Edit tour

Windows Analysis Report
3344.exe

Overview

General Information

Sample name:	3344.exe
Analysis ID:	1576286
MD5:	c2fd049f5e4af19811db14b28e1d9bdc
SHA1:	4ff988b0876061921d162e2077221f6a4923c976
SHA256:	a908193949c9b3f45f3b409d4b28949014ae27e9bb1e962fd5e65ebbc97fb89e
Tags:	exemalwaremeterpretertrojanuser-Joker
Infos:

Detection

Metasploit

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

Found API chain indicative of debugger detection

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Detected TCP or UDP traffic on non-standard ports

Found evasive API chain (date check)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Yara signature match

Classification

Process Tree

System is w10x64

3344.exe (PID: 5424 cmdline: "C:\Users\user\Desktop\3344.exe" MD5: C2FD049F5E4AF19811DB14B28E1D9BDC)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "45.43.36.223", "Port": 3344}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x3a09:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5 0x3c79:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xd7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "45.43.36.223", "Port": 3344}

Multi AV Scanner detection for submitted file

Source: 3344.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 45.43.36.223:3344

Source: Joe Sandbox View

ASN Name: UHGL-AS-APUCloudHKHoldingsGroupLimitedHK UHGL-AS-APUCloudHKHoldingsGroupLimitedHK

Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223
Source: unknown	TCP traffic detected without corresponding DNS query: 45.43.36.223

Source: C:\Users\user\Desktop\3344.exe

Code function: 0_2_001C00D6 LoadLibraryA,WSASocketA,connect,recv,closesocket,

0_2_001C00D6

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown

Source: 3344.exe

Static PE information: Number of sections : 18 > 10

Source: 00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/1

Source: 3344.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3344.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3344.exe

ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\3344.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\3344.exe	Section loaded: mswsock.dll			Jump to behavior

Source: 3344.exe	Static PE information: section name: .xdata
Source: 3344.exe	Static PE information: section name: /4
Source: 3344.exe	Static PE information: section name: /19
Source: 3344.exe	Static PE information: section name: /31
Source: 3344.exe	Static PE information: section name: /45
Source: 3344.exe	Static PE information: section name: /57
Source: 3344.exe	Static PE information: section name: /70
Source: 3344.exe	Static PE information: section name: /81
Source: 3344.exe	Static PE information: section name: /92

Source: C:\Users\user\Desktop\3344.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-4952

Source: C:\Users\user\Desktop\3344.exe

API coverage: 9.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 3344.exe, 00000000.00000002.3315010379.0000000000750000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\3344.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-4267

Source: C:\Users\user\Desktop\3344.exe

Code function: 0_2_004091E0 free,IsDebuggerPresent,RaiseException,

0_2_004091E0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\3344.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,	0_2_00401180
Source: C:\Users\user\Desktop\3344.exe	Code function: 0_2_004050F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_004050F0
Source: C:\Users\user\Desktop\3344.exe	Code function: 0_2_00411498 SetUnhandledExceptionFilter,	0_2_00411498
Source: C:\Users\user\Desktop\3344.exe	Code function: 0_2_0040B259 SetUnhandledExceptionFilter,	0_2_0040B259

Source: C:\Users\user\Desktop\3344.exe

Code function: 0_2_00409470 GetSystemTimeAsFileTime,

0_2_00409470

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: 00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3344.exe	79%	ReversingLabs	Win64.Backdoor.Meterpreter

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.43.36.223	unknown	United States		135377	UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576286
Start date and time:	2024-12-16 18:13:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3344.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: 3344.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.43.36.223	m.elf	Get hash	malicious	Unknown	Browse
	5544x64.elf	Get hash	malicious	ConnectBack	Browse
	shell64.elf	Get hash	malicious	ConnectBack	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	m.elf	Get hash	malicious	Unknown	Browse	45.43.36.223
	5544x64.elf	Get hash	malicious	ConnectBack	Browse	45.43.36.223
	rebirth.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	128.1.49.123
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	107.155.56.30
	MAERSK LINE SHIPPING DOC_4253.exe	Get hash	malicious	FormBook	Browse	107.155.56.30
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	107.155.56.30
	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	107.155.56.30
	nabppc.elf	Get hash	malicious	Unknown	Browse	107.155.48.54
	shell64.elf	Get hash	malicious	ConnectBack	Browse	45.43.36.223
	XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	107.155.56.30

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.575277699276052
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	3344.exe
File size:	152'748 bytes
MD5:	c2fd049f5e4af19811db14b28e1d9bdc
SHA1:	4ff988b0876061921d162e2077221f6a4923c976
SHA256:	a908193949c9b3f45f3b409d4b28949014ae27e9bb1e962fd5e65ebbc97fb89e
SHA512:	0c3c5727dc92dc43c835d2130c660f727faa87a23f2e21a00a6df69a1399c66d5c327309560adadadf6e18f6b6bceb725ddbfb6c9637ad73f5ae14a75bc9665c
SSDEEP:	3072:6Pm7brhtbDKROb953j/wmIIrXt8i8NI/FDjV/+1EdB/:6Pm7brhVWa953j/bIwXt8xEjV/+1EdB/
TLSH:	64E3F9D57BD40CEED905423C84E6D322673EF4D082634B0B6A31B7311E17ED16EDAA6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...OYTg.n........'...........................@.............................. .......y........ ............................

File Icon


Icon Hash:	13170f0f8f060c0c

Static PE Info

General

Entrypoint:	0x4014b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x6754594F [Sat Dec 7 14:18:55 2024 UTC]
TLS Callbacks:	0x405220
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5b928a8f4e4a094efc0701738c18f7f0

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000C935h]
mov dword ptr [eax], 00000001h
call 00007F79E5479B3Fh
call 00007F79E5475CAAh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000C905h]
mov dword ptr [eax], 00000000h
call 00007F79E5479B0Fh
call 00007F79E5475C7Ah
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
call 00007F79E547B1C4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F79E5475FC9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push edi
push esi
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [ecx]
dec eax
test eax, eax
dec eax
mov esi, ecx
dec eax
mov ebx, edx
je 00007F79E5476032h
dec eax
mov edi, dword ptr [eax]
dec eax
mov eax, dword ptr [edx]
dec eax
cmp dword ptr [edx+08h], eax
jnle 00007F79E5475FFAh
dec eax
mov ecx, edx
call 00007F79E547840Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11000	0xe28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0xf6c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd720	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11358	0x308	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa4d8	0xa600	a2b3f3abc3fa63f379a0662169f7459a	False	0.5587584713855421	data	6.171384214115333	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xc000	0x560	0x600	9f0b37e587a9a2b0a00cf2880260cd37	False	0.4309895833333333	data	3.9515367953932268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xd000	0xe50	0x1000	b3e3aa802b225cec638f69a84941874d	False	0.379150390625	data	4.29555985877433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0xe000	0xf6c	0x1000	928545e4ac7851c53bbb650d6ea5fd60	False	0.455078125	data	4.533340610576811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0xf000	0xc88	0xe00	cb206662c211b9eb5a83839b3fd392de	False	0.19921875	data	3.707790104287517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x10000	0xae0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x11000	0xe28	0x1000	aaa93e08234604a959bdc3835082e374	False	0.299560546875	data	4.114530536451111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x12000	0x70	0x200	4e74fd0d4b00a683ad4eb4fc34090084	False	0.078125	data	0.3281187745953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x13000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14000	0x1398	0x1398	9c0bdd5191b101b77b3c9352dd1333be	False	0.24561403508771928	data	3.911992311561148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4	0x16000	0x80	0x200	0c45878a7b8aab977175e41d0aafb1f6	False	0.1015625	data	0.39045257474477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x17000	0x475e	0x4800	0a92d7ddc53616cb05fcd997534c4ed7	False	0.3926866319444444	data	5.958908140921361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x1c000	0x500	0x600	376602388f36e2131f481e79b13268c6	False	0.3111979166666667	data	4.2370580733237615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x1d000	0x704	0x800	60b8788e399a725f8e966a34043e6ccb	False	0.4345703125	data	5.106197583426308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x1e000	0x130	0x200	f702b75bf874d9585c7a98dd44affa4e	False	0.375	data	2.649450423169222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x1f000	0x12c	0x200	da6bb64456072fa6a17880b326fe66d6	False	0.375	data	3.8316609167251707	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x20000	0x74e	0x800	78803b79751d58899dd3958cbc59ed79	False	0.2177734375	data	1.7520564810585573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92	0x21000	0x1f0	0x200	86fa71369197029a259ef41e9e0d6f40	False	0.193359375	data	0.9967668471309872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x140f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.1977016885553471
RT_GROUP_ICON	0x151a0	0x14	data	English	United States	1.1
RT_MANIFEST	0x151b8	0x1ca	XML 1.0 document, ASCII text, with very long lines (456), with CRLF line terminators	English	United States	0.5764192139737991

