: 003B8B14

___initconout.LIBCMT ref: 003B8AC3

Part of subcall function 003B8AE5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,003B8A81,003B831E,?,?,003B65E9,?,00000000,00000000,?), ref: 003B8AF8

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000,?), ref: 003B8AD8

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0a1ed983d7cb47cf05e68bed2981f4f7dbf54bf251ca5b852149429797625675
Instruction ID: 7dce5a1d115410e8847c863df314e4b9bf347d4f43a291e44cf59060fb7f56dc
Opcode Fuzzy Hash: 0a1ed983d7cb47cf05e68bed2981f4f7dbf54bf251ca5b852149429797625675
Instruction Fuzzy Hash: 38F01C36400158BBCF232FA2DC08DCA3F6AFF093A5F114414FA09D5921CA729920EB90

Function 003AF3B3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 003AF3BC

Strings

csm, xrefs: 003AF44F
csm, xrefs: 003AF3DE

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 643ea4e8ec1e0df71fb3a56e378134e4906b46b5809f9296df6b74d030adc28b
Instruction ID: eb6bd1248499873b435cff12ca311df82f973820f6702b84a1d8489f5a3bfe52
Opcode Fuzzy Hash: 643ea4e8ec1e0df71fb3a56e378134e4906b46b5809f9296df6b74d030adc28b
Instruction Fuzzy Hash: F631D3325002149FCF279FE6C8419AB7B66FF4E325B19867AFD444A121C336CC62DB91

Function 003B009B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(003C4D20), ref: 003B00B8

Strings

M<, xrefs: 003B00A7
xM<, xrefs: 003B00C4

Memory Dump Source

Source File: 00000000.00000002.2015751467.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.2015739396.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015767545.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015780142.00000000003C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015831435.00000000003C4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015953790.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2016073307.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: M<$xM<
API String ID: 3664257935-2597119641
Opcode ID: 60b9c0b95b931abf3d2b31a30d36cd30b9b85bbd58d93ed5c6610495f42da926
Instruction ID: 892066db1857b7ab4c803c6a4808681f0674dd8ca8ef230d2b36e92f51deabfa
Opcode Fuzzy Hash: 60b9c0b95b931abf3d2b31a30d36cd30b9b85bbd58d93ed5c6610495f42da926
Instruction Fuzzy Hash: CAE08636C116189BDB373E08D408BD276D85B5133AF17052AD5DD525A192B11CD1C781

Analysis Process: file.exePID: 2172, Parent PID: 1472COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.8%
Total number of Nodes:	382
Total number of Limit Nodes:	8

Executed Functions

Function 00404C2D Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 208
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

KiUserCallbackDispatcher.NTDLL(0000004C), ref: 00404C9E
GetSystemMetrics.USER32(0000004D), ref: 00404CA5
GetDC.USER32(00000000), ref: 00404CE0
GetCurrentObject.GDI32(00000000,00000007), ref: 00404CF3
GetObjectW.GDI32(00000000,00000018,?), ref: 00404D0C
DeleteObject.GDI32(00000000), ref: 00404D3E
CreateCompatibleDC.GDI32(00000000), ref: 00404D9F
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00404DC0
SelectObject.GDI32(00000000,00000000), ref: 00404DD2
BitBlt.GDI32(00000000,00000000,00000000,?,004024F5,00000000,?,?,00CC0020), ref: 00404DF7

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

Part of subcall function 00403E03: EnterCriticalSection.KERNEL32(004084D4,?,0000011C), ref: 00403E15

Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1

DeleteObject.GDI32(00000000), ref: 00404E95
DeleteDC.GDI32(00000000), ref: 00404E9C
ReleaseDC.USER32(00000000,00000000), ref: 00404EA5

Strings

6, xrefs: 00404D84
U, xrefs: 00404C5E
(, xrefs: 00404D78
- ScreenSize: {lWidth=%d, lHeight=%d}, xrefs: 00404D28
gdi3, xrefs: 00404C49
2, xrefs: 00404C55
er32, xrefs: 00404C65

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
API String ID: 1387450592-1028866296
Opcode ID: 54111a4b7bc319f5745368608b5675afeea82435c2ec2d0b094c19900ce30ce6
Instruction ID: 6b3ee7ab4da137d1a309b5a9f787d899f0e5564c39ac921fb92ff6ff8e554c30
Opcode Fuzzy Hash: 54111a4b7bc319f5745368608b5675afeea82435c2ec2d0b094c19900ce30ce6
Instruction Fuzzy Hash: 4B718075D00208ABDB20DFA5DD45BEEBB79AF44700F10446AE605B72D1DB785A04CBA9

Function 00401000 Relevance: 21.7, APIs: 4, Strings: 8, Instructions: 700
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?), ref: 004013D1

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00E6AE78,00401035,00E6AE78,?), ref: 00404109

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

FindFirstFileW.KERNELBASE(00000000,?,00E6AE78,?), ref: 00401161

Part of subcall function 00403F87: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403FE8
Part of subcall function 00403F87: FindNextFileW.KERNEL32(0040179D,?), ref: 00404089

EnterCriticalSection.KERNEL32(004084D4), ref: 004016F5
LeaveCriticalSection.KERNEL32(004084D4), ref: 0040170E

Strings

Discord/, xrefs: 004013AF
7a?=, xrefs: 00401364
%s%s, xrefs: 0040150B, 00401854, 004019EA, 00401A4F
7a?=, xrefs: 00401730
$Lr, xrefs: 00401281
%s\*, xrefs: 0040112A
%s\%s, xrefs: 004011A2
Telegram, xrefs: 004016FB

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$7a?=$Discord/$Telegram
API String ID: 1893179121-60960798
Opcode ID: cc32662204eef177c1bb24944cceb37b970cd3f52aad9942ed642ea1a6b4ea2d
Instruction ID: e0fe4e299a14adff3431ec18ef39797f5155a140b4338a3cd7c1f3b0b96d06eb
Opcode Fuzzy Hash: cc32662204eef177c1bb24944cceb37b970cd3f52aad9942ed642ea1a6b4ea2d
Instruction Fuzzy Hash: A0323A71E102146ADB249BA58C91BFE73B89F80304F14417FE845B72E1EB7C8E858B9D

Function 004020E1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

GetCurrentHwProfileA.ADVAPI32(?), ref: 00402198
GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 004021BF
GlobalMemoryStatusEx.KERNELBASE(?), ref: 004021F3
EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 00402275

Strings

- VideoAdapter #%d: %s, xrefs: 00402241
- RAM: %d GB, xrefs: 0040220A
- HWID: %s, xrefs: 004021AC
- CPU: %s (%d cores), xrefs: 004021D1
@, xrefs: 004021EA

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
API String ID: 330852582-565344305
Opcode ID: 1289e8cf0d5fbe5f3f0ef4059f282c48e11b380c65581eb552a4a88b93ed5c2e
Instruction ID: 22e8c097fdb53a750db3d38699cd98a3431052edcfded2005e7f0d2a9ec9707d
Opcode Fuzzy Hash: 1289e8cf0d5fbe5f3f0ef4059f282c48e11b380c65581eb552a4a88b93ed5c2e
Instruction Fuzzy Hash: 6141A6719083019BD720DF24CD85FABBBE8EB84714F10493EF945AB2C1E774994587AA

Function 00404EB2 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,004084D4,?), ref: 00404F58
EnterCriticalSection.KERNEL32(004084D4), ref: 00405014

Part of subcall function 00404EB2: LeaveCriticalSection.KERNEL32(004084D4), ref: 00405031

FindNextFileW.KERNELBASE(?,?), ref: 00405200

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00E6AE78,00401035,00E6AE78,?), ref: 00404109

Strings

%s\*, xrefs: 00404F42
%s\%s, xrefs: 00404F72
Telegram, xrefs: 0040501A

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
String ID: %s\%s$%s\*$Telegram
API String ID: 648860119-4994844
Opcode ID: d84d8187fe1ade631e357449a07b88c685cf14ca7df123eb18c2c8c5d20aa8b4
Instruction ID: ecd5ca78d3e23e3f5ec3a68d4d3fe809ace172ce08446f2cd26366b6c0f1c70a
Opcode Fuzzy Hash: d84d8187fe1ade631e357449a07b88c685cf14ca7df123eb18c2c8c5d20aa8b4
Instruction Fuzzy Hash: D9A18021E14308A9EF10DBA0AD06BBE7775EF44710F20546FE904BB2E1EBB50E85875E

Function 00401DC9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?), ref: 00401E10

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

FindNextFileW.KERNELBASE(00000000,?), ref: 00401F94

Strings

%s%s, xrefs: 00401F4E
%s\*, xrefs: 00401DF7
%s\%s, xrefs: 00401E9B

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 3555643018-2064654797
Opcode ID: 5cebb7284f378f55fcd4df65f13594aa010d6026b77e4466925d64efd1a65d52
Instruction ID: 14e95c991f87aca2b944788a29030c3de2d12e3058c1dcaec3f91741412fe5a3
Opcode Fuzzy Hash: 5cebb7284f378f55fcd4df65f13594aa010d6026b77e4466925d64efd1a65d52
Instruction Fuzzy Hash: C641B0706182025BC714EF24D955A2F77E8AF84704F10493FF885A72F2EB39EA44879E

Function 00401D21 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00401D80
CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 00401DB6

Strings

CRYPT32.dll, xrefs: 00401D4F
Poverty is the parent of crime., xrefs: 00401D9F

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
String ID: CRYPT32.dll$Poverty is the parent of crime.
API String ID: 3642467563-1885057629
Opcode ID: 0bfa8139f65bd25693e68981f44dce0d28659087e85b2fcfac568366f43bb735
Instruction ID: c7f84ecd61725d2c0d2cc539ea739b2fab333b7ee9f2c38f0174a54d3eab5c97
Opcode Fuzzy Hash: 0bfa8139f65bd25693e68981f44dce0d28659087e85b2fcfac568366f43bb735
Instruction Fuzzy Hash: 9911F7B5D0020DABDB10DF95C8819EFBBBCEF48314F10456AE945B3280E774AE09CAA4

Function 00402282 Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 304
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004084D4,00000DA3), ref: 00402297
CreateMutexA.KERNELBASE(00000000,00000000,085f229d-d27d-4fc1-9dc1-8958125ccbd9), ref: 004022AF
GetLastError.KERNEL32 ref: 004022C2

Strings

kernel32, xrefs: 00402439
Chrome, xrefs: 004025F3
@, xrefs: 004025DE
- UserAgent: %s, xrefs: 004025B3
$, xrefs: 004025FD
085f229d-d27d-4fc1-9dc1-8958125ccbd9, xrefs: 004022A6, 00402612
shell32, xrefs: 004023E5
$d.log, xrefs: 00402678
- OperationSystem: %d:%d:%d, xrefs: 0040232A

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$085f229d-d27d-4fc1-9dc1-8958125ccbd9$@$Chrome$kernel32$shell32
API String ID: 2005177960-2910755732
Opcode ID: 7d85174eba821bd26a3f3c474d69b94223cfdb22e9e683f010e87f1aa16b2777
Instruction ID: db5b455704c763b654c06a6b3c78ab43ebdd973590fbbde67410529c29875780
Opcode Fuzzy Hash: 7d85174eba821bd26a3f3c474d69b94223cfdb22e9e683f010e87f1aa16b2777
Instruction Fuzzy Hash: 36C11630904245AEEB10EFA0DE4ABAE7F75AF14705F00447EE141BA2E2DFB91A44CB5D

Function 004044F7 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00E6AE78,00401035,00E6AE78,?), ref: 00404109

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

EnterCriticalSection.KERNEL32(004084D4), ref: 00404580
LeaveCriticalSection.KERNEL32(004084D4), ref: 004045CC
EnterCriticalSection.KERNEL32(004084D4), ref: 0040464F
LeaveCriticalSection.KERNEL32(004084D4), ref: 00404688
EnterCriticalSection.KERNEL32(004084D4), ref: 004046C5
LeaveCriticalSection.KERNEL32(004084D4), ref: 00404708
EnterCriticalSection.KERNEL32(004084D4), ref: 00404721
LeaveCriticalSection.KERNEL32(004084D4), ref: 0040474A

Part of subcall function 00404377: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390
Part of subcall function 00404377: GetProcAddress.KERNEL32(00000000), ref: 00404399
Part of subcall function 00404377: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA
Part of subcall function 00404377: GetProcAddress.KERNEL32(00000000), ref: 004043AD
Part of subcall function 00404377: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F
Part of subcall function 00404377: GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B
Part of subcall function 00404377: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A
Part of subcall function 00404377: CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A

Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1

Strings

\Network\Cookies, xrefs: 004045EC
@, xrefs: 00404566
\??\%s, xrefs: 0040452F

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
String ID: @$\??\%s$\Network\Cookies
API String ID: 330363434-2791195959
Opcode ID: 3aceadb322b04b0cd88ffec1cbc000090e3a08d248677b6e52905a850177b162
Instruction ID: 30b89a0c7dd792c6c55c89bb752360b8731b4be3a9f183659006c232308b4c97
Opcode Fuzzy Hash: 3aceadb322b04b0cd88ffec1cbc000090e3a08d248677b6e52905a850177b162
Instruction Fuzzy Hash: 0C719F70940209BFDB04DF90CD4ABAD7BB5FB44305F10803AFA41BA2E1EBB95A45CB59

Function 004053F8 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 139
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

socket.WS2_32(?,00000001,00000000), ref: 0040550F
connect.WS2_32(000000FF,?,00000010), ref: 0040554E
send.WS2_32(000000FF,00000000,00000000), ref: 00405570
send.WS2_32(000000FF,000000FF,106,00000000), ref: 0040558C
closesocket.WS2_32(000000FF), ref: 004055BC

Strings

185.244.212.106, xrefs: 00405523
106, xrefs: 0040557B, 0040557F
ws2_32.dll, xrefs: 00405473

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: send$HandleLibraryLoadModuleclosesocketconnectsocket
String ID: 106$185.244.212.106$ws2_32.dll
API String ID: 2279181061-2093737415
Opcode ID: 1717f7b469886dd0248fd88ee7bed06fc9c62e98bc7b207c854f528114d91968
Instruction ID: 1ba8255f1e8dd8081fefad2875cd7e7399d758cce23e8b083b3bca88080a13bc
Opcode Fuzzy Hash: 1717f7b469886dd0248fd88ee7bed06fc9c62e98bc7b207c854f528114d91968
Instruction Fuzzy Hash: C851C530C44288EDEF018BE4D8097EEBFB99F15314F14459AE660BE2D1C7B9474ACB65

Function 004048D6 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 231
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,00402351), ref: 004048F7

Part of subcall function 0040475F: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
Part of subcall function 0040475F: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

GetCurrentProcess.KERNEL32(Q#@), ref: 0040496B
IsWow64Process.KERNEL32(00000000), ref: 00404972

Strings

ntdllQ#@, xrefs: 00404985
l, xrefs: 00404917
Q#@, xrefs: 00404964, 0040497A, 0040496A
ntdl, xrefs: 00404914

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
String ID: Q#@$l$ntdl$ntdllQ#@
API String ID: 1207166019-1218684799
Opcode ID: bcc7277f0982174f50dd03a4f8c9cdb8aac042102541d2e3cf7aa096f817556f
Instruction ID: 3ee230e69bd7094b3339c115938649c60d03c5872765df0b6732839f5e82a11c
Opcode Fuzzy Hash: bcc7277f0982174f50dd03a4f8c9cdb8aac042102541d2e3cf7aa096f817556f
Instruction Fuzzy Hash: C881E5B061820196EB649B50EF5577A33A8FB91710F20053FE345BB3E1EBB88D80874E

Function 00401FBA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0040201D
GetKeyboardLayoutList.USER32(00000032,?), ref: 0040207F

Strings

- KeyboardLayouts: ( , xrefs: 00402068
), xrefs: 004020CF
{%d} , xrefs: 004020B2
- SystemLayout %d, xrefs: 00402059

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: DefaultKeyboardLanguageLayoutListUser
String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
API String ID: 167087913-619012376
Opcode ID: 098336f7847c56de198dceea2ad9df411a430e70487c194ec4b5a45776de32d6
Instruction ID: 10b5000f3d20341b48b4ae383d5168f65d0d8f996377bdde78befb18ad8f4928
Opcode Fuzzy Hash: 098336f7847c56de198dceea2ad9df411a430e70487c194ec4b5a45776de32d6
Instruction Fuzzy Hash: 0931BE60D08298A9DB009FE494067BDBB70EF14306F1054ABF648F72C2D27E4B49D76E

Function 00403595 Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID:
API String ID: 1367039788-0
Opcode ID: d8cb59fa451f531bb7d9703be9d6d3f1f0789b70689b423d9663a2cdfd0a23a5
Instruction ID: 3223c967265719e8531dc247f72f9ba3551b462deb81e419d276c47ad9b9309f
Opcode Fuzzy Hash: d8cb59fa451f531bb7d9703be9d6d3f1f0789b70689b423d9663a2cdfd0a23a5
Instruction Fuzzy Hash: 81D0A733E0812067CB5027F9BE0C99BBF6CEF86661705027AF645E3160CAB85C0587AA

Function 0040475F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,0040489D), ref: 00404771
LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,0040489D), ref: 0040477E

Strings

ntdl, xrefs: 0040476C, 0040477D

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: ntdl
API String ID: 4133054770-3973061744
Opcode ID: 153b30b252ebdc061fc8619bae493407424138c2e36891cb89667ed67eb505d5
Instruction ID: 11ff4d8a77b90bf3d421a1100ca7fc1e5220f65cc3b3dee9f6ee43e9c25cea99
Opcode Fuzzy Hash: 153b30b252ebdc061fc8619bae493407424138c2e36891cb89667ed67eb505d5
Instruction Fuzzy Hash: B131127AE00215DBCB54EFA9C480ABEB7B0FF89704F04466AC551B3381C738A951CBA4

Function 004035C3 Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
RtlFreeHeap.NTDLL(00000000), ref: 004035D1

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a5c4a5c9563baa38c9ba5d526c864f3f6d83196204a18c55b87fe91dca070a4b
Instruction ID: 873122bf131184cd6aa06baef865d0714c6afb91f4c12db888e56dda872d8f6a
Opcode Fuzzy Hash: a5c4a5c9563baa38c9ba5d526c864f3f6d83196204a18c55b87fe91dca070a4b
Instruction Fuzzy Hash: B6B092B0A491006AEE182BA09E0DB3B3A18AB04303F0002A8B302B14A0CA786500862A

Function 00404108 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00E6AE78,00401035,00E6AE78,?), ref: 00404109

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d097877ed9740e91f650fee32fe24c2afa502c42455f07a4a2dfcf8c61e2aed8
Instruction ID: c139d24a98a97a360684cfbb393a546f3f92256ca7c1166e296c0db0bb017a51
Opcode Fuzzy Hash: d097877ed9740e91f650fee32fe24c2afa502c42455f07a4a2dfcf8c61e2aed8
Instruction Fuzzy Hash: 1DA022380302008BCA2C03300FAA00E30000E0A2F03220BACB033F80E0EA38C2800002