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, OutputDebugStringA, QueryPerformanceCounter, RaiseException, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SuspendThread, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthreadex, _cexit, _endthreadex, _fileno, _fmode, _initterm, _onexit, _setjmp, _setmode, _strdup, _ultoa, abort, calloc, exit, fflush, fprintf, free, fwrite, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strlen, strncmp, vfprintf
USER32.dll	MessageBoxA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 18:14:00.831334114 CET	49704	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:00.951523066 CET	3344	49704	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:00.951678038 CET	49704	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:03.537416935 CET	3344	49704	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:03.537509918 CET	49704	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:03.538579941 CET	49704	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:03.540550947 CET	49705	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:03.658427954 CET	3344	49704	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:03.660320997 CET	3344	49705	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:03.660444021 CET	49705	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:06.248842955 CET	3344	49705	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:06.248924971 CET	49705	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:06.249921083 CET	49705	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:06.251626015 CET	49706	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:06.369956017 CET	3344	49705	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:06.371473074 CET	3344	49706	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:06.371562958 CET	49706	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:08.963439941 CET	3344	49706	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:08.963552952 CET	49706	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:08.964210987 CET	49706	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:08.965579033 CET	49707	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:09.084964991 CET	3344	49706	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:09.085911036 CET	3344	49707	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:09.085998058 CET	49707	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:11.663192987 CET	3344	49707	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:11.663300991 CET	49707	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:11.664304972 CET	49707	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:11.665736914 CET	49708	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:11.784656048 CET	3344	49707	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:11.785868883 CET	3344	49708	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:11.786022902 CET	49708	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:14.368704081 CET	3344	49708	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:14.368846893 CET	49708	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:14.369563103 CET	49708	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:14.371001005 CET	49709	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:14.489404917 CET	3344	49708	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:14.491014957 CET	3344	49709	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:14.491110086 CET	49709	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:17.086855888 CET	3344	49709	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:17.086982965 CET	49709	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:17.087636948 CET	49709	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:17.088948011 CET	49711	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:17.207417965 CET	3344	49709	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:17.208807945 CET	3344	49711	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:17.208895922 CET	49711	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:19.805835009 CET	3344	49711	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:19.807507038 CET	49711	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:19.827013969 CET	49711	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:19.828392982 CET	49718	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:19.947160959 CET	3344	49711	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:19.948503017 CET	3344	49718	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:19.948617935 CET	49718	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:22.558554888 CET	3344	49718	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:22.558645010 CET	49718	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:22.559384108 CET	49718	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:22.560765028 CET	49726	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:22.681360006 CET	3344	49718	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:22.682564020 CET	3344	49726	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:22.682673931 CET	49726	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:25.274336100 CET	3344	49726	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:25.274444103 CET	49726	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:25.275165081 CET	49726	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:25.276552916 CET	49733	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:25.395612001 CET	3344	49726	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:25.396958113 CET	3344	49733	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:25.397057056 CET	49733	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:27.991339922 CET	3344	49733	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:27.995424986 CET	49733	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:27.999154091 CET	49733	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:28.001204014 CET	49739	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:28.119118929 CET	3344	49733	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:28.121072054 CET	3344	49739	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:28.121171951 CET	49739	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:30.708434105 CET	3344	49739	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:30.711249113 CET	49739	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:30.711946011 CET	49739	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:30.713340998 CET	49750	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:30.832535982 CET	3344	49739	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:30.833978891 CET	3344	49750	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:30.834145069 CET	49750	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:33.416908979 CET	3344	49750	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:33.416990995 CET	49750	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:33.418039083 CET	49750	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:33.419981003 CET	49756	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:33.542604923 CET	3344	49750	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:33.544770002 CET	3344	49756	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:33.544883966 CET	49756	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:36.134063005 CET	3344	49756	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:36.134149075 CET	49756	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:36.134850025 CET	49756	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:36.136291027 CET	49762	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:36.258658886 CET	3344	49756	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:36.260353088 CET	3344	49762	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:36.260602951 CET	49762	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:38.851211071 CET	3344	49762	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:38.851376057 CET	49762	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:38.852166891 CET	49762	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:38.853635073 CET	49768	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:38.971924067 CET	3344	49762	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:38.973356009 CET	3344	49768	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:38.973468065 CET	49768	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:41.558701038 CET	3344	49768	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:41.558866978 CET	49768	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:41.559624910 CET	49768	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:41.561111927 CET	49779	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:41.679505110 CET	3344	49768	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:41.680951118 CET	3344	49779	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:41.681045055 CET	49779	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:44.274085999 CET	3344	49779	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:44.275420904 CET	49779	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:44.328238964 CET	49779	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:44.330948114 CET	49784	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:44.447954893 CET	3344	49779	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:44.450769901 CET	3344	49784	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:44.450915098 CET	49784	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:47.056075096 CET	3344	49784	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:47.057281017 CET	49784	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:47.069380999 CET	49784	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:47.089075089 CET	49789	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:47.189176083 CET	3344	49784	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:47.208868027 CET	3344	49789	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:47.208962917 CET	49789	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:49.822259903 CET	3344	49789	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:49.822334051 CET	49789	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:49.823051929 CET	49789	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:49.825201035 CET	49795	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:49.942785978 CET	3344	49789	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:49.945075035 CET	3344	49795	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:49.945422888 CET	49795	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:52.572073936 CET	3344	49795	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:52.572410107 CET	49795	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:52.572918892 CET	49795	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:52.574311018 CET	49804	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:52.692923069 CET	3344	49795	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:52.694406033 CET	3344	49804	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:52.694694996 CET	49804	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:55.274838924 CET	3344	49804	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:55.275012016 CET	49804	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:55.275770903 CET	49804	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:55.277261019 CET	49811	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:55.395469904 CET	3344	49804	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:55.397088051 CET	3344	49811	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:55.397193909 CET	49811	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:57.984967947 CET	3344	49811	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:57.985069036 CET	49811	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:57.985876083 CET	49811	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:57.987339020 CET	49817	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:14:58.105865955 CET	3344	49811	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:58.107194901 CET	3344	49817	45.43.36.223	192.168.2.5
Dec 16, 2024 18:14:58.107311964 CET	49817	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:00.696916103 CET	3344	49817	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:00.697460890 CET	49817	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:00.698038101 CET	49817	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:00.699450016 CET	49825	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:00.817919970 CET	3344	49817	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:00.819221973 CET	3344	49825	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:00.819478035 CET	49825	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:03.401262999 CET	3344	49825	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:03.401349068 CET	49825	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:03.402187109 CET	49825	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:03.403594017 CET	49832	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:03.527616024 CET	3344	49825	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:03.527657986 CET	3344	49832	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:03.527743101 CET	49832	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:06.099822044 CET	3344	49832	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:06.099904060 CET	49832	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:06.100783110 CET	49832	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:06.102372885 CET	49840	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:06.220740080 CET	3344	49832	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:06.222327948 CET	3344	49840	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:06.222413063 CET	49840	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:08.823896885 CET	3344	49840	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:08.824115038 CET	49840	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:08.824738979 CET	49840	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:08.826179981 CET	49847	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:08.944782972 CET	3344	49840	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:08.945983887 CET	3344	49847	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:08.946073055 CET	49847	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:11.542675972 CET	3344	49847	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:11.542803049 CET	49847	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:11.543859959 CET	49847	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:11.545851946 CET	49854	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:11.663794041 CET	3344	49847	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:11.665863991 CET	3344	49854	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:11.665993929 CET	49854	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:14.244231939 CET	3344	49854	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:14.244462013 CET	49854	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:14.245166063 CET	49854	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:14.246560097 CET	49861	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:14.364974022 CET	3344	49854	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:14.366278887 CET	3344	49861	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:14.366380930 CET	49861	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:16.948852062 CET	3344	49861	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:16.949145079 CET	49861	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:16.950062037 CET	49861	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:16.951509953 CET	49869	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:17.069736004 CET	3344	49861	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:17.071368933 CET	3344	49869	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:17.071527004 CET	49869	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:19.746897936 CET	3344	49869	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:19.747014046 CET	49869	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:19.747728109 CET	49869	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:19.749157906 CET	49876	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:19.867513895 CET	3344	49869	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:19.868937016 CET	3344	49876	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:19.869049072 CET	49876	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:22.522619009 CET	3344	49876	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:22.522744894 CET	49876	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:22.524022102 CET	49876	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:22.525650978 CET	49882	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:22.644088984 CET	3344	49876	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:22.645411015 CET	3344	49882	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:22.645560026 CET	49882	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:25.244973898 CET	3344	49882	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:25.245125055 CET	49882	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:25.246124983 CET	49882	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:25.248142004 CET	49889	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:25.366215944 CET	3344	49882	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:25.368036985 CET	3344	49889	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:25.368180990 CET	49889	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:27.976927996 CET	3344	49889	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:27.977066994 CET	49889	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:27.977806091 CET	49889	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:27.979218006 CET	49896	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:28.098139048 CET	3344	49889	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:28.099582911 CET	3344	49896	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:28.099695921 CET	49896	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:30.680150986 CET	3344	49896	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:30.680351019 CET	49896	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:30.681102991 CET	49896	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:30.682518005 CET	49905	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:30.800954103 CET	3344	49896	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:30.802329063 CET	3344	49905	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:30.802536011 CET	49905	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:33.383557081 CET	3344	49905	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:33.383687973 CET	49905	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:33.384387016 CET	49905	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:33.385751009 CET	49911	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:33.504300117 CET	3344	49905	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:33.505733013 CET	3344	49911	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:33.505853891 CET	49911	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:36.084721088 CET	3344	49911	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:36.084834099 CET	49911	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:36.085479975 CET	49911	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:36.086790085 CET	49918	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:36.205223083 CET	3344	49911	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:36.206624985 CET	3344	49918	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:36.206737995 CET	49918	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:38.847851992 CET	3344	49918	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:38.847964048 CET	49918	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:38.848701000 CET	49918	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:38.850182056 CET	49924	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:38.968413115 CET	3344	49918	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:38.969966888 CET	3344	49924	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:38.970091105 CET	49924	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:41.870351076 CET	3344	49924	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:41.870443106 CET	49924	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:41.871148109 CET	49924	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:41.872579098 CET	49931	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:41.990998030 CET	3344	49924	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:41.992614985 CET	3344	49931	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:41.992732048 CET	49931	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:44.573101997 CET	3344	49931	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:44.573177099 CET	49931	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:44.573782921 CET	49931	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:44.574976921 CET	49939	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:44.693512917 CET	3344	49931	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:44.694788933 CET	3344	49939	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:44.694876909 CET	49939	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:47.273952961 CET	3344	49939	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:47.274097919 CET	49939	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:47.274804115 CET	49939	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:47.276213884 CET	49945	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:47.394484043 CET	3344	49939	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:47.396086931 CET	3344	49945	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:47.396239042 CET	49945	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:49.977591991 CET	3344	49945	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:49.981458902 CET	49945	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:49.982176065 CET	49945	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:49.983526945 CET	49952	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:50.101902008 CET	3344	49945	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:50.103267908 CET	3344	49952	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:50.103498936 CET	49952	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:52.681541920 CET	3344	49952	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:52.681617022 CET	49952	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:52.682229996 CET	49952	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:52.683370113 CET	49960	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:52.803116083 CET	3344	49952	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:52.804933071 CET	3344	49960	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:52.805038929 CET	49960	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:55.384546995 CET	3344	49960	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:55.384628057 CET	49960	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:55.385565042 CET	49960	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:55.387562990 CET	49968	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:55.508440971 CET	3344	49960	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:55.510267019 CET	3344	49968	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:55.510356903 CET	49968	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:58.090459108 CET	3344	49968	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:58.090886116 CET	49968	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:58.091753960 CET	49968	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:58.093588114 CET	49974	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:15:58.211846113 CET	3344	49968	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:58.213702917 CET	3344	49974	45.43.36.223	192.168.2.5
Dec 16, 2024 18:15:58.213815928 CET	49974	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:00.792824030 CET	3344	49974	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:00.792932034 CET	49974	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:00.793628931 CET	49974	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:00.795084000 CET	49981	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:00.913372993 CET	3344	49974	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:00.914875031 CET	3344	49981	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:00.914998055 CET	49981	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:03.492968082 CET	3344	49981	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:03.493046999 CET	49981	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:03.494129896 CET	49981	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:03.496031046 CET	49988	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:03.614263058 CET	3344	49981	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:03.615927935 CET	3344	49988	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:03.616058111 CET	49988	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:06.197679043 CET	3344	49988	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:06.197860956 CET	49988	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:06.198529959 CET	49988	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:06.199951887 CET	49996	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:06.318238020 CET	3344	49988	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:06.319741011 CET	3344	49996	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:06.319823027 CET	49996	3344	192.168.2.5	45.43.36.223
Dec 16, 2024 18:16:08.947947979 CET	3344	49996	45.43.36.223	192.168.2.5
Dec 16, 2024 18:16:08.948065996 CET	49996	3344	192.168.2.5	45.43.36.223