Non-executed Functions

Function 00403F87 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404108: GetFileAttributesW.KERNELBASE(00E6AE78,00401035,00E6AE78,?), ref: 00404109

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00403FE8
FindNextFileW.KERNEL32(0040179D,?), ref: 00404089

Strings

%s%s, xrefs: 004040D2
%s\*, xrefs: 00403FD2
%s\%s, xrefs: 00404022

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
String ID: %s%s$%s\%s$%s\*
API String ID: 674214967-2064654797
Opcode ID: 851fe2d0db6313b3b97ce49e1a9b884d2538fd0dfee7c13a5dcc67b2ec672ff6
Instruction ID: 3b86eeb09e9c0eadff58ad7c69213eb5ca1285151f1c464e5ebf84cdc8497cf1
Opcode Fuzzy Hash: 851fe2d0db6313b3b97ce49e1a9b884d2538fd0dfee7c13a5dcc67b2ec672ff6
Instruction Fuzzy Hash: 2831F3B1E0021967DB21AF618C45ABE7BA99F80304F0441BEFE05B73D1EB3D8F458699

Function 00404145 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00404198
FindNextFileW.KERNEL32(000000FF,?), ref: 004041E4

Part of subcall function 004035C3: GetProcessHeap.KERNEL32(00000000,00000000,004026DC), ref: 004035CA
Part of subcall function 004035C3: RtlFreeHeap.NTDLL(00000000), ref: 004035D1

Strings

%s\*, xrefs: 00404182
%s\%s, xrefs: 004041F8

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileFindHeap$FirstFreeNextProcess
String ID: %s\%s$%s\*
API String ID: 1689202581-2848263008
Opcode ID: 03ec7cdd6b1c53106126d1c61fe10d4903e8003fb5869c5929cfc5ffc06257b0
Instruction ID: 0ae009433c7d8e74f2399d383574e25c26017cf842a18982b61cce91de727895
Opcode Fuzzy Hash: 03ec7cdd6b1c53106126d1c61fe10d4903e8003fb5869c5929cfc5ffc06257b0
Instruction Fuzzy Hash: C931A8B0B00214ABCB20AF65CC8566E7BADEF85745F1044BEB905A73C1DB7C9E418B99

Function 003B2D6A Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003B2E5A

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: eeab62e2c1f5af416a2e286717bc1cb6ce684408ac4bf3ed9efc959d6024c4bc
Instruction ID: 908bd9492ed7a0de1d24d437580f38e157168e10754f818dfd587cb3d762f289
Opcode Fuzzy Hash: eeab62e2c1f5af416a2e286717bc1cb6ce684408ac4bf3ed9efc959d6024c4bc
Instruction Fuzzy Hash: 8071E37190515C9FDF22AF28CC99AFFB7B8AB05308F1542DAE54CE7611DA318E849F14

Function 003AAEE2 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003AAEEE
IsDebuggerPresent.KERNEL32 ref: 003AAFBA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003AAFDA
UnhandledExceptionFilter.KERNEL32(?), ref: 003AAFE4

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1ce12bdf51fe9a30602694db2b91a3928185d2e86c810d3cc2bc74146ab98b7e
Instruction ID: 2823a54181ac074d1fd1281f45b498ade62e9bfbc6ed402f054381b7d9db909f
Opcode Fuzzy Hash: 1ce12bdf51fe9a30602694db2b91a3928185d2e86c810d3cc2bc74146ab98b7e
Instruction Fuzzy Hash: 6A3125B5D052189BDB11EFA4D989BCDBBB8FF09304F1041AAE409AB250EB749A84DF45

Function 003A8670 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 495COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 003A8D0D

Strings

v22y, xrefs: 003A8B4B
v22y, xrefs: 003A86DB

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: v22y$v22y
API String ID: 2134207285-685426704
Opcode ID: 46828ab6ea07d9b7446a1211e815f0fa63d8aedabcd947e8b56b6b3d0c6fab03
Instruction ID: 5149d64dd992e0280e367e711daf7fb9180ab890565625d24663522c32731b07
Opcode Fuzzy Hash: 46828ab6ea07d9b7446a1211e815f0fa63d8aedabcd947e8b56b6b3d0c6fab03
Instruction Fuzzy Hash: 55F16A36F111114FDF1A8B3888E67FE7BE6DB96310F29541AD806D72E1DE274C498B81

Function 003AA74D Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003AA753
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003AA761
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003AA772
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003AA783
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003AA794
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003AA7A5
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 003AA7B6
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003AA7C7
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 003AA7D8
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003AA7E9
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003AA7FA
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003AA80B
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003AA81C
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003AA82D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003AA83E
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003AA84F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003AA860
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 003AA871
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 003AA882
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 003AA893
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 003AA8A4
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 003AA8B5
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 003AA8C6
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 003AA8D7
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 003AA8E8
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 003AA8F9
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003AA90A
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 003AA91B
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003AA92C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003AA93D
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 003AA94E
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 003AA95F
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 003AA970
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 003AA981
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 003AA992
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 003AA9A3
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 003AA9B4
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 003AA9C5
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 003AA9D6
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 003AA9E7
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 003AA9F8

Strings

InitializeCriticalSectionEx, xrefs: 003AA79A
SleepConditionVariableSRW, xrefs: 003AA987
InitializeConditionVariable, xrefs: 003AA8FF
CreateThreadpoolWait, xrefs: 003AA833
GetCurrentPackageId, xrefs: 003AA8AA
CreateSemaphoreExW, xrefs: 003AA7DE
ReleaseSRWLockExclusive, xrefs: 003AA976
WakeConditionVariable, xrefs: 003AA910
CreateSemaphoreW, xrefs: 003AA7CD
SubmitThreadpoolWork, xrefs: 003AA9A9
GetSystemTimePreciseAsFileTime, xrefs: 003AA8EE
CreateThreadpoolTimer, xrefs: 003AA7EF
FlsAlloc, xrefs: 003AA75B
CloseThreadpoolTimer, xrefs: 003AA822
GetTickCount64, xrefs: 003AA8BB
CloseThreadpoolWork, xrefs: 003AA9BA
SetThreadpoolWait, xrefs: 003AA844
GetCurrentProcessorNumber, xrefs: 003AA888
SetThreadpoolTimer, xrefs: 003AA800
GetFileInformationByHandleEx, xrefs: 003AA8CC
GetLocaleInfoEx, xrefs: 003AA9DC
FlsSetValue, xrefs: 003AA789
CreateThreadpoolWork, xrefs: 003AA998
FlsFree, xrefs: 003AA767
AcquireSRWLockExclusive, xrefs: 003AA954
LCMapStringEx, xrefs: 003AA9ED
CloseThreadpoolWait, xrefs: 003AA855
kernel32.dll, xrefs: 003AA74E
InitOnceExecuteOnce, xrefs: 003AA7AB
FreeLibraryWhenCallbackReturns, xrefs: 003AA877
SetFileInformationByHandle, xrefs: 003AA8DD
WakeAllConditionVariable, xrefs: 003AA921
CreateEventExW, xrefs: 003AA7BC
SleepConditionVariableCS, xrefs: 003AA932
InitializeSRWLock, xrefs: 003AA943
FlushProcessWriteBuffers, xrefs: 003AA866
CreateSymbolicLinkW, xrefs: 003AA89E
FlsGetValue, xrefs: 003AA778
WaitForThreadpoolTimerCallbacks, xrefs: 003AA811
TryAcquireSRWLockExclusive, xrefs: 003AA965
CompareStringEx, xrefs: 003AA9CB