Target ID:	0
Start time:	12:13:59
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\3344.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\3344.exe"
Imagebase:	0x400000
File size:	152'748 bytes
MD5 hash:	C2FD049F5E4AF19811DB14B28E1D9BDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.3314997826.000000000062C000.00000004.00000010.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	3.3%
Total number of Nodes:	1413
Total number of Limit Nodes:	12

Executed Functions

Function 00401180 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 189
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 004011E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00401253
malloc.MSVCRT ref: 00401329
strlen.MSVCRT ref: 00401354
malloc.MSVCRT ref: 00401360
memcpy.MSVCRT ref: 00401378
_cexit.MSVCRT ref: 004013E5
GetStartupInfoA.KERNEL32 ref: 00401473

Strings

0 A, xrefs: 00401480

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled_cexitmemcpystrlen
String ID: 0 A
API String ID: 1640792405-1333094694
Opcode ID: 72d2380a66f59b17d7d0b7229c9ae5c33d9b528bfb37d31652a3532418e5254a
Instruction ID: 7fd7e69588d464a95354bfc1fae6e64fad2bb469d7e9e12ca67e8cf5d31449df
Opcode Fuzzy Hash: 72d2380a66f59b17d7d0b7229c9ae5c33d9b528bfb37d31652a3532418e5254a
Instruction Fuzzy Hash: A2718DB171074486EB249F56E89076A37A1FB49B88F84403BEF49A73A5DF7DC884C748

Function 001C00D6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148
networklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 001C0108
WSASocketA.WS2_32(00000000,00000000), ref: 001C0139
connect.WS2_32 ref: 001C014E
recv.WS2_32 ref: 001C0175
closesocket.WS2_32 ref: 001C01D9

Strings

ws2_, xrefs: 001C00D8
unMa, xrefs: 001C01D4

Memory Dump Source

Source File: 00000000.00000002.3314907968.00000000001C0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_3344.jbxd

Yara matches

Similarity

API ID: LibraryLoadSocketclosesocketconnectrecv
String ID: unMa$ws2_
API String ID: 2974377591-4254217991
Opcode ID: 2058f79279c0fba5183a20154c738821c279f9cd7bb2525e365d92f7879f836f
Instruction ID: a88093527675b80ad386f85dfd0a04dbdefc04371b795b6588e792e652b4ef2a
Opcode Fuzzy Hash: 2058f79279c0fba5183a20154c738821c279f9cd7bb2525e365d92f7879f836f
Instruction Fuzzy Hash: DF31D12175CA4C1BE21D716C381B73A66C6C3AD726F25802FEA8EC72D6DC91CC8301DA

Function 00404D7E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
memorythreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00404DD5
WriteProcessMemory.KERNELBASE ref: 00404E47
VirtualProtect.KERNELBASE ref: 00404E6B
CreateThread.KERNELBASE ref: 00404E93

Strings

ZnktJt, xrefs: 00404DE7

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Virtual$AllocCreateMemoryProcessProtectThreadWrite
String ID: ZnktJt
API String ID: 589471592-3639927098
Opcode ID: 93f7e6e721c6d3ef7779802b8d633a2d29b62137bfd480fa8152d07a5f882355
Instruction ID: 815d3d090862fbd88549531cd80d5ffafdacf8f0a7f6368fc3c6a27604b9e8ad
Opcode Fuzzy Hash: 93f7e6e721c6d3ef7779802b8d633a2d29b62137bfd480fa8152d07a5f882355
Instruction Fuzzy Hash: 973174B6604A8485EB209F66E81435A7BA1B789BD5F448126AF4D57BA8DF3CC049CB08

Function 004074F0 Relevance: 15.1, APIs: 10, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 0040750C

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 84bee37f05bfdbf9993bf61e8910bedf794a0f1c16ea23a0d288ed955fa0f344
Instruction ID: 4d44d83db687c105a8f915d7577d791569068d88c1e7933cc6d3c0b1d6ba4111
Opcode Fuzzy Hash: 84bee37f05bfdbf9993bf61e8910bedf794a0f1c16ea23a0d288ed955fa0f344
Instruction Fuzzy Hash: 0C3173B2A057448AFB209F21F84879A76A0F745BA4F480229DF5E47BE0DF3CE085C719