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: f98f2cd95d7963fbe7d7ac524560fb2755c4b5091af77e43e962eca930afdfde
Instruction ID: 002b5d3ec358f42d829d8654bf51b6a52524e4d8165668d2bae75fa09a0397d6
Opcode Fuzzy Hash: f98f2cd95d7963fbe7d7ac524560fb2755c4b5091af77e43e962eca930afdfde
Instruction Fuzzy Hash: 8A618B799523A0AFC7037FB8BC1DCC63EECBA0AB09B444656F601D2962D7B4B0519F58

Function 00404377 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,004045FF), ref: 00404390
GetProcAddress.KERNEL32(00000000), ref: 00404399
GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,004045FF), ref: 004043AA
GetProcAddress.KERNEL32(00000000), ref: 004043AD

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,004045FF), ref: 0040442F
GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000002,?,?,?,?,004045FF), ref: 0040444B
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 0040445A
CloseHandle.KERNEL32(004045FF,?,?,?,?,004045FF), ref: 0040448A
GetCurrentProcess.KERNEL32(004045FF,00000000,00000000,00000001,?,?,?,?,004045FF), ref: 00404498
DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,004045FF), ref: 004044A7
CloseHandle.KERNEL32(?,?,?,?,?,004045FF), ref: 004044BA
CloseHandle.KERNEL32(000000FF), ref: 004044DD
CloseHandle.KERNEL32(?), ref: 004044E5

Strings

NtQueryObject, xrefs: 0040439B
ntdll, xrefs: 0040438B, 004043A2
NtQuerySystemInformation, xrefs: 00404386

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
String ID: NtQueryObject$NtQuerySystemInformation$ntdll
API String ID: 3110323036-2044536123
Opcode ID: b5df68a6bf919bf50a48ac763dfae3735d449fe75d6ecaf60c1b57aeb643f3aa
Instruction ID: 6b6220df04feaa08bf7b4da56c654ad1a859742ad58229fcdab27ba0eb323707
Opcode Fuzzy Hash: b5df68a6bf919bf50a48ac763dfae3735d449fe75d6ecaf60c1b57aeb643f3aa
Instruction Fuzzy Hash: 884172B1E00119ABDB109BE68D44AAFBBB9EF84314F144176F604F22D0DB78DE41CBA5

Function 003AF71A Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 003AF839
___TypeMatch.LIBVCRUNTIME ref: 003AF947
CatchIt.LIBVCRUNTIME ref: 003AF998
_UnwindNestedFrames.LIBCMT ref: 003AFA99
CallUnexpected.LIBVCRUNTIME ref: 003AFAB4

Strings

csm, xrefs: 003AF870
csm, xrefs: 003AF757
csm, xrefs: 003AF7C4

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 8a253163da7954bb24dcd6ed5ef229d1b474fd12b9b8a38a178c65da533c8b07
Instruction ID: e90c4ffc183a251b2e193e9fefe23b9d5c022a813978e961f4a9bec3e7972136
Opcode Fuzzy Hash: 8a253163da7954bb24dcd6ed5ef229d1b474fd12b9b8a38a178c65da533c8b07
Instruction Fuzzy Hash: F3B14A71800209EFCF2AEFE4D8819AEB7B9FF1A310F15416AE8156B212D735DA51CF91

Function 00402A1E Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00402B09

Strings

(null), xrefs: 00402C14
0123456789ABCDEF, xrefs: 00402A85
(null), xrefs: 00402B9A
0123456789abcdef, xrefs: 00402A7E

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
API String ID: 1302938615-1267642376
Opcode ID: 74a9ea239097ada3d1414e157643d0f430ec2b0ca7e571adabed524bf4d5b292
Instruction ID: bcdd270a88cad76f636a2a04ffa2895c1f0e3bc7806eb067e009ec13a134c41f
Opcode Fuzzy Hash: 74a9ea239097ada3d1414e157643d0f430ec2b0ca7e571adabed524bf4d5b292
Instruction Fuzzy Hash: 5691A0706087028FDB25CF24C58862BB7E5EF85344F24897FE49AA77D1D7B4A881CB49

Function 003B76D7 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003B7ADC: CreateFileW.KERNEL32(00000000,00000000,?,003B7780,?,?,00000000,?,003B7780,00000000,0000000C), ref: 003B7AF9

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003B77EB
__dosmaperr.LIBCMT ref: 003B77F2
GetFileType.KERNEL32(00000000), ref: 003B77FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003B7808
__dosmaperr.LIBCMT ref: 003B7811
CloseHandle.KERNEL32(00000000), ref: 003B7831
CloseHandle.KERNEL32(003B4556), ref: 003B797E
GetLastError.KERNEL32 ref: 003B79B0
__dosmaperr.LIBCMT ref: 003B79B7

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: faf4ef2d47031697b69d58324781a2321c9c707b27c740a73890a92760a8b3d1
Instruction ID: 38b29fa8de94397e893b62c85cb040d3ab5443104c32d7b10ea62fd4ff6c76a8
Opcode Fuzzy Hash: faf4ef2d47031697b69d58324781a2321c9c707b27c740a73890a92760a8b3d1
Instruction Fuzzy Hash: 15A14432A081589FCF1A9F68DC62BED7BA4EB86318F15015DFA11DF791CB309902CB41

Function 003A82E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 126COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003A82F2