Function 004019C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fileno.MSVCRT ref: 004019DC
_setmode.MSVCRT ref: 004019EC
_fileno.MSVCRT ref: 004019F8
_setmode.MSVCRT ref: 00401A01
_fileno.MSVCRT ref: 00401A0D
_setmode.MSVCRT ref: 00401A16
exit.MSVCRT ref: 00404BE3

Strings

@g@, xrefs: 004019C7

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: _fileno_setmode$exit
String ID: @g@
API String ID: 1042937471-3552307234
Opcode ID: e91c2104583d018695db4ed5a3c960c343f752282967dfc752c49b34cbbdf3da
Instruction ID: 2d189f3c614311821e3ac3c8582c5dcc26b918c8221a04532d2892516a15019d
Opcode Fuzzy Hash: e91c2104583d018695db4ed5a3c960c343f752282967dfc752c49b34cbbdf3da
Instruction Fuzzy Hash: 84012191B1160481EF19B7B3BC653791656AFD8BC4F59803B9B0E673E1DD3CC8968708

Function 00407790 Relevance: 13.6, APIs: 9, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 004077CA
CloseHandle.KERNEL32 ref: 00407802
CloseHandle.KERNEL32 ref: 0040780D
RemoveVectoredExceptionHandler.KERNEL32 ref: 00407860
TlsSetValue.KERNEL32 ref: 00407934

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CloseHandleValue$ExceptionHandlerRemoveVectored
String ID:
API String ID: 2941551293-0
Opcode ID: d6bd3e596a312003b2f53f3e1b2e677f550e30ec508400ae04fa6f1ac7d8f231
Instruction ID: 82006c851bddbc6f7d96567a6e4e65ba1afed02984d87f7f7e250f3d7a5db34a
Opcode Fuzzy Hash: d6bd3e596a312003b2f53f3e1b2e677f550e30ec508400ae04fa6f1ac7d8f231
Instruction Fuzzy Hash: 05413675A0A64095FB19AF26D8643A93360EF80B98F54413BDF0A633D4DF7CA885C35B

Function 00406460 Relevance: 12.1, APIs: 8, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937b6b15a6eb3c012a691d233e4ef296c6d7008006586f58407847eac017d767
Instruction ID: 2d2e5f29fd85e46d0c498564adfce658b9e55527e4f874cc8bdcd0573f201fa6
Opcode Fuzzy Hash: 937b6b15a6eb3c012a691d233e4ef296c6d7008006586f58407847eac017d767
Instruction Fuzzy Hash: F741C572602A0095EA15EF12E8107993365F744B88F9A883B9A4F37795DF3DD9A6C308

Function 00407D10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00407D8B

Strings

once %p is %d, xrefs: 00407D81

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: once %p is %d
API String ID: 383729395-95064319
Opcode ID: 1c4048602193c1d03f8171ed58baf2ca15e9a686ce7ac89604a45be64e55e6ba
Instruction ID: 597bc4bad2a3756a14a74a292123235e9860e307772a6839578ae55869fee0c3
Opcode Fuzzy Hash: 1c4048602193c1d03f8171ed58baf2ca15e9a686ce7ac89604a45be64e55e6ba
Instruction Fuzzy Hash: A721B573A1AB0085DA159B16E54137A67A4FF88BD4F084136DF4D137A4EB3CD841C34A

Function 00404BEF Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004044E0: signal.MSVCRT ref: 004044F0
Part of subcall function 004044E0: signal.MSVCRT ref: 00404501
Part of subcall function 004044E0: signal.MSVCRT ref: 00404512
Part of subcall function 004044E0: signal.MSVCRT ref: 00404523

exit.MSVCRT ref: 00404BE3
InitializeCriticalSection.KERNEL32 ref: 00404BFF

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: signal$CriticalInitializeSectionexit
String ID:
API String ID: 2966010811-0
Opcode ID: ed26bddd2918d9262c35d06a69f1064c08af1c9a6198f958b283c222558c2428
Instruction ID: 326a7d92601b150306925d15231b8e509079ec1334bb9b553f7a1e7cc46397de
Opcode Fuzzy Hash: ed26bddd2918d9262c35d06a69f1064c08af1c9a6198f958b283c222558c2428
Instruction Fuzzy Hash: 03F054D561150481EB19F773DC9236822209BE4748F854037E70A262F2DF3CC599871D

Non-executed Functions

Function 004050F0 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00405104
RtlLookupFunctionEntry.KERNEL32 ref: 0040511B
RtlVirtualUnwind.KERNEL32 ref: 0040515D
SetUnhandledExceptionFilter.KERNEL32 ref: 004051A1
UnhandledExceptionFilter.KERNEL32 ref: 004051AE
GetCurrentProcess.KERNEL32 ref: 004051B4
TerminateProcess.KERNEL32 ref: 004051C2
abort.MSVCRT ref: 004051C8

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: f5151f613f79c80f9e3833b4f785945d4aeade73ae1625b39d7e3f47ba99ee10
Instruction ID: bfb6b45e1e078e74a33f55577b5553ee43ed6af10de6dde30463632e920f560e
Opcode Fuzzy Hash: f5151f613f79c80f9e3833b4f785945d4aeade73ae1625b39d7e3f47ba99ee10
Instruction Fuzzy Hash: 8521EDB5610F45A5EB008B66FC843D937B4B708B88F54412AEB4EA7B64EF78C199C708

Function 004091E0 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040925E
IsDebuggerPresent.KERNEL32 ref: 00409283
RaiseException.KERNEL32 ref: 004092A9

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: DebuggerExceptionPresentRaisefree
String ID:
API String ID: 462861877-0
Opcode ID: 9992174eacac8e5ab886b3de233fb8ebd4dc72c1beb8de0acb777f7299ac8dad
Instruction ID: ce4e9d721cdb7bbce20e722b64e5cbb7c9defe4ee7ac0e4a9b2f1b449396240f
Opcode Fuzzy Hash: 9992174eacac8e5ab886b3de233fb8ebd4dc72c1beb8de0acb777f7299ac8dad
Instruction Fuzzy Hash: C721C3723013409BFA219F65A94039A7694EB98BE4F08467EAF4D537C1DB3DCC85C608

Function 00409470 Relevance: 1.5, APIs: 1, Instructions: 32timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0040949B

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 26814105f8035f977cef670bb666e7c765a3ee1fc66542955a4f888f446064b1
Instruction ID: c225d318a346da5ab50a1fa63e0d27ac38d33a664c6e9188a2d5e0a368294727
Opcode Fuzzy Hash: 26814105f8035f977cef670bb666e7c765a3ee1fc66542955a4f888f446064b1
Instruction Fuzzy Hash: 72F0B4A671424847DF288F29E91136DA36393C87D5F54C131EE1D87B6CD93CE9468B00

Function 00411498 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5338b2410c88fadbddd5476d659243740ef45eec0dfff78edda5a85c0f4bb367
Instruction ID: a055776a41e1b0b55d4ae2a34dec70663757dcbc0511ef016f381426a7f18ad1
Opcode Fuzzy Hash: 5338b2410c88fadbddd5476d659243740ef45eec0dfff78edda5a85c0f4bb367
Instruction Fuzzy Hash: 85C01297E4EFC645F11283E40D392AA1EC29A53F3470DC26F4F65073E3950A4C42534A

Function 0040B259 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071e3f193f53798d230cda8995b9538793e79beb0202c8a377ead432d12d34ac
Instruction ID: 55653edafb2575ef809dfd7c181ac5c2f4b73e9893a71408b2c11404d4732a45
Opcode Fuzzy Hash: 071e3f193f53798d230cda8995b9538793e79beb0202c8a377ead432d12d34ac
Instruction Fuzzy Hash: 12A0026245AC09C0F3004B05D8013B15129D30A700F042020521852065C92DC1904128

Function 00405610 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 283
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00410610,00007FF8C6F6ADA0,?,?,?,00000001,0040124C), ref: 0040573D

Strings

Unknown pseudo relocation bit size %d., xrefs: 004058AA
Unknown pseudo relocation protocol version %d., xrefs: 004058BE

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: d898b03a5d72de10162663d79a07c72910f85af380d3e9c2501badecda1e5893
Instruction ID: ec0788aba67833d99a14cc676751f17a9673eef151461daced4147b7fc9a059f
Opcode Fuzzy Hash: d898b03a5d72de10162663d79a07c72910f85af380d3e9c2501badecda1e5893
Instruction Fuzzy Hash: 3D9125B1B10A4086EB249766D84475F6362E7847A8F94893BCF0D777D5DA3DC882CF09

Function 00408BC0 Relevance: 16.7, APIs: 11, Instructions: 153sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00408C3C
Sleep.KERNEL32 ref: 00408C51