Strings

\a=, xrefs: 003A8304
~\Ya, xrefs: 003A83F5
~\Ya, xrefs: 003A8372
\a=, xrefs: 003A8366
~\Ya, xrefs: 003A835B

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: ~\Ya$~\Ya$~\Ya$\a=$\a=
API String ID: 4194217158-2811050778
Opcode ID: ad8045904f14d6202ea3f3b2784ae72f79549a10b058e9c4f2eeb80343506969
Instruction ID: 2d32becf84185ff0952b9da6f2fd4c280ac33dafffb9205b157f61678704206f
Opcode Fuzzy Hash: ad8045904f14d6202ea3f3b2784ae72f79549a10b058e9c4f2eeb80343506969
Instruction Fuzzy Hash: 3F319D7F600605CB9E1E4A3C6DF52AF77C5EF66711B2A4D37D515CB180EA21CC4A8782

Function 003ABB80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003ABBB7
___except_validate_context_record.LIBVCRUNTIME ref: 003ABBBF
_ValidateLocalCookies.LIBCMT ref: 003ABC48
__IsNonwritableInCurrentImage.LIBCMT ref: 003ABC73
_ValidateLocalCookies.LIBCMT ref: 003ABCC8

Strings

csm, xrefs: 003ABC5D

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a14f1a264e332a834035de1c639a35508037cb87504bdecfda2ea1268019ea96
Instruction ID: ad15a05255062e244fcec0b55791367d3c54daf773f8d1c74113f6b579e948e8
Opcode Fuzzy Hash: a14f1a264e332a834035de1c639a35508037cb87504bdecfda2ea1268019ea96
Instruction Fuzzy Hash: 6D41B534A00208AFCF16EF68C845E9EFBA9FF06324F148155E915AB353DB31DA11CB91

Function 003B040E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,003B051D,00000000,00000000,00000000,00000000,?,?,003B0226,00000022,FlsSetValue,003BBDDC,003BBDE4,00000000), ref: 003B04CF

Strings

ext-ms-, xrefs: 003B0479
api-ms-, xrefs: 003B0465

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 35dac30f1d1bffd89e009a83c1131326d38e516a422bb0d191a9e8d7a4ead917
Instruction ID: 77274960cfe25a60601034049a4e7bfe9384e495c9a8df6ae259aad5715fed7c
Opcode Fuzzy Hash: 35dac30f1d1bffd89e009a83c1131326d38e516a422bb0d191a9e8d7a4ead917
Instruction Fuzzy Hash: 2821D831A01214ABD7279B62AC45EDB776CAF51778F160224EB16E7A91DB34FD00CBD0

Function 003B48DD Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95012b95763dbb9bd5f0e4cb0e24feef92e0183f3367ef69c5c02e014021722
Instruction ID: bd37df1920cfd932319406f193503c0e4de0158262b7ac6d2952e61512548b31
Opcode Fuzzy Hash: b95012b95763dbb9bd5f0e4cb0e24feef92e0183f3367ef69c5c02e014021722
Instruction Fuzzy Hash: B7B10F70A04248ABDB13DFA8C891BEEBBB9BF45308F154158E7419BA93C770ED41CB58

Function 003B838B Relevance: 9.2, APIs: 6, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,003B8376,?,?,?,?,?,?,?,?,?,?), ref: 003B8431
__freea.LIBCMT ref: 003B85C6
__freea.LIBCMT ref: 003B85CC
__freea.LIBCMT ref: 003B8602
__freea.LIBCMT ref: 003B8608
__freea.LIBCMT ref: 003B8618

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 0ceb19ea42538a4b8490c6946a5fb85e2de926f0dedadead4c829ad0b65276fb
Instruction ID: f06b1c3ba3338b7b223407d061d45b4210f0936f02068675d043fe1102809c9d
Opcode Fuzzy Hash: 0ceb19ea42538a4b8490c6946a5fb85e2de926f0dedadead4c829ad0b65276fb
Instruction Fuzzy Hash: BD71B372A0020AAADF239F548C42FEF77AD9F45318F160155EB45ABA42EF75DC01C760

Function 00403111 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

x, xrefs: 00403451

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: cc77272222d09f9b3e8e7dc35d4396ed1e50a5a1df7a949ef9c02a18000c61cf
Instruction ID: cdbb1d4b41a264391f31279463ee9e8db51f7a06bf36a1bae859705254ac4300
Opcode Fuzzy Hash: cc77272222d09f9b3e8e7dc35d4396ed1e50a5a1df7a949ef9c02a18000c61cf
Instruction Fuzzy Hash: 1302A174D00219EFCB45CF98C985AAEBBF4FB09305F10846AE826EB390D734AA41CF55

Function 003AEE93 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003AEE8A,003AB95D,003AB041), ref: 003AEEA1
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003AEEAF
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003AEEC8
SetLastError.KERNEL32(00000000,003AEE8A,003AB95D,003AB041), ref: 003AEF1A

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d032c85a8edc1020789cf9920d07a2eface61fe4d883638e48dec6e7054cac1f
Instruction ID: 0c6484403986e18369648ab9db4f6ca6b163a105e05acf06c1f7b0cd4f4f0b96
Opcode Fuzzy Hash: d032c85a8edc1020789cf9920d07a2eface61fe4d883638e48dec6e7054cac1f
Instruction Fuzzy Hash: DF01F73A2097116EA7272BB47CC5EAB3B9CEB03779B210329F6108A5F1FF119C109690

Function 003AC960 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,003BA898,000000FF,?,003ACA21,?,?,003ACABD,00000000), ref: 003AC995
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003AC9A7
FreeLibrary.KERNEL32(00000000,?,00000000,003BA898,000000FF,?,003ACA21,?,?,003ACABD,00000000), ref: 003AC9C9

Strings

mscoree.dll, xrefs: 003AC98E
CorExitProcess, xrefs: 003AC99F

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cdedc64ade9b3425fb1dc7da3c47fda0cef7f5e21aab8f660635a24338a50b1d
Instruction ID: 06c7efc5e3f389f3b0a573f092d79441ddc1ee855aad0e427a0426641a80fab7
Opcode Fuzzy Hash: cdedc64ade9b3425fb1dc7da3c47fda0cef7f5e21aab8f660635a24338a50b1d
Instruction Fuzzy Hash: B801A236914625AFCB138B50CC09FEEBBBCFB06B14F004529E811E2690DB74A900CB80

Function 003AFB3F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,003AFA45,?,?,00000000,00000000,00000000,?), ref: 003AFB64
CatchIt.LIBVCRUNTIME ref: 003AFC4A

Strings

MOC, xrefs: 003AFB76
RCC, xrefs: 003AFB7E

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b4f66c5963cc4ffe06dbf2d40115e590754f82bb32ed27f362cba146d83c67e4
Instruction ID: 27d70a524cfc03c32fe209ea526cd01f7df0262d419d6528aeb55147ad0d5a91
Opcode Fuzzy Hash: b4f66c5963cc4ffe06dbf2d40115e590754f82bb32ed27f362cba146d83c67e4
Instruction Fuzzy Hash: C2416772900209AFCF16DF98CD81EEEBBB5FF4A314F198169F905AB221D3359950DB50

Function 003AA369 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003AA375
__Mtx_unlock.LIBCPMT ref: 003AA3B4
__Cnd_broadcast.LIBCPMT ref: 003AA3BC

Strings

8C<, xrefs: 003AA370

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: Cnd_broadcastCurrentMtx_unlockThread
String ID: 8C<
API String ID: 2021000804-553782651
Opcode ID: e18fdac4b0105022bbc62bd2ec3824afdabdfe92615a3978c493b0ffae5cc844
Instruction ID: 0e20e2ff773730ba99e2b7d881a86bc6b79963a19163447130224ac2af29d90a
Opcode Fuzzy Hash: e18fdac4b0105022bbc62bd2ec3824afdabdfe92615a3978c493b0ffae5cc844
Instruction Fuzzy Hash: E701F13B600F02DFDF239BA5C45079AB3A5EF02311F46092DE8869B280D7B0AC10CB92

Function 003B5721 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,003B57BD,00000000,?,003C4D00,?,?,?,003B56F4,00000004,InitializeCriticalSectionEx,003BC714,003BC71C), ref: 003B572E
GetLastError.KERNEL32(?,003B57BD,00000000,?,003C4D00,?,?,?,003B56F4,00000004,InitializeCriticalSectionEx,003BC714,003BC71C,00000000,?,003AFD6C), ref: 003B5738
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 003B5760

Strings

api-ms-, xrefs: 003B5745

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e0f716d28df304308ee5a98432e30f154c75d73a4a71dd1f3e5c0c37373686fb
Instruction ID: 385995511e411e6a8730a00b3fc39903d344ef12ed03da00a36440acb55a2853
Opcode Fuzzy Hash: e0f716d28df304308ee5a98432e30f154c75d73a4a71dd1f3e5c0c37373686fb
Instruction Fuzzy Hash: DBE01231780244F7EB122B60ED06F993A99AB11B49F144020FA0CE88A2DBA6E9109644

Function 003B61F7 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 003B625A

Part of subcall function 003B36C0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,003B5BE8,?,00000000,-00000008), ref: 003B3721

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003B64AC
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 003B64F2
GetLastError.KERNEL32 ref: 003B6595

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: efacc886b612fdd416f15e107eed54afb2a7e97c026857f91c1af623269e3ac2
Instruction ID: 8a277544f066ab1cd80adc4842b84e5c1011d85459bd5c5f86b01f2191ce30ae
Opcode Fuzzy Hash: efacc886b612fdd416f15e107eed54afb2a7e97c026857f91c1af623269e3ac2
Instruction Fuzzy Hash: 37D1AEB5D006489FCF16CFA8C8819EDBBB8FF09318F18452AE526EB752D734A951CB50

Function 003A4860 Relevance: 6.2, APIs: 4, Instructions: 169threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003A48A6

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f8916b2c111265356a8ff8cfd4e7496d6f9aceaab16f3fb2ac78745baafc7745
Instruction ID: 2a64dc2a4c5e7ed625cd5e48cc36af9b3466ddcd8aa38dcaeffbd5f0b8c6e7b4
Opcode Fuzzy Hash: f8916b2c111265356a8ff8cfd4e7496d6f9aceaab16f3fb2ac78745baafc7745
Instruction Fuzzy Hash: EF5159367006018FCA299A18ACD27BF33D9EBD3351F26451DE506CB2A1DBBADC458B52

Function 003AF543 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 003AF60A
___AdjustPointer.LIBCMT ref: 003AF62D
___AdjustPointer.LIBCMT ref: 003AF6C9

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 363c24c6c7f39ed898717981d2d80c0c1d4561d365c9054d6c6c347316e284d9
Instruction ID: 6f91fd85f498c9880e09f3da10c0fd53604656d1a3fe33d32d758b63fe7fba6a
Opcode Fuzzy Hash: 363c24c6c7f39ed898717981d2d80c0c1d4561d365c9054d6c6c347316e284d9
Instruction Fuzzy Hash: E951DE72A01606AFDB2B9F90D941BBAB3A4EF03710F15413DE8059B2B1E735EC40DB90

Function 003B2B47 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 003B36C0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,003B5BE8,?,00000000,-00000008), ref: 003B3721

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,003B2EED,?,?,?,00000000), ref: 003B2BAB
__dosmaperr.LIBCMT ref: 003B2BB2
GetLastError.KERNEL32(00000000,003B2EED,?,?,00000000,?,?,?,00000000,00000000,?,003B2EED,?,?,?,00000000), ref: 003B2BEC
__dosmaperr.LIBCMT ref: 003B2BF3

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6f92817fac4f4fa151f4fbd984750c029b0b61e1dd30e92c848dc67477e05ca9
Instruction ID: bc929b5a1223448e07b095fd48b2c8e360d4c3ebe60bc7dde3b79d14328b004d
Opcode Fuzzy Hash: 6f92817fac4f4fa151f4fbd984750c029b0b61e1dd30e92c848dc67477e05ca9
Instruction Fuzzy Hash: F821A171600215AF9B22AF6198819EBBBACFF0436C7518619FA159BD11EB31EC0087A0

Function 003B30E3 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0fe7ae97002f8d1248f9527746ce5521deddbdb974c87bd8882dba064e0fb1
Instruction ID: 48767d1808b01f44def465f8b0ae0ccf46db1acd3805a9fea53f45f408a8fded
Opcode Fuzzy Hash: ce0fe7ae97002f8d1248f9527746ce5521deddbdb974c87bd8882dba064e0fb1
Instruction Fuzzy Hash: 6621D171604229AFDB22BF69CC809EBB7ADAF0432D7414528FA25CBD11D730FE008760

Function 003B37BC Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003B37C4

Part of subcall function 003B36C0: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,003B5BE8,?,00000000,-00000008), ref: 003B3721