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CreateEventSleep
String ID:
API String ID: 3100162736-0
Opcode ID: 32ec87e576383e8f8f36a4a7583a92c245c68f92f9b89b3a5f40a635df0c231e
Instruction ID: cda0395fe9995eafc324e38ee0f4f8db92a7d219bb67c06cc15b7fd2b27d9db8
Opcode Fuzzy Hash: 32ec87e576383e8f8f36a4a7583a92c245c68f92f9b89b3a5f40a635df0c231e
Instruction Fuzzy Hash: 7951AF72605B4086E7149F31EA447AA3264FB54BA8F14433ADF6A677D8DF3CC881C359

Function 00405B60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00405BB9
signal.MSVCRT ref: 00405C12
signal.MSVCRT ref: 00405C6E
signal.MSVCRT ref: 00405D23

Strings

CCG , xrefs: 00405B75

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: c7754e18dd7f6f2718d97efecffbec134b501eb59c16e22e9bc238a7a538a630
Instruction ID: c7980c0de720be52abb6cac1ee74694571d924d4e52592449492c6cb1179f141
Opcode Fuzzy Hash: c7754e18dd7f6f2718d97efecffbec134b501eb59c16e22e9bc238a7a538a630
Instruction Fuzzy Hash: 07317E60749E0446FF38627D845973B2012DB89338F298B3B992AA73E5DD3D9CD14E1E

Function 0040A5C0 Relevance: 15.2, APIs: 10, Instructions: 201synchronizationCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8C887F230,0040A900,?,?,0040AD6B), ref: 0040A60B
WaitForSingleObject.KERNEL32 ref: 0040A63F
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8C887F230,0040A900,?,?,0040AD6B), ref: 0040A67A
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8C887F230,0040A900,?,?,0040AD6B), ref: 0040A6CD
ResetEvent.KERNEL32 ref: 0040A845

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Wait$ObjectSingle$EventMultipleObjectsReset
String ID:
API String ID: 654736092-0
Opcode ID: 04b1f1abd6f68fd1b037ea4d9a4c971e1355cd3456d290d3a99d3ada0a2acf6d
Instruction ID: 796082e024a666101088674e1bea0b77694cc4b4648ffe1f6039798b7fbbda1b
Opcode Fuzzy Hash: 04b1f1abd6f68fd1b037ea4d9a4c971e1355cd3456d290d3a99d3ada0a2acf6d
Instruction Fuzzy Hash: 1F51E22270430542FB24767AAA8576F01669B847D8F1C8437CE89A77E1ED3DCCE7921B

Function 0040455C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A82: fwrite.MSVCRT ref: 00401AAE

GetLastError.KERNEL32 ref: 004045B0
MessageBoxA.USER32 ref: 00404655
exit.MSVCRT ref: 00404676

Strings

could not load: , xrefs: 00404585
t load: , xrefs: 0040460E
@g@, xrefs: 00404569
could no, xrefs: 004045F4
(bad format; library may be wrong architecture), xrefs: 004045C7, 0040463E

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: ErrorLastMessageexitfwrite
String ID: (bad format; library may be wrong architecture)$@g@$could no$could not load: $t load:
API String ID: 3526235566-1396288416
Opcode ID: b695c2350faa932a37b32754816e9e5f307918df9a2535d8c508ec1021807acb
Instruction ID: 46bbdd4718f8384f04350224fa1e605d36a6ae5acf09ccdf4a0e1121748b961b
Opcode Fuzzy Hash: b695c2350faa932a37b32754816e9e5f307918df9a2535d8c508ec1021807acb
Instruction Fuzzy Hash: 322104B4701A4492EF14EB62E455B6A6315E784BC4F88043A9F0E277D5FE7CC549C308

Function 004086E0 Relevance: 13.7, APIs: 9, Instructions: 170COMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00408719

Part of subcall function 004074F0: TlsGetValue.KERNEL32 ref: 0040750C

SetEvent.KERNEL32 ref: 00408778
SetEvent.KERNEL32 ref: 0040886F

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Event$HandleInformationValue
String ID:
API String ID: 211894710-0
Opcode ID: ab1906855233d964621fb7e65b87f2ca98b0e39930b8f2cfd7e1cd92da2bc748
Instruction ID: b4421c339d4265d0bdc360d1b60a550c43b1c4af659e952e11673354c775c42c
Opcode Fuzzy Hash: ab1906855233d964621fb7e65b87f2ca98b0e39930b8f2cfd7e1cd92da2bc748
Instruction Fuzzy Hash: 9651A37661164086DB25AF759E413792B60E785BB8F18433ADFAA673D8DF3CC885C308

Function 0040A920 Relevance: 13.6, APIs: 9, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0040A890: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0040AD6B), ref: 0040A8C0
Part of subcall function 0040A890: LeaveCriticalSection.KERNEL32(?,?,0040AD6B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A8D6

TryEnterCriticalSection.KERNEL32 ref: 0040A9E7
LeaveCriticalSection.KERNEL32 ref: 0040AA23

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 5cb9d73e3b5ad60b21f971affb5d9989a1806b9f74b9ff7e3f69561cfc880a09
Instruction ID: e4db76effc332ca64321fdfda63012cdd3d3168a4dd2c78f27009671b3495e37
Opcode Fuzzy Hash: 5cb9d73e3b5ad60b21f971affb5d9989a1806b9f74b9ff7e3f69561cfc880a09
Instruction Fuzzy Hash: 2D318D7330070485EB41DF26EC007AA2310AB85BB8F9D46379E69A73D4DE3CC896C30A

Function 0040A420 Relevance: 13.6, APIs: 9, Instructions: 84COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0040A44B
CreateSemaphoreA.KERNEL32 ref: 0040A48C
CreateSemaphoreA.KERNEL32 ref: 0040A4A2
InitializeCriticalSection.KERNEL32(?,00409872,?,00000008,?,0040990D,?,?,?,00409985,?,?,?,?,00409DD4), ref: 0040A4C7
InitializeCriticalSection.KERNEL32(?,00409872,?,00000008,?,0040990D,?,?,?,00409985,?,?,?,?,00409DD4), ref: 0040A4CD
InitializeCriticalSection.KERNEL32(?,00409872,?,00000008,?,0040990D,?,?,?,00409985,?,?,?,?,00409DD4), ref: 0040A4D3

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$calloc
String ID:
API String ID: 2075313795-0
Opcode ID: 0bd96b484e588b6d61870943261d653de27ff8bb9003036ec8967b3bb832b4a0
Instruction ID: 128bbd00df7b5017e5f860e02d31810bbb14c5408239721ec137699294012a8d
Opcode Fuzzy Hash: 0bd96b484e588b6d61870943261d653de27ff8bb9003036ec8967b3bb832b4a0
Instruction Fuzzy Hash: 3E219C3270170486FB599F69F9507AA22A0EB44B98F0842368F2D4B7D8EE38C8D5C305

Function 0040446E Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 30COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 004044DA

Strings

SIGINT: Interrupted by Ctrl-C., xrefs: 00404473
SIGFPE: Arithmetic error., xrefs: 00404497
SIGSEGV: Illegal storage access. (Attempt to read from nil?), xrefs: 0040447F
unknown signal, xrefs: 004044A3
SIGILL: Illegal operation., xrefs: 004044AD
SIGABRT: Abnormal termination., xrefs: 0040448B

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: exit
String ID: SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$unknown signal
API String ID: 2483651598-3987738871
Opcode ID: 0f099a9a48e2a54ee3d0144dd51444fef535e7246d11d3071e8a6daf15bd6a81
Instruction ID: c50fe41d982ba2d869cf1ea4c672eac364cab60b25e8d7062e0672bf833e2d93
Opcode Fuzzy Hash: 0f099a9a48e2a54ee3d0144dd51444fef535e7246d11d3071e8a6daf15bd6a81
Instruction Fuzzy Hash: CBF05EF0600A4090E618E7D59C953E92262DB803A4FD5462BE72A77AE48F3CC949D298

Function 00405440 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 004054EB
VirtualProtect.KERNEL32 ref: 00405592
GetLastError.KERNEL32 ref: 004055A0

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 004055E7
Address %p has no image-section, xrefs: 004055FD
VirtualProtect failed with code 0x%x, xrefs: 004055A6

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: e2fae49aa962b9c0f4ff22a6c751d4fd290e40669d6f11738ebef2aa7a26a7f1
Instruction ID: 3234b13779dfbf688fb9b4b38bcd367d7dab7da1405971afa70d880db30e62e3
Opcode Fuzzy Hash: e2fae49aa962b9c0f4ff22a6c751d4fd290e40669d6f11738ebef2aa7a26a7f1
Instruction Fuzzy Hash: B051C6B3701A5096DB148F26EC4079E77A6E799BA4F448126EF0D67398DB3CC581CB08

Function 004079A0 Relevance: 10.6, APIs: 7, Instructions: 104sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00406820: GetCurrentThreadId.KERNEL32 ref: 00406854

TlsSetValue.KERNEL32 ref: 004079E3
GetCurrentThreadId.KERNEL32 ref: 004079E9
_setjmp.MSVCRT ref: 00407A0C
CloseHandle.KERNEL32 ref: 00407A46
Sleep.KERNEL32 ref: 00407AA9
TlsSetValue.KERNEL32 ref: 00407B46
_endthreadex.MSVCRT ref: 00407B53

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentThreadValue$CloseHandleSleep_endthreadex_setjmp
String ID:
API String ID: 398069486-0
Opcode ID: c0412a412931fae94798f8b897466d43117539c242fd4bc176f1d6b29b298314
Instruction ID: a24f973f3b46aeaf33cf87e96cd7c3d803f45ba779c19e591cff38fadeb8cc05
Opcode Fuzzy Hash: c0412a412931fae94798f8b897466d43117539c242fd4bc176f1d6b29b298314
Instruction Fuzzy Hash: 9F411835704A0595DB14AF22D8913A93B60E788BA8F0A52379F0E677A4DF3CE485C789

Function 0040A230 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040A255
fprintf.MSVCRT ref: 0040A27C
GetCurrentThreadId.KERNEL32 ref: 0040A290
fprintf.MSVCRT ref: 0040A2AF

Strings

C%p %d V=%0X w=%ld %s, xrefs: 0040A263
C%p %d %s, xrefs: 0040A29E

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentThreadfprintf
String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
API String ID: 1384477639-884133013
Opcode ID: c300bd2e3240b9b88016a1aa02a38e8ed37adfc29734f7c29e1712256e857b6d
Instruction ID: e018a8ffa0a6004cc7d9db567dbf221ec3a68c520bbb8601b9a978c770f479fb
Opcode Fuzzy Hash: c300bd2e3240b9b88016a1aa02a38e8ed37adfc29734f7c29e1712256e857b6d
Instruction Fuzzy Hash: 6D015EB660174889E6119B66F8407993764F798FE8F48803AEF4C53714DB3CC5D5C708

Function 004096B0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00409723
exit.MSVCRT ref: 0040972D

Strings

(, xrefs: 00409703
Assertion failed: (%s), file %s, line %d, xrefs: 0040971C
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00409712
../../src/mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 0040970B

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: exitfprintf
String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$../../src/mingw-w64/mingw-w64-libraries/winpthreads/src/rwlock.c$Assertion failed: (%s), file %s, line %d
API String ID: 4243785698-3651547468
Opcode ID: 75b3554476031ab20edded67fa10d4747db7fda8559f1d36472bd0d557ea95a3
Instruction ID: 49d8b01bfee3644271ad429ab12f1a83106b7f1585004467be13693869ca0aaf
Opcode Fuzzy Hash: 75b3554476031ab20edded67fa10d4747db7fda8559f1d36472bd0d557ea95a3
Instruction Fuzzy Hash: 8001A2B6701604C6D7009F69E8943983770F785B58FC5812ADB0E773A2CB3CC889C749

Function 00406950 Relevance: 9.1, APIs: 6, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 4f3da7276251e1da0c0e6aa49c04d6e0bcf7ff3e088fe48462008955fc8f5936
Instruction ID: adb2d998708df20823972c9038fe79fc01efe8dead41dd2d8f2d3a7cb5e430a5
Opcode Fuzzy Hash: 4f3da7276251e1da0c0e6aa49c04d6e0bcf7ff3e088fe48462008955fc8f5936
Instruction Fuzzy Hash: 6331A5B27012018AFF255F75990076B6251EB84B99F198136CF1A9BBC4EE7CCC91C789

Function 00406820 Relevance: 9.1, APIs: 6, Instructions: 92synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00406854
WaitForSingleObject.KERNEL32(0000003D,00000008,00000000,00000008,00407D40,?,?,0000003D,?,0000003D,?,?,004064C6,00000008), ref: 004068AD

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentObjectSingleThreadWait
String ID:
API String ID: 1728940165-0
Opcode ID: 47bece56c122f0e1aa41513e5a3a78f6c3e946c29ee868df62646a0172b6a58c
Instruction ID: fc1a62eaa0c57444cf29d0e8a597dc91e7f803d354e66607114e0600c8627551
Opcode Fuzzy Hash: 47bece56c122f0e1aa41513e5a3a78f6c3e946c29ee868df62646a0172b6a58c
Instruction Fuzzy Hash: C0318F73B022058AEB156F35D84075B2291EB44B99F19C136CF1A9B7D8EA3CCCE1C399

Function 00408120 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00408135

Part of subcall function 004074F0: TlsGetValue.KERNEL32 ref: 0040750C

SetLastError.KERNEL32 ref: 00408172
realloc.MSVCRT ref: 004081A3
realloc.MSVCRT ref: 004081B7
memset.MSVCRT ref: 004081D7
memset.MSVCRT ref: 004081ED

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: ErrorLastmemsetrealloc$Value
String ID:
API String ID: 1675512986-0
Opcode ID: 223d3009a9ef8e85c21bbbcd79417698199e98664a99f6a07d58e65fcfa285a3
Instruction ID: 62be2ed5063c3c54d6ec1774876784d2551a296588f3e042287308eae0213996
Opcode Fuzzy Hash: 223d3009a9ef8e85c21bbbcd79417698199e98664a99f6a07d58e65fcfa285a3
Instruction Fuzzy Hash: 9321C0327107409ADB14EF3B9840B5D3791FB88FA8F48083A9E4A17795EE3DD496C788

Function 00408310 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004074F0: TlsGetValue.KERNEL32 ref: 0040750C

TlsGetValue.KERNEL32 ref: 0040834B
CloseHandle.KERNEL32 ref: 00408376
_endthreadex.MSVCRT ref: 0040838C
CloseHandle.KERNEL32 ref: 004083AD
TlsSetValue.KERNEL32 ref: 004083CD
CloseHandle.KERNEL32 ref: 004083E0

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CloseHandleValue$_endthreadex
String ID:
API String ID: 3955988603-0
Opcode ID: 49bc13754463169454b9be46e57fb6d5d04353065d8bb5c09bcab0570a8f4f03
Instruction ID: 526bc60f57dce2b01feb9568bca3646861effedfad43c078d0c5a4ced2b6647e
Opcode Fuzzy Hash: 49bc13754463169454b9be46e57fb6d5d04353065d8bb5c09bcab0570a8f4f03
Instruction Fuzzy Hash: 46216872504A44C2EB259F21E5543697BA0F7C4F58F09413ADF8A273E4DF3E9885C349

Function 004046D5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 004046F3

Strings

@g@, xrefs: 00404682
@, xrefs: 00404732
could not import: , xrefs: 00404693

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: AddressProc
String ID: @$@g@$could not import:
API String ID: 190572456-1198613637
Opcode ID: 0036827a0c924401b60dbb7201a3dd1273e294c45e7202368e0e09dab5bad789
Instruction ID: 7ebad886d2771344b8451b3406e87352118a2874c6dd50b7a055f892b80eabb8
Opcode Fuzzy Hash: 0036827a0c924401b60dbb7201a3dd1273e294c45e7202368e0e09dab5bad789
Instruction Fuzzy Hash: 7B112997B0524014FB21E716E8103AB9652A3DB798E980136DF5D2B7CAE77C8856C304

Function 004073A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004073F4
_ultoa.MSVCRT ref: 00407406
OutputDebugStringA.KERNEL32 ref: 0040743A
abort.MSVCRT ref: 00407440

Strings

Error cleaning up spin_keys for thread , xrefs: 004073DA

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentDebugOutputStringThread_ultoaabort
String ID: Error cleaning up spin_keys for thread
API String ID: 4191895893-2906507043
Opcode ID: bdaedb090970d0d01ca587cde6f6eebd88a8ab7cd9dc0983605b5b8f45151603
Instruction ID: 2b11dbf325f9206dae38f93986ee680d06634de1643b34b317702c6f72ce58b4
Opcode Fuzzy Hash: bdaedb090970d0d01ca587cde6f6eebd88a8ab7cd9dc0983605b5b8f45151603
Instruction Fuzzy Hash: 7F1129B2B0864085FF218B24E40436A6E91E385758F944332DB99673E4DB3CD886C30B

Function 00407B80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00407BBE
printf.MSVCRT ref: 00407BEA
GetCurrentThreadId.KERNEL32 ref: 00407C00

Strings

T%p %d V=%0X H=%p %s, xrefs: 00407BE0
T%p %d %s, xrefs: 00407C0B

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentThread$printf
String ID: T%p %d %s$T%p %d V=%0X H=%p %s
API String ID: 2165381015-2059990036
Opcode ID: 29dbc66d3d7f7ac1b409f4ea41836fe4aea110396dbf3ab6a3c667dd83629912
Instruction ID: dcb3b3d40c25abdf613877dc25bbea6bbdaa2e02ccee726ce835203a99874290
Opcode Fuzzy Hash: 29dbc66d3d7f7ac1b409f4ea41836fe4aea110396dbf3ab6a3c667dd83629912
Instruction Fuzzy Hash: 8B019233B09B0489EA11AF27F80075A6365F7C8BA4F484136AF4D977A4DA3DE49AC744

Function 00409750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00409775
printf.MSVCRT ref: 004097AD
GetCurrentThreadId.KERNEL32 ref: 004097C0

Strings

RWL%p %d %s, xrefs: 004097CC
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s, xrefs: 00409783

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentThread$printf
String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
API String ID: 2165381015-1971217749
Opcode ID: 51896dfdb83fa2b6406bfcde1285ee30d0da6173f234a2b3343976dbe63aadde
Instruction ID: a39229a982d9eed359273817342c3f8bb6fbb43b1c76c3abbe98cff30270695c
Opcode Fuzzy Hash: 51896dfdb83fa2b6406bfcde1285ee30d0da6173f234a2b3343976dbe63aadde
Instruction Fuzzy Hash: 7901B177711A448AE7119F15F80074A77A4E788F94F058125EF0D53754DB3DC48ACB44

Function 00405010 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00405055
GetCurrentProcessId.KERNEL32 ref: 00405060
GetCurrentThreadId.KERNEL32 ref: 00405069
GetTickCount.KERNEL32 ref: 00405071
QueryPerformanceCounter.KERNEL32 ref: 0040507E

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: b90df0e09f7277041c6bb00634418d3dfcf8a71308a7458ae5798fb1bcc463cc
Instruction ID: 2ece7c0d7d3fb42eb0943ea6b84fda6fadd33c193ba9ef62400c82e1c4872bcb
Opcode Fuzzy Hash: b90df0e09f7277041c6bb00634418d3dfcf8a71308a7458ae5798fb1bcc463cc
Instruction Fuzzy Hash: 56116D6A611B1486FB105B25BC1835A6360B788BB4F0807319F5C53BA4EA3CD4C58748

Function 0040A140 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040A156
LeaveCriticalSection.KERNEL32 ref: 0040A17A
ReleaseSemaphore.KERNEL32 ref: 0040A19D
LeaveCriticalSection.KERNEL32 ref: 0040A1AF
LeaveCriticalSection.KERNEL32 ref: 0040A1C3

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID:
API String ID: 2813224205-0
Opcode ID: eb46011cbe728a7e239ab3df55bf4d0488c8117b2b47d2258addfa5a4c687160
Instruction ID: 164aa6dd7d0e247058e53e0e1e16b20f93f41b26d58e958307811f433d7fc4db
Opcode Fuzzy Hash: eb46011cbe728a7e239ab3df55bf4d0488c8117b2b47d2258addfa5a4c687160
Instruction Fuzzy Hash: E701A272B0571883FB154B67AD003A96390AB89FF6F4481308F0E46794ED3C89D78309

Function 0040AE90 Relevance: 6.3, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040AEA9
LeaveCriticalSection.KERNEL32 ref: 0040AEBF

Part of subcall function 0040A140: EnterCriticalSection.KERNEL32 ref: 0040A156
Part of subcall function 0040A140: LeaveCriticalSection.KERNEL32 ref: 0040A17A

LeaveCriticalSection.KERNEL32 ref: 0040AF23

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 04a503100a7fbef466b93cf7d5a47c3b286b1f2d37fe78cf0c8e8f2f3d7cd60e
Instruction ID: 89df100aa4702b325f5cbe8a15e88f7f6ea04ae4ce9daa85113d1dcf1404b2a8
Opcode Fuzzy Hash: 04a503100a7fbef466b93cf7d5a47c3b286b1f2d37fe78cf0c8e8f2f3d7cd60e
Instruction Fuzzy Hash: FD3126B22007418AD7509F36D84079A7760F784B98F088532DF2A97798EF38C4A68755

Function 004070A0 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004070CB
free.MSVCRT ref: 004070D9
free.MSVCRT ref: 004070E7

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b5ac732659f302b197f9af42b44f581d10ac1d948493383e0a19733665c99845
Instruction ID: 9b98cce580f341b08afbd0a9d25e67d2c1d52a802931573d647f1a11822e4c55
Opcode Fuzzy Hash: b5ac732659f302b197f9af42b44f581d10ac1d948493383e0a19733665c99845
Instruction Fuzzy Hash: 3231BCB1B2BA4080EE54DF12E8607AA2351BB44B84F4845378B0E6B7C1DFBCA4C5C34E

Function 00408F40 Relevance: 6.1, APIs: 4, Instructions: 93synchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00408F7F

Part of subcall function 004074F0: TlsGetValue.KERNEL32 ref: 0040750C

WaitForSingleObject.KERNEL32 ref: 00408FC3
CloseHandle.KERNEL32 ref: 00408FE6
CloseHandle.KERNEL32 ref: 00408FF1

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Handle$Close$InformationObjectSingleValueWait
String ID:
API String ID: 3336430066-0
Opcode ID: 94561ba535e7eb87de228245231c173bc1b10866d201c30543573a7873aa3289
Instruction ID: 4c2eb582730636790bbe5faf07eb2e4dc223f9ad87af774a6c34e96179dcb02f
Opcode Fuzzy Hash: 94561ba535e7eb87de228245231c173bc1b10866d201c30543573a7873aa3289
Instruction Fuzzy Hash: BF31727271551090EB51AF26E9507AA2361EB80B98F48413B9F0EB73E5DF3CCC86C349

Function 00408E30 Relevance: 6.1, APIs: 4, Instructions: 68synchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00408E60

Part of subcall function 004074F0: TlsGetValue.KERNEL32 ref: 0040750C

WaitForSingleObject.KERNEL32 ref: 00408EB6
CloseHandle.KERNEL32 ref: 00408EC7
CloseHandle.KERNEL32 ref: 00408ED2

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Handle$Close$InformationObjectSingleValueWait
String ID:
API String ID: 3336430066-0
Opcode ID: bf54d20186730b733f3033573d09d0865ddafb60e2947f94218dff133e39fce1
Instruction ID: 3835ea98b7a576cb77332b9312d704c85cbc0be8ef46f1dcbc300e920ddb46e3
Opcode Fuzzy Hash: bf54d20186730b733f3033573d09d0865ddafb60e2947f94218dff133e39fce1
Instruction Fuzzy Hash: C0219272711A4185EB149F35DA4036A7365EB84BA8F48423BAE6DA77D8DF3CCC81C348

Function 00407C90 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00407CAD
GetProcessAffinityMask.KERNEL32 ref: 00407CBC
GetCurrentProcess.KERNEL32 ref: 00407CF2
SetProcessAffinityMask.KERNEL32 ref: 00407CFA

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: ae649716770078c60aab8f91a67604c6a9c84ba7e9c394b8010b5a28038c2cc7
Instruction ID: 4759968dd8259ccfd3f6dd1bf9cc40f5d15925abbff648fe7c63ac5051aaa0d9
Opcode Fuzzy Hash: ae649716770078c60aab8f91a67604c6a9c84ba7e9c394b8010b5a28038c2cc7
Instruction Fuzzy Hash: 57F0C273B08A4846FF354B69B8003EA5350BB88B88F4D0136EE8C577A0EE3CD985C208

Function 004044E0 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 004044F0
signal.MSVCRT ref: 00404501
signal.MSVCRT ref: 00404512
signal.MSVCRT ref: 00404523

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 1f763610e80ed9761a22474f708b1abc43244adf62ebf0a3229126d9af61beb2
Instruction ID: 9934b6a286831ffb280c01ce65422ec9cde4883020077afceda4b065336c0c96
Opcode Fuzzy Hash: 1f763610e80ed9761a22474f708b1abc43244adf62ebf0a3229126d9af61beb2
Instruction Fuzzy Hash: 2BE08CE8B0271091F748A725D896768127293C9340FA2583F870B2BBD55F7D8D26CB4F

Function 00405303 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379
Unknown error, xrefs: 00405400

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 6717ab7750e2b4dc33bb1ad409d0c977c4de9569680406e74c1b6971a852950d
Instruction ID: fd98b8da69ad5590dccb171f3213f91dfb8c00cde0b8a78468a27d2991999229
Opcode Fuzzy Hash: 6717ab7750e2b4dc33bb1ad409d0c977c4de9569680406e74c1b6971a852950d
Instruction Fuzzy Hash: 9B11A363804E84C6D3068F5CE8423EAB375FF9A759F599316EB8927221EB39C547C704

Function 0040226E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 004022C1
exit.MSVCRT ref: 004022DC

Strings

virtualFree failing!, xrefs: 004022CB

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: FreeVirtualexit
String ID: virtualFree failing!
API String ID: 1212090140-3108117800
Opcode ID: 6e8f441944f96f08a83f8e86f4d2cd5d40a6e226664ccc1f5e6b63cfb09c4585
Instruction ID: a0115fd554974488176b1ee1999c0447be5f02f20f4853970660cae25a7a0da8
Opcode Fuzzy Hash: 6e8f441944f96f08a83f8e86f4d2cd5d40a6e226664ccc1f5e6b63cfb09c4585
Instruction Fuzzy Hash: AAF05E6A707A5085EA44EB72E88C39923E1F744B80FA0C439CA0DA7390DE79C5A6D345

Function 004053C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379
Overflow range error (OVERFLOW), xrefs: 004053C0

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 882ceb7b6f2dd19204402db65d8aef6977eb84556260a19403f501113d26d431
Instruction ID: 867f74a3dffa014e4d68d9ce76b1e956c410b44e23c0172ff7d17b53c539413b
Opcode Fuzzy Hash: 882ceb7b6f2dd19204402db65d8aef6977eb84556260a19403f501113d26d431
Instruction Fuzzy Hash: 59F06256804E8481C2019F1CA4003ABB374FF8D789F59531AEF8936164DB38C647C704

Function 004053D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379
The result is too small to be represented (UNDERFLOW), xrefs: 004053D0

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 1a271ccfc8e5f425e06f946d243b90e02c14ea4d60abc81d0947c2f763f70fd2
Instruction ID: 076bf1569d1e244970be082962cc41633047343012a583bcdaae8345c7c95ead
Opcode Fuzzy Hash: 1a271ccfc8e5f425e06f946d243b90e02c14ea4d60abc81d0947c2f763f70fd2
Instruction Fuzzy Hash: 79F06257904E8481C2019F18A8003ABB374FF8D789F59531AEF8936164DB38C6878704

Function 004053E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379
Total loss of significance (TLOSS), xrefs: 004053E0

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 0291d077e61e7b707ed6a624acc9aed5aa3e2d20fd64d71826d408d38fca1f77
Instruction ID: b81d57ea15fcdd01d8f8965055a28406150b722845be22f2793afbb6d306b246
Opcode Fuzzy Hash: 0291d077e61e7b707ed6a624acc9aed5aa3e2d20fd64d71826d408d38fca1f77
Instruction Fuzzy Hash: E9F06252804E8481C2019F18A4003ABB374FF8D789F59531AEF8936524DB38C6878704

Function 004053F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

Partial loss of significance (PLOSS), xrefs: 004053F0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: d20a4b237e3385310399897af6f419364295070e4dac8793e780f094f282666b
Instruction ID: 0716048b3bf2fc4679c05361fb154fe1a7f62ab04906b8cd34354216b042b1e8
Opcode Fuzzy Hash: d20a4b237e3385310399897af6f419364295070e4dac8793e780f094f282666b
Instruction Fuzzy Hash: C5F06252804E8481C2019F18A4003ABB374FF4D789F59531AEF8936164DB38C6478704

Function 004053B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379
Argument singularity (SIGN), xrefs: 004053B0

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 6981bf5c895afa7006720006c0a65c668c2d463687c0fe2ced7e869ead1392a8
Instruction ID: 6bb61e6e97de5c731350b2bf9ff51882cf36e3e0163fa033220d3b90616c32f7
Opcode Fuzzy Hash: 6981bf5c895afa7006720006c0a65c668c2d463687c0fe2ced7e869ead1392a8
Instruction Fuzzy Hash: CBF06252804E8481C2019F18A4003ABB375FF5D789F59531AEF8936124DB39C6478704

Function 00405341 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00405389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00405379
Argument domain error (DOMAIN), xrefs: 00405341

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 041dfcac5cd2730f3cb7b2935f7dd9dd07187338d4c308035037506489feeb3f
Instruction ID: 8fcf6f73da62e2695ed878605290a599c25e892194e8eb97a34d2c33614aac7b
Opcode Fuzzy Hash: 041dfcac5cd2730f3cb7b2935f7dd9dd07187338d4c308035037506489feeb3f
Instruction Fuzzy Hash: 3AF03656904F8881D201DF19A80039BB375FF5E799F55531AEF8937524DB29C547C704

Function 00401B49 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

exit.MSVCRT(?,?,?,?,00401BA5,?,?,?,?,0040255D,?,?,?,?,?,00000000), ref: 00401B7A
VirtualAlloc.KERNEL32 ref: 00401B95

Strings

out of memory, xrefs: 00401B66

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: AllocVirtualexit
String ID: out of memory
API String ID: 1690354023-49810860
Opcode ID: 48897c503623f553911eb7674d49bff72344a57f923af7e61834ed1e6285ddc7
Instruction ID: 2a05ff1038f12bd885fa3be1bb0d76cd0f9cb3262eb703b16512da769b87dae4
Opcode Fuzzy Hash: 48897c503623f553911eb7674d49bff72344a57f923af7e61834ed1e6285ddc7
Instruction Fuzzy Hash: E9E048B071360081EE1C77B2A89533921256B59B89F44453ECB0E2B3F1EE3DD2558758

Function 0040ABF0 Relevance: 5.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040AC37
LeaveCriticalSection.KERNEL32 ref: 0040AC5E

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 374824018d716c867d07595619a76d01fa581008388c04c54a29c88bcb63c38d
Instruction ID: 6926c6a9b163d29736ae1ac69ecdd78de28307c743802c9c94e6404d0092ea42
Opcode Fuzzy Hash: 374824018d716c867d07595619a76d01fa581008388c04c54a29c88bcb63c38d
Instruction Fuzzy Hash: D73130737087408BF7118F39E40039963A0E744BA8F198232DF25573D8EB38C896DB5A

Function 0040AAC0 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040AB07
LeaveCriticalSection.KERNEL32 ref: 0040AB2E

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 17716ec90eecaa7e02d7715e93047ac81f9d33d78ee6121e417759f5cf6cb213
Instruction ID: b4ac7f40e183227341af15e7dc2474d82bec10291a17cfa10cf1b651cdb3bc0e
Opcode Fuzzy Hash: 17716ec90eecaa7e02d7715e93047ac81f9d33d78ee6121e417759f5cf6cb213
Instruction Fuzzy Hash: EE217FB36047018BDB04DF39D84079A33A1F744B68F088232CF158B798EB38D996DB56

Function 0040A890 Relevance: 5.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0040AD6B), ref: 0040A8C0
LeaveCriticalSection.KERNEL32(?,?,0040AD6B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A8D6
EnterCriticalSection.KERNEL32(?,?,0040AD6B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A905
LeaveCriticalSection.KERNEL32(?,?,0040AD6B,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A90F

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 17853caef44ba5b5a15c4db5e32d67f59c7d81ee41d736d42615fd067cfa1c8d
Instruction ID: e612b589c65d6ad95af48e19e3b37c53ff38eef1ceb5de07f10e092681edd510
Opcode Fuzzy Hash: 17853caef44ba5b5a15c4db5e32d67f59c7d81ee41d736d42615fd067cfa1c8d
Instruction Fuzzy Hash: 8D01D13370461499E716EB33AC00B6A6790BBC9FE8F198022EE0917754DE3CC993C706

Function 00405E40 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00405E67
free.MSVCRT ref: 00405EB8
LeaveCriticalSection.KERNEL32 ref: 00405EC4

Memory Dump Source

Source File: 00000000.00000002.3314926766.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3314917672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314940029.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314952687.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314965375.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314975296.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3314985101.0000000000417000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3344.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 779815c0cdb624a0ac66ad72c0c6399530f38951d1bb563984b48ad28879ecfd
Instruction ID: 6433c338ca8aa27eb8d1086780a615c0d7b70ce62ce65857277531e7ca4c4323
Opcode Fuzzy Hash: 779815c0cdb624a0ac66ad72c0c6399530f38951d1bb563984b48ad28879ecfd
Instruction Fuzzy Hash: C00171B1711A04C2EF08DB61E8903AB23A5F794B41F944436DA4D83360EB7CDAC2CB88

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3344.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 3344.exePID: 5424, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: 3344.exePID: 5424, Parent PID: 1028COMMON

Execution Graph

Windows Analysis Report
3344.exe

Function 00401180 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 189
sleepstringCOMMON

Function 001C00D6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148
networklibraryCOMMON

Function 00404D7E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
memorythreadinjectionCOMMON

Function 004074F0 Relevance: 15.1, APIs: 10, Instructions: 80
COMMON

Function 004019C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56
COMMON

Function 00407790 Relevance: 13.6, APIs: 9, Instructions: 111
COMMON

Function 00406460 Relevance: 12.1, APIs: 8, Instructions: 128
COMMON

Function 00407D10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
COMMON

Function 00404BEF Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Function 00405610 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 283
memoryCOMMON