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003B37FC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003B381C

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: d201bae2791fa9535ca9f36e817d9c02766dc722ee7ae7a46da2dea2ba1c8dc9
Instruction ID: 52a3a578d507eacd8dc5b468f836c3fd7943d0636eb80732d605b9a62a52cc80
Opcode Fuzzy Hash: d201bae2791fa9535ca9f36e817d9c02766dc722ee7ae7a46da2dea2ba1c8dc9
Instruction Fuzzy Hash: 111126F5900229BFA72327B15C8DCFF2A5CCE853AD7110025FB01D5902EA20DF0482B2

Function 003B8A90 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000), ref: 003B8AA7
GetLastError.KERNEL32(?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000,?,?,?,003B5F2F,00000000), ref: 003B8AB3

Part of subcall function 003B8B04: CloseHandle.KERNEL32(FFFFFFFE,003B8AC3,?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000,?,?), ref: 003B8B14

___initconout.LIBCMT ref: 003B8AC3

Part of subcall function 003B8AE5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,003B8A81,003B831E,?,?,003B65E9,?,00000000,00000000,?), ref: 003B8AF8

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,003B8331,00000000,00000001,00000000,?,?,003B65E9,?,00000000,00000000,?), ref: 003B8AD8

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0a1ed983d7cb47cf05e68bed2981f4f7dbf54bf251ca5b852149429797625675
Instruction ID: 7dce5a1d115410e8847c863df314e4b9bf347d4f43a291e44cf59060fb7f56dc
Opcode Fuzzy Hash: 0a1ed983d7cb47cf05e68bed2981f4f7dbf54bf251ca5b852149429797625675
Instruction Fuzzy Hash: 38F01C36400158BBCF232FA2DC08DCA3F6AFF093A5F114414FA09D5921CA729920EB90

Function 00402C95 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00402ECA

Strings

6#@, xrefs: 00402F4A

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
String ID: 6#@
API String ID: 1990697408-399668929
Opcode ID: 1f26a5c5fc2634c2030f9b83c1c8166a34ad48809439acca6c6bd24674cc38fe
Instruction ID: 04ec494e2720618fda0ea9b48e18905337fba48f3a471985427a56106dfb7a8a
Opcode Fuzzy Hash: 1f26a5c5fc2634c2030f9b83c1c8166a34ad48809439acca6c6bd24674cc38fe
Instruction Fuzzy Hash: 9202AF70A04249EFCB41CF98C985AAEBBF4BF09305F148466E855FB390D778AA41CF55

Function 003AF3B3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 003AF3BC

Strings

csm, xrefs: 003AF44F
csm, xrefs: 003AF3DE

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 643ea4e8ec1e0df71fb3a56e378134e4906b46b5809f9296df6b74d030adc28b
Instruction ID: eb6bd1248499873b435cff12ca311df82f973820f6702b84a1d8489f5a3bfe52
Opcode Fuzzy Hash: 643ea4e8ec1e0df71fb3a56e378134e4906b46b5809f9296df6b74d030adc28b
Instruction Fuzzy Hash: F631D3325002149FCF279FE6C8419AB7B66FF4E325B19867AFD444A121C336CC62DB91

Function 00403DA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,00403E4E,00000000,?,0000011C), ref: 00403DC1

Part of subcall function 00403595: EnterCriticalSection.KERNEL32(004084D4,?,?,00403C72,?,004022DE), ref: 0040359F
Part of subcall function 00403595: GetProcessHeap.KERNEL32(00000008,?,?,?,00403C72,?,004022DE), ref: 004035A8
Part of subcall function 00403595: RtlAllocateHeap.NTDLL(00000000,?,?,?,00403C72,?,004022DE), ref: 004035AF
Part of subcall function 00403595: LeaveCriticalSection.KERNEL32(004084D4,?,?,?,00403C72,?,004022DE), ref: 004035B8

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,00403E4E,00000000,?,0000011C), ref: 00403DF7

Strings

$d.log, xrefs: 00403DB8, 00403DF0

Memory Dump Source

Source File: 00000003.00000002.2125417255.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
String ID: $d.log
API String ID: 635875880-1910398676
Opcode ID: 596067efd1d70e71452a917ac77f7634f6861e6932447c6e6420039467924f9e
Instruction ID: ac6dd0e6687c57a2322cdc8011629eff706fdab16a0174ef90b3a49cae1c3f8c
Opcode Fuzzy Hash: 596067efd1d70e71452a917ac77f7634f6861e6932447c6e6420039467924f9e
Instruction Fuzzy Hash: 46F0BEB16001207FA3246A6ACC09C777EAEDBC2B71304433ABC18EB3D0D9309C0082B0

Function 003B009B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(003C4D20), ref: 003B00B8

Strings

M<, xrefs: 003B00A7
xM<, xrefs: 003B00C4

Memory Dump Source

Source File: 00000003.00000002.2125322206.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000003.00000002.2125302563.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125343767.00000000003BB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125363369.00000000003C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125381306.00000000003C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2125398518.00000000003C9000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: M<$xM<
API String ID: 3664257935-2597119641
Opcode ID: 60b9c0b95b931abf3d2b31a30d36cd30b9b85bbd58d93ed5c6610495f42da926
Instruction ID: 892066db1857b7ab4c803c6a4808681f0674dd8ca8ef230d2b36e92f51deabfa
Opcode Fuzzy Hash: 60b9c0b95b931abf3d2b31a30d36cd30b9b85bbd58d93ed5c6610495f42da926
Instruction Fuzzy Hash: CAE08636C116189BDB373E08D408BD276D85B5133AF17052AD5DD525A192B11CD1C781

Source: file.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: file.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000003.00000003.2043675219.00000000095EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2130535521.00000000099FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.212.106

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Poverty Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
file.exe

Function 003C31A4 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 003A2030 Relevance: 6.7, Strings: 5, Instructions: 408
COMMON

Function 003A8670 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 495
COMMON

Function 003A3480 Relevance: 3.3, APIs: 2, Instructions: 296
COMMON

Function 003B76D7 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Function 003B040E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 003B48DD Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Function 003A4860 Relevance: 6.2, APIs: 4, Instructions: 169
threadCOMMON

Function 003B5A3D Relevance: 4.7, APIs: 3, Instructions: 197
COMMON

Function 003AC6F4 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 003AA3F0 Relevance: 4.5, APIs: 3, Instructions: 32
threadCOMMON

Function 003AC88A Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 003AC9FB Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 003B0ED9 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 003B0D4C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON