Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1582593
MD5:	b3fad209b07f4d66570c24a40f30d5c7
SHA1:	0bd9c9aee1eafebdb435593c393392753b879e0f
SHA256:	f8840621ccce4e993283ac91d322c35cacd42619856477e057eac1cb1127bd6b
Tags:	exeMeduzaMeduzaStealeruser-aachum
Infos:

Detection

Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Loader.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: B3FAD209B07F4D66570C24A40F30D5C7)

Loader.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: B3FAD209B07F4D66570C24A40F30D5C7)

cmd.exe (PID: 7816 cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7860 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "147.45.44.216", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "37", "self_destruct": true, "extensions": "", "links": "", "grabber_max_size": 1048576}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp	infostealer_win_meduzastealer	Finds MeduzaStealer samples based on specific strings	Sekoia.io	0x11292c:$str01: emoji 0x1154b8:$str02: %d-%m-%Y, %H:%M:%S 0x115528:$str03: [UTC 0x115530:$str04: user_name 0x115578:$str05: computer_name 0x115550:$str06: timezone 0x115488:$str07: current_path() 0x1128f0:$str08: [json.exception. 0x12cf12:$str09: GDI32.dll 0x12d184:$str10: GdipGetImageEncoders 0x12d1fc:$str10: GdipGetImageEncoders 0x12c7b0:$str11: GetGeoInfoA
Process Memory Space: Loader.exe PID: 7624	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: Loader.exe PID: 7624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Loader.exe.140000000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
1.2.Loader.exe.140000000.0.unpack	infostealer_win_meduzastealer	Finds MeduzaStealer samples based on specific strings	Sekoia.io	0x11152c:$str01: emoji 0x1140b8:$str02: %d-%m-%Y, %H:%M:%S 0x114128:$str03: [UTC 0x114130:$str04: user_name 0x114178:$str05: computer_name 0x114150:$str06: timezone 0x114088:$str07: current_path() 0x1114f0:$str08: [json.exception. 0x12bb12:$str09: GDI32.dll 0x12bd84:$str10: GdipGetImageEncoders 0x12bdfc:$str10: GdipGetImageEncoders 0x12b3b0:$str11: GetGeoInfoA
1.2.Loader.exe.140000000.0.raw.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
1.2.Loader.exe.140000000.0.raw.unpack	infostealer_win_meduzastealer	Finds MeduzaStealer samples based on specific strings	Sekoia.io	0x11292c:$str01: emoji 0x1154b8:$str02: %d-%m-%Y, %H:%M:%S 0x115528:$str03: [UTC 0x115530:$str04: user_name 0x115578:$str05: computer_name 0x115550:$str06: timezone 0x115488:$str07: current_path() 0x1128f0:$str08: [json.exception. 0x12cf12:$str09: GDI32.dll 0x12d184:$str10: GdipGetImageEncoders 0x12d1fc:$str10: GdipGetImageEncoders 0x12c7b0:$str11: GetGeoInfoA

Sigma Signatures

System Summary

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Loader.exe", ParentImage: C:\Users\user\Desktop\Loader.exe, ParentProcessId: 7624, ParentProcessName: Loader.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe", ProcessId: 7816, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T00:52:02.424899+0100	2046303	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.216	15666	TCP
2024-12-31T00:52:02.430129+0100	2046303	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.216	15666	TCP

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T00:52:02.424899+0100	2050807	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.216	15666	TCP
2024-12-31T00:52:02.430129+0100	2050807	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.216	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.Loader.exe.140000000.0.raw.unpack

Malware Configuration Extractor: Meduza Stealer {"C2 url": "147.45.44.216", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "37", "self_destruct": true, "extensions": "", "links": "", "grabber_max_size": 1048576}

Multi AV Scanner detection for submitted file

Source: Loader.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140076AA0 CryptUnprotectData,LocalFree,	1_2_0000000140076AA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D3090 CryptUnprotectData,	1_2_00000001400D3090
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400772C0 BCryptCloseAlgorithmProvider,	1_2_00000001400772C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140077340 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,Concurrency::cancel_current_task,	1_2_0000000140077340
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D3658 BCryptCloseAlgorithmProvider,	1_2_00000001400D3658
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140033A30 BCryptDestroyKey,	1_2_0000000140033A30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140036C90 CryptUnprotectData,LocalFree,	1_2_0000000140036C90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140076DC0 CryptProtectData,LocalFree,	1_2_0000000140076DC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140076F20 BCryptDecrypt,BCryptDecrypt,	1_2_0000000140076F20

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: Loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E3CA90 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7E4E3CA90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400B9DB8 FindClose,FindFirstFileExW,GetLastError,	1_2_00000001400B9DB8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D3100 FindFirstFileW,	1_2_00000001400D3100
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400B9E68 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	1_2_00000001400B9E68
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E3CAF1 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF7E4E3CAF1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2046303 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1 : 192.168.2.4:49730 -> 147.45.44.216:15666

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.45.44.216:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 147.45.44.216:15666

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.216

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00000001400840A0 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task,

1_2_00000001400840A0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: Loader.exe, 00000001.00000003.1828750732.0000029E6E9B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1828719030.0000029E6E9B0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1676773188.0000029E6E9A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: Loader.exe, 00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Loader.exe, 00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/B
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Loader.exe, 00000001.00000003.1694149732.0000029E6E000000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692144032.0000029E6EDFF000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692025439.0000029E6E008000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692831305.0000029E6EDF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692144032.0000029E6ED08000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1694414972.0000029E6EEC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Loader.exe, 00000001.00000003.1679960665.0000029E6ED87000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1680614566.0000029E6EC89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Loader.exe, 00000001.00000003.1679763052.0000029E6C1AB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECDB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ED10000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679960665.0000029E6ED62000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679544542.0000029E6ECA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Loader.exe, 00000001.00000003.1679960665.0000029E6ED87000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1680614566.0000029E6EC89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Loader.exe, 00000001.00000003.1679763052.0000029E6C1AB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECDB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ED10000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679960665.0000029E6ED62000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679544542.0000029E6ECA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Loader.exe, 00000001.00000003.1694149732.0000029E6E000000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692144032.0000029E6EDFF000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692025439.0000029E6E008000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692831305.0000029E6EDF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692144032.0000029E6ED08000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1694414972.0000029E6EEC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Loader.exe, 00000001.00000003.1692144032.0000029E6EE07000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692025439.0000029E6E00F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Loader.exe, 00000001.00000003.1692144032.0000029E6EE07000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692025439.0000029E6E00F000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00000001400849D0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_00000001400849D0

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Loader.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 1.2.Loader.exe.140000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io

Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D3718 NtQueryObject,	1_2_00000001400D3718
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400888E0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	1_2_00000001400888E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140088FE0 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	1_2_0000000140088FE0

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E32DD0	0_2_00007FF7E4E32DD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E3CA90	0_2_00007FF7E4E3CA90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E37008	0_2_00007FF7E4E37008
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400840A0	1_2_00000001400840A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400320B0	1_2_00000001400320B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014008B17B	1_2_000000014008B17B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140086250	1_2_0000000140086250
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140065250	1_2_0000000140065250
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400442D0	1_2_00000001400442D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140030450	1_2_0000000140030450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014003C5E0	1_2_000000014003C5E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014003D680	1_2_000000014003D680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400856C0	1_2_00000001400856C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A16FC	1_2_00000001400A16FC
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014002F730	1_2_000000014002F730
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014007B7D0	1_2_000000014007B7D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140064870	1_2_0000000140064870
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400849D0	1_2_00000001400849D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140097A4C	1_2_0000000140097A4C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014003BA80	1_2_000000014003BA80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140034B70	1_2_0000000140034B70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140031B90	1_2_0000000140031B90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140086BE0	1_2_0000000140086BE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014008BC00	1_2_000000014008BC00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140032CA0	1_2_0000000140032CA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014003DD20	1_2_000000014003DD20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140050D9A	1_2_0000000140050D9A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014002FE20	1_2_000000014002FE20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140048E80	1_2_0000000140048E80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014007DF10	1_2_000000014007DF10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400BEF18	1_2_00000001400BEF18
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014006BF80	1_2_000000014006BF80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005AFF0	1_2_000000014005AFF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014009405C	1_2_000000014009405C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014009E0A6	1_2_000000014009E0A6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400070E0	1_2_00000001400070E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014006F1C0	1_2_000000014006F1C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014007D1E0	1_2_000000014007D1E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400991E4	1_2_00000001400991E4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400752A6	1_2_00000001400752A6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014007A320	1_2_000000014007A320
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005B320	1_2_000000014005B320
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140089330	1_2_0000000140089330
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A5328	1_2_00000001400A5328
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005A380	1_2_000000014005A380
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400853A0	1_2_00000001400853A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400283D0	1_2_00000001400283D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400AA450	1_2_00000001400AA450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140026510	1_2_0000000140026510
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140025520	1_2_0000000140025520
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014008F5D4	1_2_000000014008F5D4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140097610	1_2_0000000140097610
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140006610	1_2_0000000140006610
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140053620	1_2_0000000140053620
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140061650	1_2_0000000140061650
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005A680	1_2_000000014005A680
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400BE87C	1_2_00000001400BE87C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014003893D	1_2_000000014003893D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A1978	1_2_00000001400A1978
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014009D998	1_2_000000014009D998
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400749B0	1_2_00000001400749B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005A9B0	1_2_000000014005A9B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005F9C0	1_2_000000014005F9C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400509F0	1_2_00000001400509F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400AA9E8	1_2_00000001400AA9E8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140077A00	1_2_0000000140077A00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140091A10	1_2_0000000140091A10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140094A24	1_2_0000000140094A24
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140033A30	1_2_0000000140033A30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140030A80	1_2_0000000140030A80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A5A98	1_2_00000001400A5A98
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014008FAE0	1_2_000000014008FAE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140056BEB	1_2_0000000140056BEB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140073C40	1_2_0000000140073C40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140093C54	1_2_0000000140093C54
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A8C88	1_2_00000001400A8C88
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014005ACD0	1_2_000000014005ACD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014007FCF0	1_2_000000014007FCF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A8D0F	1_2_00000001400A8D0F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140006D20	1_2_0000000140006D20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014009FDA4	1_2_000000014009FDA4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140005DB0	1_2_0000000140005DB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140074DF0	1_2_0000000140074DF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140039E40	1_2_0000000140039E40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140093E58	1_2_0000000140093E58
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400B9E68	1_2_00000001400B9E68
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140030E80	1_2_0000000140030E80
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140036EE0	1_2_0000000140036EE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140094F2C	1_2_0000000140094F2C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A6F34	1_2_00000001400A6F34
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A1F68	1_2_00000001400A1F68
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400A2FA4	1_2_00000001400A2FA4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014003AFB0	1_2_000000014003AFB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140088FE0	1_2_0000000140088FE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E32DD0	1_2_00007FF7E4E32DD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E3CAF1	1_2_00007FF7E4E3CAF1

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 000000014002E1D0 appears 33 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 0000000140096B14 appears 35 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 000000014002BA80 appears 32 times
Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 00000001400475F0 appears 60 times

Source: 1.2.Loader.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 1.2.Loader.exe.140000000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/1@1/2

Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_000000014008A560 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		1_2_000000014008A560
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D3008 AdjustTokenPrivileges,CredEnumerateA,		1_2_00000001400D3008

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_000000014003D680 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_000000014003D680

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_0000000140073C40 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysStringByteLen,SysFreeString,SysFreeString,

1_2_0000000140073C40

Source: C:\Users\user\Desktop\Loader.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69635E3D4650
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Loader.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Loader.exe

Static file information: File size 3276800 > 1048576

Source: Loader.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x309c00

Source: Loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Loader.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_000000014003C5E0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_000000014003C5E0

Source: Loader.exe	Static PE information: section name: .00cfg
Source: Loader.exe	Static PE information: section name: .gxfg
Source: Loader.exe	Static PE information: section name: .retplne
Source: Loader.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_000000014004CBE2 push rbp; retf

1_2_000000014004CBE5

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_000000014007B500 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

1_2_000000014007B500

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\Loader.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-74130

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E3CA90 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7E4E3CA90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400B9DB8 FindClose,FindFirstFileExW,GetLastError,	1_2_00000001400B9DB8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D3100 FindFirstFileW,	1_2_00000001400D3100
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400B9E68 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	1_2_00000001400B9E68
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E3CAF1 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF7E4E3CAF1

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00000001400978F8 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

1_2_00000001400978F8

Source: Loader.exe, 00000001.00000003.1677304331.0000029E6C194000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1828988568.0000029E6C13D000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000002.1829842240.0000029E6C13E000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1828988568.0000029E6C197000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Loader.exe, 00000001.00000003.1677304331.0000029E6C194000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1828988568.0000029E6C197000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWk;

Source: C:\Users\user\Desktop\Loader.exe	API call chain: ExitProcess graph end node			graph_1-74075
Source: C:\Users\user\Desktop\Loader.exe	API call chain: ExitProcess graph end node			graph_1-74071

Source: C:\Users\user\Desktop\Loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00000001400D3700 LdrEnumerateLoadedModules,

1_2_00000001400D3700

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00007FF7E4E37760 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7E4E37760

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_00000001400BC0C4 GetLastError,IsDebuggerPresent,OutputDebugStringW,

1_2_00000001400BC0C4

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_000000014003C5E0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_000000014003C5E0

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00007FF7E4E39E10 GetProcessHeap,

0_2_00007FF7E4E39E10

Source: C:\Users\user\Desktop\Loader.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E37760 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E4E37760
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E3C0E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7E4E3C0E8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E354D4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E4E354D4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FF7E4E354C4 SetUnhandledExceptionFilter,	0_2_00007FF7E4E354C4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400D32D8 SetUnhandledExceptionFilter,	1_2_00000001400D32D8
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_0000000140096828 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0000000140096828
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400ADB78 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00000001400ADB78
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00000001400ADD58 SetUnhandledExceptionFilter,	1_2_00000001400ADD58
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E37760 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7E4E37760
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E354D4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF7E4E354D4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E354C4 SetUnhandledExceptionFilter,	1_2_00007FF7E4E354C4
Source: C:\Users\user\Desktop\Loader.exe	Code function: 1_2_00007FF7E4E3C0E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF7E4E3C0E8

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Users\user\Desktop\Loader.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Loader.exe

Thread register set: target process: 7624

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_000000014007A320 ShellExecuteW,

1_2_000000014007A320

Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00007FF7E4E417D0 cpuid

0_2_00007FF7E4E417D0

Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	1_2_000000014009C3A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	1_2_00000001400D3398
Source: C:\Users\user\Desktop\Loader.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_00000001400A74C4
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	1_2_00000001400A7820
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	1_2_000000014009C8E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	1_2_00000001400A78F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00000001400A7988
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoEx,FormatMessageA,	1_2_00000001400B9A28
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	1_2_00000001400A7BD0
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00000001400A7D28
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	1_2_00000001400A7DD8
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00000001400A7F0C

Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_00007FF7E4E35304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7E4E35304

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_0000000140084FB0 GetUserNameW,

1_2_0000000140084FB0

Source: C:\Users\user\Desktop\Loader.exe

Code function: 1_2_0000000140086250 GetTimeZoneInformation,

1_2_0000000140086250

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match	File source: 1.2.Loader.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Loader.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7624, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\walletsntr
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\configtataa,sz:!
Source: Loader.exe, 00000001.00000003.1691732772.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ny1aaXAgMjMuMDEgKHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzMl0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNDddCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet7-Ziplr:;
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreofilesDrB;
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet7-Ziplr:;
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\simple-storage.jsonbjsonM~i;
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreofilesDrB;
Source: Loader.exe, 00000001.00000003.1702611451.0000029E6C1DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreofilesDrB;

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match

File source: Process Memory Space: Loader.exe PID: 7624, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match	File source: 1.2.Loader.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Loader.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 7624, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 File Deletion	NTDS	34 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Loader.exe	39%	ReversingLabs	Win32.Ransomware.MeduzaStealer

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ns.microsoft.t/Regi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/B	Loader.exe, 00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Loader.exe, 00000001.00000003.1679763052.0000029E6C1AB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECDB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ED10000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679960665.0000029E6ED62000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679544542.0000029E6ECA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	Loader.exe, 00000001.00000003.1694149732.0000029E6E000000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692144032.0000029E6EDFF000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692025439.0000029E6E008000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692831305.0000029E6EDF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1692144032.0000029E6ED08000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1694414972.0000029E6EEC2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Loader.exe, 00000001.00000003.1679960665.0000029E6ED87000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1680614566.0000029E6EC89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Loader.exe, 00000001.00000003.1679763052.0000029E6C1AB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECE6000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECDB000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ED10000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1678045974.0000029E6ECF7000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679960665.0000029E6ED62000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1679544542.0000029E6ECA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Loader.exe, 00000001.00000003.1679960665.0000029E6ED87000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1680614566.0000029E6EC89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.microsoft.t/Regi	Loader.exe, 00000001.00000003.1828750732.0000029E6E9B4000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1828719030.0000029E6E9B0000.00000004.00000020.00020000.00000000.sdmp, Loader.exe, 00000001.00000003.1676773188.0000029E6E9A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Loader.exe, 00000001.00000003.1697408114.0000029E6F80C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Loader.exe, 00000001.00000003.1698453906.0000029E6C1AD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
147.45.44.216	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582593
Start date and time:	2024-12-31 00:51:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/1@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 85 Number of non-executed functions: 133
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Loader.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
147.45.44.216	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.13.205
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0	Get hash	malicious	Unknown	Browse	104.26.12.205
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	tg.exe	Get hash	malicious	Babadeda	Browse	172.67.74.152
	tg.exe	Get hash	malicious	Babadeda	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.177.88
	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	https://compliance-central.com/route/ed5305641af2fd214861ba268e4a42aa2938b075/	Get hash	malicious	Unknown	Browse	1.1.1.1
	Launcher.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.154.95
FREE-NET-ASFREEnetEU	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	147.45.44.216
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131
	search.hta	Get hash	malicious	Unknown	Browse	147.45.112.248
	e9aa0b4540115b3dcec3af70b6de27e54e4a0fa96d1d3.exe	Get hash	malicious	RedLine	Browse	147.45.44.224
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	147.45.49.155
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	147.45.44.151
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	7ZAg3nl9Fu.exe	Get hash	malicious	Unknown	Browse	147.45.44.166
	7ZAg3nl9Fu.exe	Get hash	malicious	Unknown	Browse	147.45.44.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	setup.msi	Get hash	malicious	Unknown	Browse	104.26.13.205
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	104.26.13.205
	Open Purchase Order Summary Details-16-12-2024.vbs	Get hash	malicious	LodaRAT, XRed	Browse	104.26.13.205
	Open Purchase Order Summary Sheet.vbs	Get hash	malicious	LodaRAT, XRed	Browse	104.26.13.205
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	104.26.13.205
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	104.26.13.205
	xyxmml.msi	Get hash	malicious	XRed	Browse	104.26.13.205
	valyzt.msi	Get hash	malicious	XRed	Browse	104.26.13.205
	VKKDXE.exe	Get hash	malicious	LodaRAT, XRed	Browse	104.26.13.205
	New PO - Supplier 16-12-2024-Pdf.exe	Get hash	malicious	XRed	Browse	104.26.13.205

Dropped Files

⊘No context

Created / dropped Files

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	4.825671547285939
Encrypted:	false
SSDEEP:	6:PzXULmWxHLTpUrraGbsW3CNcwAFeMmvVOIHJFxMVlmJHaVFtIk3:P+pTpcraGbsTDAFSkIrxMVlmJHaVPN
MD5:	048DC6B94735C4768D20ED5E3F14F565
SHA1:	6B92CCD1E038396F675090384C6E8DFC742614ED
SHA-256:	6D0C347234F09E710D6B842ED14CD27792E71E5B906E9E806E77AFE8FF08E1BE
SHA-512:	88DF2342FFD4D303BEF828A12F7BEB505DC06E0BE6E91FF7FDA74DE31FAA289089557C036293EE3B0EE55A62D62CC804953C0D89591E662A0B513525AA40093E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=6ms TTL=51....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 6ms, Maximum = 6ms, Average = 6ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	4.438107918678631
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Loader.exe
File size:	3'276'800 bytes
MD5:	b3fad209b07f4d66570c24a40f30d5c7
SHA1:	0bd9c9aee1eafebdb435593c393392753b879e0f
SHA256:	f8840621ccce4e993283ac91d322c35cacd42619856477e057eac1cb1127bd6b
SHA512:	6188bde615cc58ee74ab37146ba4b4db26e33d8a74adbd17efb4b43282ddf014f67cb68ab44f47ae91eeedecad4a1ac5f56141b72e1193c94881997f713eefd1
SSDEEP:	24576:qiiadv30/H2HYi9PnBivY2w66eCIuZLBQZh+Bt5THuO1GJYS6O0/shnaoN4DmAOs:UM0f2HpCrwTeYBNqO1GJYSISsMQ
TLSH:	1EE522016FE875F9C4398334A0976E05BEA278504B609EEF43D416872F66AD09E3EF35
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....lg.........."...........0......P.........@.............................p2...........`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400050b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676C189D [Wed Dec 25 14:37:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	25224432afaf13c692f24efcb620c38b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6684E04A00h
dec eax
add esp, 28h
jmp 00007F6684E0462Fh
int3
int3
dec eax
sub esp, 28h
call 00007F6684E047C4h
dec eax
neg eax
sbb eax, eax
neg eax
dec eax
dec eax
add esp, 28h
ret
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
cmp dword ptr [00318ABEh], FFFFFFFFh
dec eax
mov ebx, ecx
jne 00007F6684E047B9h
call 00007F6684E066B9h
jmp 00007F6684E047C1h
dec eax
mov edx, ebx
dec eax
lea ecx, dword ptr [00318AA8h]
call 00007F6684E0661Ch
xor edx, edx
test eax, eax
dec eax
cmove edx, ebx
dec eax
mov eax, edx
dec eax
add esp, 20h
pop ebx
ret
int3
int3
dec eax
sub esp, 18h
dec esp
mov eax, ecx
mov eax, 00005A4Dh
cmp word ptr [FFFFAED5h], ax
jne 00007F6684E0482Ah
dec eax
arpl word ptr [FFFFAF08h], cx
dec eax
lea edx, dword ptr [FFFFAEC5h]
dec eax
add ecx, edx
cmp dword ptr [ecx], 00004550h
jne 00007F6684E04811h
mov eax, 0000020Bh
cmp word ptr [ecx+18h], ax
jne 00007F6684E04806h
dec esp
sub eax, edx
movzx edx, word ptr [ecx+14h]
dec eax
add edx, 18h
dec eax
add edx, ecx
movzx eax, word ptr [ecx+06h]
dec eax
lea ecx, dword ptr [eax+eax*4]
dec esp
lea ecx, dword ptr [edx+ecx*8]
dec eax
mov dword ptr [esp], edx
dec ecx
cmp edx, ecx
je 00007F6684E047CAh
mov ecx, dword ptr [edx+0Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31ad90	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x325000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x31f000	0x15a8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x326000	0x680	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13040	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31b038	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11c80	0x11e00	0d92c650fbbfcda227074d695da6f26f	False	0.5210063374125874	data	6.374503128582078	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x309b1c	0x309c00	183b28ad00a84574c0d187d7f38cfd6c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x31d000	0x1e70	0xc00	b04cb412c442d91003948daef4dbac9b	False	0.15234375	DOS executable (block device driver)	2.184963466978745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x31f000	0x15a8	0x1600	56e480cd444c6dbe71d072aaf68fc92d	False	0.46732954545454547	data	4.964764994621124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x321000	0x38	0x200	5d344f072ffe90545ae42e007d19a6b2	False	0.072265625	data	0.4473268792999391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gxfg	0x322000	0xf60	0x1000	935a6a7d4fef213de176a26de65d5b15	False	0.418212890625	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.923789045505213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retplne	0x323000	0x8c	0x200	8c950f651287cbc1296bcb4e8cd7e990	False	0.126953125	data	1.050583247971927
_RDATA	0x324000	0x1f4	0x200	e263646b1cb66aae2718bfe9d251bd12	False	0.5234375	data	3.7577827584492653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x325000	0x1a8	0x200	fc0936b2f8c7ff2ad90016c364cae0a2	False	0.482421875	data	4.178189311747683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x326000	0x680	0x800	210679776348707cee9b93231a7eb5cc	False	0.51171875	data	4.9546245438601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x325060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CreateFileW, CreateProcessA, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetThreadContext, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadProcessMemory, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadContext, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAllocEx, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteProcessMemory

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T00:52:02.424899+0100	2046303	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1	1	192.168.2.4	49730	147.45.44.216	15666	TCP
2024-12-31T00:52:02.424899+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.4	49730	147.45.44.216	15666	TCP
2024-12-31T00:52:02.430129+0100	2046303	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1	1	192.168.2.4	49730	147.45.44.216	15666	TCP
2024-12-31T00:52:02.430129+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.4	49730	147.45.44.216	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 00:51:57.587785959 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:51:57.592809916 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:51:57.592885971 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:51:57.704158068 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:57.704215050 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:57.704309940 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:57.715070963 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:57.715090990 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.175426960 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.175610065 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:58.224138021 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:58.224168062 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.224549055 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.228180885 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:58.229296923 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:58.271332026 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.347666025 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.347758055 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:51:58.347982883 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:58.358448982 CET	49731	443	192.168.2.4	104.26.13.205
Dec 31, 2024 00:51:58.358480930 CET	443	49731	104.26.13.205	192.168.2.4
Dec 31, 2024 00:52:02.424899101 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.429986954 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430027008 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430075884 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430119991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430129051 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.430152893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430185080 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.430214882 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.430224895 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430255890 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430304050 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430324078 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.430330992 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430363894 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.430365086 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.430404902 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.430416107 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436043024 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436072111 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436141968 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436146975 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436168909 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436197042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436199903 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436222076 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436223984 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436244965 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436269045 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436275005 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436304092 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436378002 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436642885 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436729908 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436760902 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436794043 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436815023 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436829090 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436856985 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.436877966 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.436903954 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.441987991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442043066 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442074060 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442126989 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.442634106 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442687035 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442739010 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442755938 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.442796946 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.442820072 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442852974 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442907095 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.442931890 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.442962885 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443017006 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443061113 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443089008 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443114996 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443135977 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443151951 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443156958 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443180084 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443201065 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443207026 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443224907 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443248987 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443253994 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443300962 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443344116 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443346024 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443375111 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443401098 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443424940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443439007 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443449020 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443476915 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443502903 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443526030 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443527937 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443546057 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443564892 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443588018 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443592072 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443598032 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443624973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.443634033 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.443888903 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448059082 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448087931 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448113918 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448158026 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448182106 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448561907 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448630095 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448646069 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448657036 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448700905 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448704958 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448733091 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448779106 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448781967 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448807001 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448833942 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448856115 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448867083 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.448874950 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.448915958 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.449246883 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449275017 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449321985 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449328899 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.449350119 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449397087 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449404001 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.449424028 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449471951 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.449810982 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449839115 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449889898 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.449915886 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449944973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.449992895 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450002909 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450020075 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450064898 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450071096 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450099945 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450149059 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450150013 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450179100 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450217962 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450229883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450248957 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450269938 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450293064 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450304031 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450331926 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450354099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450357914 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450381041 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450387001 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450406075 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450434923 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450464964 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450488091 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450490952 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450520039 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450520992 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450531960 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450548887 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450568914 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450577021 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450625896 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450633049 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450654030 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450680971 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450701952 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450707912 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450720072 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450736046 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450754881 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450762987 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450778008 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450812101 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450839043 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450865984 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450865984 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450880051 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450897932 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450923920 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450925112 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450939894 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450953007 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.450962067 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.450994968 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451014042 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451020956 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451039076 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451049089 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451052904 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451092005 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451376915 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451404095 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451452971 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451453924 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451481104 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451527119 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451529026 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451555014 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451606989 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451617956 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451644897 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451670885 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451698065 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451704025 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451725006 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451738119 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451746941 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451773882 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451801062 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451818943 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451827049 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.451853037 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.451872110 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.453722000 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454298973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454366922 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.454385042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454412937 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454441071 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.454462051 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454463959 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.454490900 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454539061 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.454953909 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.454982042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455032110 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455077887 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455106020 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455154896 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455157042 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455183029 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455214024 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455236912 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455240011 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455290079 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455290079 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455333948 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455359936 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455384016 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455385923 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455396891 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455424070 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455434084 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455461979 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455482006 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455488920 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455514908 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455538988 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455563068 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455566883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455590963 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455641031 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455662012 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455689907 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455739021 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455739975 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455787897 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455815077 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455841064 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455841064 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455866098 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455899954 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455902100 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455929995 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455956936 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.455977917 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.455984116 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456003904 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456028938 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456032991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456063032 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456078053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456449032 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456476927 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456504107 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456517935 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456526041 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456552982 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456584930 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456599951 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456634045 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456654072 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456681967 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456707954 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456737041 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456749916 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456754923 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456783056 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456799030 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456829071 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456856012 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456882954 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456883907 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456893921 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456912041 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456934929 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456939936 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456954956 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.456965923 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.456984043 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457004070 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457015991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457043886 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457070112 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457097054 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457103014 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457113981 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457123995 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457139015 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457150936 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457170010 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457201004 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457230091 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457252026 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457257032 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457266092 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457285881 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457302094 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457313061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457341909 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457367897 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457379103 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457390070 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457417965 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457437992 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457444906 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457472086 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457487106 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457499027 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457521915 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457530022 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457537889 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457559109 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457586050 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457622051 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457633018 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457660913 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457678080 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457688093 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457715034 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457732916 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457742929 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457767963 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457771063 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457778931 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457799911 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457827091 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457848072 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457854033 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457869053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457885981 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457911968 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457931042 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457937002 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457966089 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.457983971 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.457993031 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458007097 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458020926 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458048105 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458071947 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458075047 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458095074 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458103895 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458127975 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458131075 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458138943 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458158970 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458185911 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458210945 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458213091 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458225012 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458241940 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458268881 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458268881 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458296061 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458300114 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458319902 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458340883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458353043 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458384991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458410025 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458436012 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458442926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458455086 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458456993 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458470106 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458473921 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458482027 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458494902 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458501101 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458507061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458511114 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458520889 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458530903 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458544016 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458549023 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458560944 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458571911 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458583117 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458595037 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458595991 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458606005 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458607912 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458626986 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458635092 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458647966 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458674908 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458720922 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458765984 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458779097 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458796978 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458808899 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458823919 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458834887 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458851099 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458856106 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458864927 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458893061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458905935 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458908081 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458936930 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458947897 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.458950043 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458981991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.458993912 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459002972 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459026098 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459027052 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459041119 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459049940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459063053 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459069014 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459076881 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459093094 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459106922 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459213018 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459225893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459238052 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459249973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459260941 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459273100 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459279060 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459295988 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459310055 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459310055 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459328890 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459328890 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459352016 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459364891 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459367990 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459407091 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459707022 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459722042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459762096 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459774017 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459786892 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459815025 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459825993 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459832907 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459860086 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459872961 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459873915 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459902048 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459924936 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.459940910 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459953070 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.459966898 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460000038 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.460340023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460541010 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.460799932 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460906029 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460917950 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460941076 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460952997 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.460956097 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.460983992 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461009979 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461014032 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461029053 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461050987 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461057901 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461066008 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461070061 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461085081 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461091042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461101055 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461106062 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461148024 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461150885 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461186886 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461216927 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461229086 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461236000 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461255074 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461262941 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461275101 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461276054 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461303949 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461311102 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461313963 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461324930 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461358070 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461369991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461378098 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461391926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461395025 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.461420059 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.461438894 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463368893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463448048 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463479042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463502884 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463527918 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463547945 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463577032 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463593006 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463627100 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463670969 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463673115 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463725090 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463737965 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463767052 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463778973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463778973 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463802099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463823080 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463824034 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463838100 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463886023 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.463908911 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463922977 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.463968992 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464008093 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464020967 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464056015 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464067936 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464075089 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464102030 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464102983 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464113951 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464127064 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464143991 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464158058 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464169979 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464170933 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464199066 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464210033 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464220047 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464232922 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464268923 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464281082 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464293003 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464324951 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464343071 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464345932 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464358091 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464396954 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464406013 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464418888 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464461088 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464498043 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464512110 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464554071 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464562893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464576960 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464612961 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464624882 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464626074 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464660883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464678049 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464689970 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464703083 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464729071 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464736938 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464742899 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464827061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464843035 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464885950 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464889050 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464903116 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464932919 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464941978 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.464958906 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.464973927 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465003967 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465013981 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465023994 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465037107 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465080023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465084076 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465092897 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465147018 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465148926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465159893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465183020 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465194941 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465210915 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465229988 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465250969 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465265036 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465292931 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465311050 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465311050 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465326071 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465358973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465370893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465375900 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465400934 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465426922 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465441942 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465454102 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465476036 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465481997 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465488911 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465522051 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465538979 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465557098 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465569973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465590954 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465603113 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465641022 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465642929 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465656042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465668917 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465692997 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465701103 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465708017 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465742111 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465753078 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465761900 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465775967 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465787888 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465801001 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465804100 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465822935 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465831041 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465843916 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465845108 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465872049 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465888977 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465892076 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465905905 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465934038 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465944052 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.465967894 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.465981960 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466001034 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466012001 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466013908 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466026068 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466037035 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466048956 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466108084 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466120958 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466142893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466154099 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466155052 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466187000 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466195107 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466207981 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466221094 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466249943 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466258049 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466259956 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466270924 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466317892 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466327906 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466341972 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466394901 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466407061 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466408014 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466439962 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466454029 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466454029 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466485023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466496944 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466496944 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466527939 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.466533899 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.466537952 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.467935085 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.507386923 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.508748055 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.508825064 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.508882046 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.508948088 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509002924 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509066105 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509116888 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509174109 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509227991 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509280920 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509325981 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509390116 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.509433985 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518040895 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.518074036 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.518107891 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.518496990 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518567085 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518615007 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518673897 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518719912 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518774986 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.518812895 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.563409090 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.564131975 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.614419937 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.615734100 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616033077 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616082907 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616127968 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616182089 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616235971 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616295099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616343975 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616399050 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616446972 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.616503954 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.620691061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.621361017 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.621431112 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.621464014 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.667427063 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.667957067 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.672903061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.672985077 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.673132896 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.673192024 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.673237085 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.673299074 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.673342943 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.673428059 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.675039053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.715413094 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.715953112 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.746715069 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.746758938 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.746908903 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747117996 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747173071 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747220993 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747267008 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747323036 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747380972 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.747406006 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.751904964 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.752058983 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.795440912 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.795505047 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.809864044 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.809885979 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.810066938 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810122967 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810164928 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810220003 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810260057 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810312033 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810364962 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810419083 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.810441017 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815052986 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.815253019 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815320969 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815372944 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815424919 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815470934 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815529108 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.815546989 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.859606028 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.859689951 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868055105 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.868187904 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868246078 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868623972 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868668079 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868709087 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868753910 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868793964 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868849993 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868894100 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868947983 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.868988037 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.869050026 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.869102001 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.869163036 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.869208097 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.869256973 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873016119 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873069048 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873121023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873152018 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873172045 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873184919 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873193979 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873226881 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873239040 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873287916 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873298883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873316050 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873332977 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873359919 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873366117 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873394966 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873411894 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873421907 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873445034 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873450994 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873466015 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873478889 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873502970 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873526096 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873529911 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873558998 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873579025 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873585939 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873605967 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873614073 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873630047 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873657942 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873668909 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873696089 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873716116 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873727083 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873747110 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873755932 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873778105 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873785973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873807907 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873815060 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873831987 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873845100 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873858929 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873873949 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873891115 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873900890 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873915911 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873945951 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.873955011 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873982906 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.873999119 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874012947 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874041080 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874068975 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874099016 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874126911 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874155998 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874156952 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874172926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874183893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874205112 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874212980 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874233961 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874242067 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874264002 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874272108 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874295950 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874300957 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874320030 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874330044 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874361038 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874372005 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874387980 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874416113 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874435902 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874444008 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874459028 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874471903 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874488115 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874500036 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874514103 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874528885 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874557018 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874569893 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874587059 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874612093 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874615908 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874639034 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874644995 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874655962 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874672890 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874690056 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874701023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874720097 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874728918 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874737024 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874757051 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874773979 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874787092 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874810934 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874816895 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874845028 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874857903 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874867916 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874875069 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874891043 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874902010 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874921083 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874929905 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874938965 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874958992 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.874977112 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.874985933 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875003099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875014067 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875030041 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875041962 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875063896 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875082970 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875092983 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875134945 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875138998 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875161886 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875176907 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875190973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875212908 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875219107 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875246048 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875272989 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875291109 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875300884 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875346899 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875346899 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875375986 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875389099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875402927 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875422955 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875431061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875448942 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875458002 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875463009 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875485897 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875495911 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875514984 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875529051 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875545025 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875555992 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875574112 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875587940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875602007 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875622034 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875632048 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875643969 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875659943 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875682116 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875689030 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875714064 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875725031 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875735044 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875752926 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875772953 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875780106 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875803947 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875808954 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875825882 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875849009 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875858068 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875900030 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875902891 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875929117 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875937939 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875957966 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.875969887 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.875988007 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876003027 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876014948 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876029015 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876044035 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876053095 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876071930 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876082897 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876100063 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876111984 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876127005 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876140118 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876156092 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876172066 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876183033 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876193047 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876210928 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876224041 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876239061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876251936 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876266956 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876279116 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876295090 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876308918 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876322031 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876338959 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876348972 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876358986 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876377106 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876386881 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876405001 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876415968 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876435995 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876446009 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876463890 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876476049 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876492023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876506090 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876521111 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876535892 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876549006 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876559019 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876581907 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876595020 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876620054 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876621962 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876648903 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876661062 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876677036 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876691103 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876704931 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876715899 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876733065 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876746893 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876760960 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876771927 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876789093 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876801968 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876816034 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876831055 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876843929 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876857042 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876873016 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876893997 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876902103 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876912117 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876929998 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876948118 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876957893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876969099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.876986027 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.876993895 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.877012968 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.877026081 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.877041101 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.877057076 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.877068996 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.877079964 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.877096891 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.877106905 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.877125025 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.877137899 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.877162933 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.919595957 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.919920921 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920025110 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920089960 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920142889 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920209885 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920268059 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920329094 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920397997 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920464993 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920516014 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920559883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920607090 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920649052 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920696974 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920738935 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920787096 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920829058 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920877934 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.920902014 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925064087 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925086975 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925123930 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925143003 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925177097 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925194025 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925195932 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925232887 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925237894 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925252914 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925276995 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925287962 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925288916 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925307035 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925327063 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925339937 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925340891 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925359964 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925383091 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925394058 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925395966 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925412893 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925435066 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925446033 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925456047 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925466061 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925489902 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925498009 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925501108 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925517082 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925539017 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925554037 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925565958 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925584078 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925604105 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925606966 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925622940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925622940 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925647020 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925658941 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925662041 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925681114 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925700903 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925714016 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925744057 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925762892 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925787926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925796032 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925801992 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925816059 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925837994 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925848961 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925852060 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925868988 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925889969 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925908089 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.925965071 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.925983906 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926012993 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926017046 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926024914 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926035881 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926062107 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926069975 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926074028 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926089048 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926111937 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926120996 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926126957 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926140070 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926163912 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926173925 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926178932 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926192999 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926211119 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926219940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926229954 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926233053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926250935 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926265001 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926265955 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926285028 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926302910 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926306963 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926317930 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926322937 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926340103 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926357985 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926357985 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926378012 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926397085 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926398039 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926417112 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926418066 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926436901 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926450968 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926459074 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926471949 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926490068 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926493883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926506042 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926508904 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926526070 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926544905 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926546097 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926565886 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926589012 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926599026 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926605940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926618099 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926636934 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926639080 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926659107 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926659107 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926671028 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926695108 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926717043 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926736116 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926757097 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926759958 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926774025 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926775932 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926795959 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926810980 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926814079 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926830053 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926856995 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926876068 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926876068 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926894903 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926913023 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926913977 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926928997 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926947117 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926959038 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.926970959 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926989079 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.926991940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927005053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927009106 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927022934 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927027941 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927048922 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927072048 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927077055 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927092075 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927109957 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927114010 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927125931 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927129030 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927145958 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927149057 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927169085 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927185059 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927185059 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927206039 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927225113 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927228928 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927242994 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927243948 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927263021 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927263021 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927282095 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927284956 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927304029 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927304983 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927325964 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927337885 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927350998 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927370071 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927388906 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927395105 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927407026 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927407980 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927426100 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927427053 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927447081 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927448034 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927468061 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927478075 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927483082 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927500963 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927519083 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927521944 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927534103 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927539110 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927551985 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927557945 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927576065 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927578926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927591085 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927608967 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927612066 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927632093 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927649975 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927659035 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927669048 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927671909 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927690029 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927691936 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927700996 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927711964 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927731991 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927743912 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927747011 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927767038 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927788973 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927800894 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927802086 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927820921 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927839041 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927845001 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927862883 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927875042 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927895069 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927908897 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927913904 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927925110 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927933931 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927936077 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927952051 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927964926 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.927968025 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.927988052 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928005934 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928010941 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928025961 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928025961 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928044081 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928046942 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928069115 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928081036 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928082943 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928102970 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928121090 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928124905 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928141117 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928141117 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928162098 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928174973 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928179026 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928198099 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928216934 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928220987 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928236008 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928236961 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928251028 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928271055 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928272009 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928291082 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928308964 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928313971 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928325891 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928328991 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928349018 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928360939 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928366899 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928385973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928404093 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928410053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928416967 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928426027 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928441048 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928443909 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928452969 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928457022 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928469896 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928482056 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928484917 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928498983 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928503990 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928518057 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928518057 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928529978 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928541899 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928541899 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928566933 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928571939 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928579092 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928586006 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928594112 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928606033 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928613901 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928630114 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928632975 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928642988 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928654909 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928683043 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928736925 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928750038 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928760052 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928771973 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928790092 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928792953 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928802013 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928807020 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928817034 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928817987 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928828955 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928833961 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928853989 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928858995 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928865910 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928872108 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928881884 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928895950 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928896904 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928909063 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928911924 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928921938 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928932905 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928932905 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928946018 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928957939 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928961039 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928971052 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.928975105 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928993940 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.928996086 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929007053 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929009914 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929032087 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929044962 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929045916 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929059029 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929080963 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929090023 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929092884 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929119110 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929131985 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929135084 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929148912 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929162979 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929181099 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929194927 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929220915 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929234028 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929254055 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929265976 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929275036 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929287910 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929313898 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929327011 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929347992 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929359913 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929369926 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929382086 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929399014 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929399014 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929411888 CET	15666	49730	147.45.44.216	192.168.2.4
Dec 31, 2024 00:52:02.929418087 CET	49730	15666	192.168.2.4	147.45.44.216
Dec 31, 2024 00:52:02.929429054 CET	49730	15666	192.168.2.4	147.45.44.216

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 00:51:57.691831112 CET	192.168.2.4	1.1.1.1	0x57af	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 00:51:57.698724031 CET	1.1.1.1	192.168.2.4	0x57af	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:51:57.698724031 CET	1.1.1.1	192.168.2.4	0x57af	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 31, 2024 00:51:57.698724031 CET	1.1.1.1	192.168.2.4	0x57af	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.26.13.205	443	7624	C:\Users\user\Desktop\Loader.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 23:51:58 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-12-30 23:51:58 UTC	424	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 23:51:58 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8fa5f0dd496c4321-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1586&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=738&delivery_rate=1773997&cwnd=249&unsent_bytes=0&cid=5eb80c97e9e6b000&ts=182&x=0"
2024-12-30 23:51:58 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Target ID:	0
Start time:	18:51:56
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x7ff7e4e30000
File size:	3'276'800 bytes
MD5 hash:	B3FAD209B07F4D66570C24A40F30D5C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:51:56
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x7ff7e4e30000
File size:	3'276'800 bytes
MD5 hash:	B3FAD209B07F4D66570C24A40F30D5C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000001.00000002.1829787979.0000029E6C117000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_meduzastealer, Description: Finds MeduzaStealer samples based on specific strings, Source: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Sekoia.io
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:52:12
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x7ff76f6c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:52:12
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:52:12
Start date:	30/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 1.1.1.1 -n 1 -w 3000
Imagebase:	0x7ff76dd50000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1332
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF7E4E39B9C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7E4E39B6C,?,?,00000000,00007FF7E4E3BCDB,?,?,00000003,00007FF7E4E36809), ref: 00007FF7E4E39D18
GetProcAddress.KERNEL32(?,?,?,00007FF7E4E39B6C,?,?,00000000,00007FF7E4E3BCDB,?,?,00000003,00007FF7E4E36809), ref: 00007FF7E4E39D24

Strings

MZx, xrefs: 00007FF7E4E39BBB, 00007FF7E4E39CA1, 00007FF7E4E39D01
api-ms-, xrefs: 00007FF7E4E39C62
ext-ms-, xrefs: 00007FF7E4E39C75

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 22012f02682711b3799a961ab12125ad5bd7006ea3965d99f2077911abd80764
Instruction ID: 672fff71cef5829e4ecab3e383766a6b11fc4a617cacda937379c3a9c14a6a21
Opcode Fuzzy Hash: 22012f02682711b3799a961ab12125ad5bd7006ea3965d99f2077911abd80764
Instruction Fuzzy Hash: 0541FF66B19A0341EB17EF17A8A0775A2D5BF48F90F885536CD4D87788EF3CE4068322

Function 00007FF7E4E34340 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7E4E34399

Part of subcall function 00007FF7E4E34630: CreateProcessA.KERNELBASE ref: 00007FF7E4E3469E

Strings

h, xrefs: 00007FF7E4E343DA
@, xrefs: 00007FF7E4E344C7
U, xrefs: 00007FF7E4E3441F

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CreateFileModuleNameProcess
String ID: @$U$h
API String ID: 2157755880-1769436074
Opcode ID: ca72520b2b583654da5c17d2c27a1f2376d242dddeac6599049d2290f9a7c289
Instruction ID: 1e3365fd5add29436541bd292b1ea0f080156eace45c6b3a35aa9fd3f751da81
Opcode Fuzzy Hash: ca72520b2b583654da5c17d2c27a1f2376d242dddeac6599049d2290f9a7c289
Instruction Fuzzy Hash: C6711B7A60CB8681DA60DF46F4903AAB760FBC9B94F405126EACE83B59DF3CD0458F51

Function 00007FF7E4E34F3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7E4E35210: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7E4E35224

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7E4E34F60
__scrt_release_startup_lock.LIBCMT ref: 00007FF7E4E34FCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7E4E35021

Strings

MZx, xrefs: 00007FF7E4E35036

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID: MZx
API String ID: 3251591375-2575928145
Opcode ID: fc8042bb87e420838d7706c2e1d2f26ac8af05287a7a71abb2327b768e75cc79
Instruction ID: c26e7b45bed8017d571ed8a4885d80ce25704a09cb27f8fc6661146242a51dc6
Opcode Fuzzy Hash: fc8042bb87e420838d7706c2e1d2f26ac8af05287a7a71abb2327b768e75cc79
Instruction Fuzzy Hash: A2319E29A0C25342FA16BF27A4A23B9A2919F41B44FC45437E98E473D7DE3DA8048773

Function 00007FF7E4E399F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(00000001,00007FF7E4E3AB53), ref: 00007FF7E4E39A95
LCMapStringW.KERNEL32(00000001,00007FF7E4E3AB53), ref: 00007FF7E4E39AC9

Strings

LCMapStringEx, xrefs: 00007FF7E4E39A25

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: f9633275d9ee9d3b20b8a7fa8d609a387c4e2dab78c2b7ebc5d766684dffdc6a
Instruction ID: 3702613240998159b93e4c4a40c25d7de4dfe65007535083e2ab243a7baac850
Opcode Fuzzy Hash: f9633275d9ee9d3b20b8a7fa8d609a387c4e2dab78c2b7ebc5d766684dffdc6a
Instruction Fuzzy Hash: AD212F35A08B8186DB64DF16F48029AB7A5FB88BD0F444136EACD83B19DF3CD550CB50

Function 00007FF7E4E36824 Relevance: 4.5, APIs: 3, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00000003,00007FF7E4E3691C), ref: 00007FF7E4E36835
TerminateProcess.KERNEL32(?,?,00000003,00007FF7E4E3691C), ref: 00007FF7E4E36840
ExitProcess.KERNEL32 ref: 00007FF7E4E3684F

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d1b5e31b8130739252ba024cd7ee30c115cd396cc8feb26cc4374d0b0c240fe4
Instruction ID: 4c740411a919d375bcc4d1a6d264aa15949fb2300dbc8f00b7cea15eedc59da3
Opcode Fuzzy Hash: d1b5e31b8130739252ba024cd7ee30c115cd396cc8feb26cc4374d0b0c240fe4
Instruction Fuzzy Hash: 33D09E18B1870B43EE253F7268E537992615F88F11F90283AC95FC7397ED7CA44D8262

Function 00007FF7E4E3AFC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32 ref: 00007FF7E4E3B00A

Strings

, xrefs: 00007FF7E4E3B04D

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 741c4182e17423b6762c14ee47741467d08430751a7f72457cdc24d02ab79553
Instruction ID: 0e63c924d25f72813a2445dbdc80319d3fd3ece77aac9437b8f92587bcf85850
Opcode Fuzzy Hash: 741c4182e17423b6762c14ee47741467d08430751a7f72457cdc24d02ab79553
Instruction Fuzzy Hash: 07519036A1C2C28AE7229F25E0847AEB7A0F749B44F944137D7CE47A8ACB7CD545CB11

Function 00007FF7E4E3A8C8 Relevance: 3.2, APIs: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7E4E3AB88: GetOEMCP.KERNEL32 ref: 00007FF7E4E3ABB2

IsValidCodePage.KERNEL32 ref: 00007FF7E4E3A935
GetCPInfo.KERNEL32 ref: 00007FF7E4E3A979

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 2dc6afea859580e6037be6593a21ed62edb713420741d641145777749c96bdf2
Instruction ID: bf3b7f97504669479533d2d439f5edf93e6eccbdf88bf684959dac709a8ed578
Opcode Fuzzy Hash: 2dc6afea859580e6037be6593a21ed62edb713420741d641145777749c96bdf2
Instruction Fuzzy Hash: 7981D56AA0C68346F726BF26A094379F7A1EB44B40FC44077C6CD67A91DE3DE581C322

Function 00007FF7E4E34E38 Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7E4E359E0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7E4E34E57), ref: 00007FF7E4E35A30
Part of subcall function 00007FF7E4E359E0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7E4E34E57), ref: 00007FF7E4E35A71

_set_fmode.LIBCMT ref: 00007FF7E4E34E6F
_RTC_Initialize.LIBCMT ref: 00007FF7E4E34E90

Part of subcall function 00007FF7E4E36BBC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7E4E36BEE

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFileHeaderInitializeRaise_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 2451193124-0
Opcode ID: f3c0430470f07399e506a1be3701e989bbb1d8738ebd37febbeea140212f0efb
Instruction ID: bb1509a2534122a8477c86e00f26fd2e29dd37d5bb84f4d0ea750bf6d14572e9
Opcode Fuzzy Hash: f3c0430470f07399e506a1be3701e989bbb1d8738ebd37febbeea140212f0efb
Instruction Fuzzy Hash: 6E21AF58E0924345FA16BFB384C23B891915F94B41FD04476E5CE4A2DBDDBDB8418773

Function 00007FF7E4E3B380 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7E4E3BF8A,?,?,?,00007FF7E4E3BE8B,?,?,00000000,00007FF7E4E3C9A9,?,?,?,00007FF7E4E3C8B3), ref: 00007FF7E4E3B396
GetLastError.KERNEL32(?,?,?,00007FF7E4E3BF8A,?,?,?,00007FF7E4E3BE8B,?,?,00000000,00007FF7E4E3C9A9,?,?,?,00007FF7E4E3C8B3), ref: 00007FF7E4E3B3A0

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: ee630889352ed936ae553ba63d3b4f6f14bc721ad53d24028daf506015ee0002
Instruction ID: 2c215b053c00a7c065edf9af43833e0884e67d0f5e2f294bca0cff726f81c502
Opcode Fuzzy Hash: ee630889352ed936ae553ba63d3b4f6f14bc721ad53d24028daf506015ee0002
Instruction Fuzzy Hash: 93E08655F0820742FF06BFB368E6234A2605F48F50F845132C94DC2256EE3CA8854372

Function 00007FF7E4E3671C Relevance: 1.6, APIs: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7E4E3687F

Part of subcall function 00007FF7E4E36790: GetModuleHandleExW.KERNEL32 ref: 00007FF7E4E367B5
Part of subcall function 00007FF7E4E36790: GetProcAddress.KERNEL32 ref: 00007FF7E4E367CB
Part of subcall function 00007FF7E4E36790: FreeLibrary.KERNEL32 ref: 00007FF7E4E367F2

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 883d2c84c99c049fafe14cfb7c78426d52a6edd162f08307a95ee2a3b685a9ec
Instruction ID: 8dfd5ec59a0371b35554d880f48712830c1cf2101557ef925ecf33048cc2edb1
Opcode Fuzzy Hash: 883d2c84c99c049fafe14cfb7c78426d52a6edd162f08307a95ee2a3b685a9ec
Instruction Fuzzy Hash: FE21B476E047428AEB65AF75C0843AC77B0EB84B1CF844636D69C06AC4DF38D448C751

Function 00007FF7E4E3D464 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7E4E3D48F

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 01c91395c1916870b6ebb99eb882ff78e046b85d5793e410e623a649603b4a33
Instruction ID: ebf0e39f9d044d92ae35f6bd19b5838291a67e5ff4782d1b4355d86e0777d0db
Opcode Fuzzy Hash: 01c91395c1916870b6ebb99eb882ff78e046b85d5793e410e623a649603b4a33
Instruction Fuzzy Hash: 0311303A90C65782E312BF16A891A79F3A4FF40B40F950536E69D477A6DF3CF8108762

Function 00007FF7E4E326F0 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7E4E32733

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c26739b86664f408db0c9997770f65723e3fc929f09927d10a92c6213d1838f9
Instruction ID: 097be477609b90fb38b3e0558d5a04117e02c729ca68a747c5ef3d127aac7664
Opcode Fuzzy Hash: c26739b86664f408db0c9997770f65723e3fc929f09927d10a92c6213d1838f9
Instruction Fuzzy Hash: 4CF0FF2651DB4681D661AF06F4C132EE3A0FF84BA4F501232F7DE42BA5CE3CD8A18B51

Function 00007FF7E4E34630 Relevance: 1.5, APIs: 1, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF7E4E3469E

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55f193832a280cde99d3965d7a83e62b7f155f16e8e51956fffb024c732bc776
Instruction ID: 9116282469b2cce38adb4773f1fce5dd497ebcc12ff5f6b509254a00770484ff
Opcode Fuzzy Hash: 55f193832a280cde99d3965d7a83e62b7f155f16e8e51956fffb024c732bc776
Instruction Fuzzy Hash: 80F0CF76618B9482E710CB56F49070BBBA5F3C9794F604519EBC887B28CBBDC065CF40

Function 00007FF7E4E34C44 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7E4E34C74

Part of subcall function 00007FF7E4E34E18: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7E4E34E21

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 931c02c4fcd203e15d47adf75942f4b0e5fe0fb3ee4ad08f730a2a0a270399f2
Instruction ID: cee18bef78dbc9b299f6b9bf43838818281d970f5b06548f6cac76a033bbe287
Opcode Fuzzy Hash: 931c02c4fcd203e15d47adf75942f4b0e5fe0fb3ee4ad08f730a2a0a270399f2
Instruction Fuzzy Hash: 91E0EC49E5930B05F96B3E7355D537880804F45F70EDD1772D9FD092C2AD3DA4514172

Function 00007FF7E4E346F0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE ref: 00007FF7E4E34749

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 590438e11f57b6ac7bad76fc945ab05e233fba6b9bcb9c07e7f5b99c2efd162e
Instruction ID: e972cd16634150941fc9b6ea76269619c6f22b08c842b0c82c41bf003a0680b5
Opcode Fuzzy Hash: 590438e11f57b6ac7bad76fc945ab05e233fba6b9bcb9c07e7f5b99c2efd162e
Instruction Fuzzy Hash: 3FF0FF36518B8482C6509B45F49170AB7B4F39AB94FA0511AFAC953B28CF7DC0648B00

Function 00007FF7E4E34760 Relevance: 1.5, APIs: 1, Instructions: 20injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF7E4E347BB

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9ea2c8076de443cf59f910db1f613f80aa3e07039da84784684faed62c920b0f
Instruction ID: 03870921615c518e64f4106259937d22a06636358fc7ea7ccdc36adbdff2b7ce
Opcode Fuzzy Hash: 9ea2c8076de443cf59f910db1f613f80aa3e07039da84784684faed62c920b0f
Instruction Fuzzy Hash: B3F00C3A518F8882C6609B45F48074AB7B4F79AB94F605116EBCD83B28DF3DC1648B00

Function 00007FF7E4E35210 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7E4E35224

Part of subcall function 00007FF7E4E364CC: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF7E4E364D4
Part of subcall function 00007FF7E4E364CC: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF7E4E364D9

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: e9d6ae88fc6a71f53c5a11da52503330d916ee548e66a10f83e59118ebd616ce
Instruction ID: ffcc86dc7c07e1d178202c8455ce69fc0687c35eb2ac57205dd15d9ed04b00ea
Opcode Fuzzy Hash: e9d6ae88fc6a71f53c5a11da52503330d916ee548e66a10f83e59118ebd616ce
Instruction Fuzzy Hash: C3E0926CD0C14394FEAABE7221923B982501F62B44FD0147AD9DE522839E3E214A1733

Function 00007FF7E4E3C1C8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7E4E3A072,?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08), ref: 00007FF7E4E3C21D

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 135306cfd6f981af923da4fe000d2c37e782639362960f7bd737ffabaa1f0f79
Instruction ID: 49cff517b3ed37c3a699838edac8aaa49303d3238e7ca70014bd484bb75242b2
Opcode Fuzzy Hash: 135306cfd6f981af923da4fe000d2c37e782639362960f7bd737ffabaa1f0f79
Instruction Fuzzy Hash: 67F0621AB0960B81FE56BFA374A23B5D2905F89F40FCC5133C98E866C1EE3CE8814132

Function 00007FF7E4E3C240 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7E4E3F389,?,?,00000000,00007FF7E4E3D083,?,?,?,00007FF7E4E370BF,?,?,?,00007FF7E4E372FD), ref: 00007FF7E4E3C27E

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 81c4a1072c291bc039217ef3688a7505bcb60df8785fb09408a2d79300e577ee
Instruction ID: bd571a583254cf0b1e1aa11f8d61dff2b45eeaadf84831c1ca40c537da0507c7
Opcode Fuzzy Hash: 81c4a1072c291bc039217ef3688a7505bcb60df8785fb09408a2d79300e577ee
Instruction Fuzzy Hash: F9F0545AA0860B41FE56BFF358D2375D1805F85FA0F8C4636DDAE862C1DE3CE4414132

Non-executed Functions

Function 00007FF7E4E3CA90 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7E4E3CAE4
FindFirstFileExW.KERNEL32 ref: 00007FF7E4E3CBEE

Strings

C:\Users\user\Desktop\Loader.exe, xrefs: 00007FF7E4E3CA9E

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Loader.exe
API String ID: 2227656907-3241315448
Opcode ID: e225d3fb6d4ae7c10b93392ed77da4608c0e544a1bff775a08a37f312803c6a9
Instruction ID: 997b447e5cc4f2d1702543e295303036bead482ae2d3373adb4beb6005f59042
Opcode Fuzzy Hash: e225d3fb6d4ae7c10b93392ed77da4608c0e544a1bff775a08a37f312803c6a9
Instruction Fuzzy Hash: CAB1B52BB1869741EA62AF23A4853B9E350EB44FD4FC45533EA9E47789DE3CE441C312

Function 00007FF7E4E354D4 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7E4E354F0
RtlCaptureContext.KERNEL32 ref: 00007FF7E4E3551D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E4E35537
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E4E35578
IsDebuggerPresent.KERNEL32 ref: 00007FF7E4E355CC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E355E9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E355F4

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 5f043ce2f24c5dd1fc7556dc09ed2e4de8428533f533a7f6f2f8a904c65be6c1
Instruction ID: a19f4d4dd226900b17526e20b5fafa90e03417e286ce2ffd30ddf7d13e5ead07
Opcode Fuzzy Hash: 5f043ce2f24c5dd1fc7556dc09ed2e4de8428533f533a7f6f2f8a904c65be6c1
Instruction Fuzzy Hash: 67316576608B8586EB609F61F8907EDB360FB44B44F84443ADA4E87B99EF38D548C721

Function 00007FF7E4E37760 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7E4E377D9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E4E377F1
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E4E3782C
IsDebuggerPresent.KERNEL32 ref: 00007FF7E4E37865
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E3786F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E3787A

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 0682ff08e83aaada5c55492228567788b13ab54fda938eba02d557cdfddf4092
Instruction ID: ad0f95758fd167a0fd64ab865eefe04252a62a320204b8bc2b7d772ca4270480
Opcode Fuzzy Hash: 0682ff08e83aaada5c55492228567788b13ab54fda938eba02d557cdfddf4092
Instruction Fuzzy Hash: 16318736608F8186DB60DF25E8507AEB3A0FB84B54F900136EA9D87B59EF3CD545CB11

Function 00007FF7E4E35304 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7E4E35330
GetCurrentThreadId.KERNEL32 ref: 00007FF7E4E3533E
GetCurrentProcessId.KERNEL32 ref: 00007FF7E4E3534A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7E4E3535A

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1ef9cfd6a28bfbf257edefedf7c8203de68038772214ee7f848650bd26ef0748
Instruction ID: 5f7e12e76bee5f0e6e3dedb7664e20730f3461ac4a07ab1e8a2c9a0807655ffc
Opcode Fuzzy Hash: 1ef9cfd6a28bfbf257edefedf7c8203de68038772214ee7f848650bd26ef0748
Instruction Fuzzy Hash: E2114F22B14B0589EF009F60F8643B873A4F758B58F841A32DA6D87758EF78D1558350

Function 00007FF7E4E39E10 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7E4E39E14

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 04e430f214420386c097ea80a3f65c29a15293500482715ba298f06b5bffda18
Instruction ID: 061ebfa1d82994469942876d636f0bc7f10cc421545f63801b26802048eda7c1
Opcode Fuzzy Hash: 04e430f214420386c097ea80a3f65c29a15293500482715ba298f06b5bffda18
Instruction Fuzzy Hash: 4CB09220E0BB0AC2EA497B657CAA31463A47F48F10FD8503AC00CC1324EE3C20A58722

Function 00007FF7E4E32DD0 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2493b7593c7a72a3c048878eaa47db4bf64ef86c7613569d36cef1db600bd04e
Instruction ID: 77fcffb5c2f9810da0c19e67f0f8a37083c05785ca25e96e5b92e50ae9bb93c9
Opcode Fuzzy Hash: 2493b7593c7a72a3c048878eaa47db4bf64ef86c7613569d36cef1db600bd04e
Instruction Fuzzy Hash: DB42747B6086048AC764DF1AD09161ABBF0F7CCFA8B194216EB8D83765DB39D582CF50

Function 00007FF7E4E37008 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e5e308dfeada57223cb931c0b5dfaffe289988bed981820dc51f875181d83110
Instruction ID: a6402d033a21d2e76667970d87adc8ab587cbc9a0976825b2628eeeaa4b43f06
Opcode Fuzzy Hash: e5e308dfeada57223cb931c0b5dfaffe289988bed981820dc51f875181d83110
Instruction Fuzzy Hash: 8941F676714A5981EF04DF2AE964679B3A1FB48FC0B89A033DE4D97B58EE3CD4428301

Function 00007FF7E4E417D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e227a93ecbd0eaa87d54bff9a39891396378540c1ebb38e19a135996851a4b
Instruction ID: 8886148a2b716ab130b28e4ceebd5068aea7248dbe4fe585ce9b48a373619e76
Opcode Fuzzy Hash: 36e227a93ecbd0eaa87d54bff9a39891396378540c1ebb38e19a135996851a4b
Instruction Fuzzy Hash: 31F06872B182558AEB949F39B452729B7D0F708780FD4D13AD58DC3B08D67C9091CF15

Function 00007FF7E4E354C4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f9b99e833d81c9360031323baeb257995531fff9fb24a03fa220d7ef962a05
Instruction ID: fa14e8f9197c72f642a1ca3a5b79d7b8c483f18db1ca54d4d40b608bd9dec4b1
Opcode Fuzzy Hash: f3f9b99e833d81c9360031323baeb257995531fff9fb24a03fa220d7ef962a05
Instruction Fuzzy Hash: A0A0016591880A91EA05AF11A8A1A39A320AB90B40B805572C04E81164AE3CA5018326

Function 00007FF7E4E38F5C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7E4E38FB9

Part of subcall function 00007FF7E4E38424: __GetUnwindTryBlock.LIBCMT ref: 00007FF7E4E38467
Part of subcall function 00007FF7E4E38424: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7E4E3848C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7E4E39091
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7E4E392DF
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7E4E393EC

Strings

csm, xrefs: 00007FF7E4E390B4
csm, xrefs: 00007FF7E4E3903A
csm, xrefs: 00007FF7E4E38FD3

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3761cf37712abdcf1e6db3273805001c4b0028c3034cc92ba4d43b14fc4efdf9
Instruction ID: 4a8ad397a79cc99d1452e9872f915c247bcf326e907c62c69331acbf9bbb4070
Opcode Fuzzy Hash: 3761cf37712abdcf1e6db3273805001c4b0028c3034cc92ba4d43b14fc4efdf9
Instruction Fuzzy Hash: 4ED18F76A0874286EB21EF66D4813ADB7A0FB45B88F900136EE8D57795CF38E481C752

Function 00007FF7E4E3D75C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7E4E3D5F1,?,?,00000000,00007FF7E4E38034), ref: 00007FF7E4E3D7E1
GetLastError.KERNEL32(?,?,?,00007FF7E4E3D5F1,?,?,00000000,00007FF7E4E38034), ref: 00007FF7E4E3D7EF
LoadLibraryExW.KERNEL32(?,?,?,00007FF7E4E3D5F1,?,?,00000000,00007FF7E4E38034), ref: 00007FF7E4E3D819
FreeLibrary.KERNEL32(?,?,?,00007FF7E4E3D5F1,?,?,00000000,00007FF7E4E38034), ref: 00007FF7E4E3D887
GetProcAddress.KERNEL32(?,?,?,00007FF7E4E3D5F1,?,?,00000000,00007FF7E4E38034), ref: 00007FF7E4E3D893

Strings

MZx, xrefs: 00007FF7E4E3D77A, 00007FF7E4E3D82A, 00007FF7E4E3D870
api-ms-, xrefs: 00007FF7E4E3D801

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: MZx$api-ms-
API String ID: 2559590344-259127448
Opcode ID: e3e0607afb2d36fe791d2cb7d0cfe75f8ab5f5604bbfa85aa404c328e2221570
Instruction ID: b8ea4295c107d053e6a5ac8fe7a67d8027b0bb33e2b8b7e4c96f5c9ff7e6094d
Opcode Fuzzy Hash: e3e0607afb2d36fe791d2cb7d0cfe75f8ab5f5604bbfa85aa404c328e2221570
Instruction Fuzzy Hash: A0318125A1A64391EE13BF03A890A75A2A8BF48F64F890536DD5D47794EF3CF4458322

Function 00007FF7E4E39E98 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7E4E39EA7
FlsGetValue.KERNEL32 ref: 00007FF7E4E39EBC
FlsSetValue.KERNEL32 ref: 00007FF7E4E39EDD
FlsSetValue.KERNEL32 ref: 00007FF7E4E39F0A
FlsSetValue.KERNEL32 ref: 00007FF7E4E39F1B
FlsSetValue.KERNEL32 ref: 00007FF7E4E39F2C
SetLastError.KERNEL32 ref: 00007FF7E4E39F47

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 8eb7e9acec1751e613be6750b9c04c95c48d5d700aaadb3b6e51bf6b1cebdfde
Instruction ID: 07c785cdfb48b6f99bc0a73153326d619973a5fd15daeb5d9c835331de8f2384
Opcode Fuzzy Hash: 8eb7e9acec1751e613be6750b9c04c95c48d5d700aaadb3b6e51bf6b1cebdfde
Instruction Fuzzy Hash: D2217F28B0D20742FA5A7B236AD1379D1915F84FA4FC41636E9AE476C6EF3CA4018222

Function 00007FF7E4E40CA0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7E4E40CD1
GetLastError.KERNEL32 ref: 00007FF7E4E40CDD
CloseHandle.KERNEL32 ref: 00007FF7E4E40CF5
CreateFileW.KERNEL32 ref: 00007FF7E4E40D20
WriteConsoleW.KERNEL32 ref: 00007FF7E4E40D3F

Strings

CONOUT$, xrefs: 00007FF7E4E40D01

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: eccb84783a33b6acb2369927ad856cb4a6f1e39df1dbbcb1c74e1911e2e9c731
Instruction ID: eae4bfb8c083e0692cd4f6268983dec34201a1e8c08b7e627dacda113d9eb37c
Opcode Fuzzy Hash: eccb84783a33b6acb2369927ad856cb4a6f1e39df1dbbcb1c74e1911e2e9c731
Instruction Fuzzy Hash: 6611B421718A4582E7509F12F864729A3A0FB48FE4F941235D95DC7B98DF3CD8448755

Function 00007FF7E4E3A010 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08,?,?,?,?,00007FF7E4E34E74), ref: 00007FF7E4E3A01F
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08,?,?,?,?,00007FF7E4E34E74), ref: 00007FF7E4E3A055
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08,?,?,?,?,00007FF7E4E34E74), ref: 00007FF7E4E3A082
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08,?,?,?,?,00007FF7E4E34E74), ref: 00007FF7E4E3A093
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08,?,?,?,?,00007FF7E4E34E74), ref: 00007FF7E4E3A0A4
SetLastError.KERNEL32(?,?,?,00007FF7E4E3C125,?,?,?,?,00007FF7E4E37D08,?,?,?,?,00007FF7E4E34E74), ref: 00007FF7E4E3A0BF

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: b62c077a2562629968d0e64dfe6611344bf88aff198bfc4a34faf3d636af4a9f
Instruction ID: 2a89a42f5f99c00bfe5f848b77ea2893f3975fe4cac8237e30aa8c9761774516
Opcode Fuzzy Hash: b62c077a2562629968d0e64dfe6611344bf88aff198bfc4a34faf3d636af4a9f
Instruction Fuzzy Hash: 46119F28B0C20342FA1A7B2266D1379E1525F44FB0FC40736D8BE57AD6DE3CA4818663

Function 00007FF7E4E3E510 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7E4E3E58F
WriteFile.KERNEL32 ref: 00007FF7E4E3E857
WriteFile.KERNEL32 ref: 00007FF7E4E3E89D
GetLastError.KERNEL32 ref: 00007FF7E4E3E953

Strings

MZx, xrefs: 00007FF7E4E3E566, 00007FF7E4E3E5E7, 00007FF7E4E3E69C

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: 6ce917d528adb3b7ec2eb0403480b4a9e68144bd1b8ad96170a743d827fd017e
Instruction ID: d1c8cf039d274e1fe3774f28fc69a65805f06740cf5de206c350a0af52060462
Opcode Fuzzy Hash: 6ce917d528adb3b7ec2eb0403480b4a9e68144bd1b8ad96170a743d827fd017e
Instruction Fuzzy Hash: C8D13936B08A4289E712DF7AD4803BCB771FB54B98B814236DE9D97B89DE38D406C711

Function 00007FF7E4E36790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7E4E367B5
GetProcAddress.KERNEL32 ref: 00007FF7E4E367CB
FreeLibrary.KERNEL32 ref: 00007FF7E4E367F2

Strings

mscoree.dll, xrefs: 00007FF7E4E367AC
CorExitProcess, xrefs: 00007FF7E4E367C4

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 56dec27a48c382bae8c9dbc998320d3297bdff6e0d22f776c03b946996f6de0c
Instruction ID: c6d8d84720fd6ae2f1313f65956cbb14b16d02e5e04c1e425e315cbc5edd905b
Opcode Fuzzy Hash: 56dec27a48c382bae8c9dbc998320d3297bdff6e0d22f776c03b946996f6de0c
Instruction Fuzzy Hash: AFF06865A1960681EF206F35F4543799360EF85F61FD41237C56D851E8DF3CD048C322

Function 00007FF7E4E415E0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7E4E41608
_set_statfp.LIBCMT ref: 00007FF7E4E41623
_set_statfp.LIBCMT ref: 00007FF7E4E4163F
_set_statfp.LIBCMT ref: 00007FF7E4E4167B

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 52608bc6d143c9dc7bfa0a8c4855f078bb6d55b13afd5a83babe45fd19c9ed63
Instruction ID: 7a05c3dbcfdc48c25ebeef28d2c14fb46630c93b3759fd792914f038a7c82263
Opcode Fuzzy Hash: 52608bc6d143c9dc7bfa0a8c4855f078bb6d55b13afd5a83babe45fd19c9ed63
Instruction Fuzzy Hash: 2E1121AAE18A0305FE943D76E5D9375D2406F953B0E9C0E76E9EE062D68E7CFC404126

Function 00007FF7E4E3A0D8 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7E4E37A3F,?,?,00000000,00007FF7E4E378EE,?,?,?,?,?,00007FF7E4E37B02), ref: 00007FF7E4E3A0F7
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E37A3F,?,?,00000000,00007FF7E4E378EE,?,?,?,?,?,00007FF7E4E37B02), ref: 00007FF7E4E3A116
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E37A3F,?,?,00000000,00007FF7E4E378EE,?,?,?,?,?,00007FF7E4E37B02), ref: 00007FF7E4E3A13E
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E37A3F,?,?,00000000,00007FF7E4E378EE,?,?,?,?,?,00007FF7E4E37B02), ref: 00007FF7E4E3A14F
FlsSetValue.KERNEL32(?,?,?,00007FF7E4E37A3F,?,?,00000000,00007FF7E4E378EE,?,?,?,?,?,00007FF7E4E37B02), ref: 00007FF7E4E3A160

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 315fd457ddef81b560e09b51ca76df7db0b77885c296541c44264b052bdf0a77
Instruction ID: 7ca47fe57b9dd738964a8147b8df59dca0d900560020d35899196d71c2669e27
Opcode Fuzzy Hash: 315fd457ddef81b560e09b51ca76df7db0b77885c296541c44264b052bdf0a77
Instruction Fuzzy Hash: CA116068F0C30341FA5A7B2779D1379E2515F44FE0EC8533AD8AD57AD6DE3CA8418222

Function 00007FF7E4E39F6C Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7E4E39F7D
FlsSetValue.KERNEL32 ref: 00007FF7E4E39F9C
FlsSetValue.KERNEL32 ref: 00007FF7E4E39FC4
FlsSetValue.KERNEL32 ref: 00007FF7E4E39FD5
FlsSetValue.KERNEL32 ref: 00007FF7E4E39FE6

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3583ea58da392ae5e1a25b37852758e3d7efc9f279aafc2945d021ad744b599d
Instruction ID: db90085583cc6d47910d16b3c15957aaefe80f357a8e279765788496f3270e3e
Opcode Fuzzy Hash: 3583ea58da392ae5e1a25b37852758e3d7efc9f279aafc2945d021ad744b599d
Instruction Fuzzy Hash: 92114F18A0C20701FA5ABB2758D13B991425F40F64EC8073AE5BE476C6EE3CB4418233

Function 00007FF7E4E35A88 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7E4E35AB3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7E4E35B4A
RtlUnwindEx.KERNEL32 ref: 00007FF7E4E35BA4

Strings

csm, xrefs: 00007FF7E4E35B31

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b8fdca9cded4bbb6aa06f1f5ade378c1037bc301aacae7e2f84c1045c81e75ca
Instruction ID: 4cd7bee9a26cc419e8b81d2986580f1948a8901570d81832d37b3b683d29d3e3
Opcode Fuzzy Hash: b8fdca9cded4bbb6aa06f1f5ade378c1037bc301aacae7e2f84c1045c81e75ca
Instruction Fuzzy Hash: 5C51D33AB196038ADB15EF16E484B7DB391EB44F88F958172DA8A43748DF3CE841C711

Function 00007FF7E4E3891C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7E4E38D4C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7E4E38E34

Strings

csm, xrefs: 00007FF7E4E38E86
csm, xrefs: 00007FF7E4E38D6E

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: dad56c49b405efa0f0b0dfcbe895a6a6fea9ee740eef188aff0589e1bfe89b6b
Instruction ID: 9f0466f866ee4ff427f77e06671de2da4f11fe575c64fa0ace73db801e6d04ac
Opcode Fuzzy Hash: dad56c49b405efa0f0b0dfcbe895a6a6fea9ee740eef188aff0589e1bfe89b6b
Instruction Fuzzy Hash: A1618D3AD0828786EB66AF13948437CB6E1BB54F84F944136EADC47A91CF3CE450C792

Function 00007FF7E4E39500 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7E4E3955F
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7E4E395AB

Strings

RCC, xrefs: 00007FF7E4E3957B
MOC, xrefs: 00007FF7E4E39573

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: ba93ea01ede6b7901e4f1a42dd3188ba1bf94f5b48d2c5fd38b2079bf7c360a5
Instruction ID: 2e7da2e513639e17fbf96c73367f028812467a1694eb269069ac0658dd49409e
Opcode Fuzzy Hash: ba93ea01ede6b7901e4f1a42dd3188ba1bf94f5b48d2c5fd38b2079bf7c360a5
Instruction Fuzzy Hash: D8618236908B8681D721AF26E4807A9B7A0FB85B84F444226EBDC07B99DF7CD190CB11

Function 00007FF7E4E3E0E8 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7E4E3E4FB), ref: 00007FF7E4E3E204
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF7E4E3E4FB), ref: 00007FF7E4E3E28F

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 88b8c225d62e374fe023bc9d5a4caf48daae308facaf316e88f45816378adbdd
Instruction ID: 77d1143338a7119e8188cf14c4359fdf9d7b1cec57cdaf42470b99042e2929a3
Opcode Fuzzy Hash: 88b8c225d62e374fe023bc9d5a4caf48daae308facaf316e88f45816378adbdd
Instruction Fuzzy Hash: 2391E736E0865385F752EF6A94C03BDABA0BB14F88F95413ADE8E53684DF38D441C722

Function 00007FF7E4E38A64 Relevance: 6.2, APIs: 4, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF7E4E38B87
__AdjustPointer.LIBCMT ref: 00007FF7E4E38BD2
__AdjustPointer.LIBCMT ref: 00007FF7E4E38CA9

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 506d3401bf5a93b8ca173106f1f1787cf44583c133506b40ded6fba249d7dab6
Instruction ID: e96cf7c03c3ff926b32b2f96160c8c1469c34fe3cbf8ddb91e53704026a04f87
Opcode Fuzzy Hash: 506d3401bf5a93b8ca173106f1f1787cf44583c133506b40ded6fba249d7dab6
Instruction Fuzzy Hash: 99718269E0A64381EE66AE2395C077CA2D4FF44F80F894877DA8D07685DE3CE44583A3

Function 00007FF7E4E36BBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7E4E36BEE

Part of subcall function 00007FF7E4E3B380: RtlFreeHeap.NTDLL(?,?,?,00007FF7E4E3BF8A,?,?,?,00007FF7E4E3BE8B,?,?,00000000,00007FF7E4E3C9A9,?,?,?,00007FF7E4E3C8B3), ref: 00007FF7E4E3B396
Part of subcall function 00007FF7E4E3B380: GetLastError.KERNEL32(?,?,?,00007FF7E4E3BF8A,?,?,?,00007FF7E4E3BE8B,?,?,00000000,00007FF7E4E3C9A9,?,?,?,00007FF7E4E3C8B3), ref: 00007FF7E4E3B3A0

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7E4E34EAD), ref: 00007FF7E4E36C0C

Strings

C:\Users\user\Desktop\Loader.exe, xrefs: 00007FF7E4E36BFA

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Loader.exe
API String ID: 3580290477-3241315448
Opcode ID: a645f223ce12f83b0f8d23c07915082202de851ed736994d0ec83cfc9196f6a2
Instruction ID: bbbe218deacaacb2e592f5852a39f4c2bd70e00bdcaa598d5c919129cad12aef
Opcode Fuzzy Hash: a645f223ce12f83b0f8d23c07915082202de851ed736994d0ec83cfc9196f6a2
Instruction Fuzzy Hash: 09418635A0871785EB15BF32A4912BDB794EF84F84BC55036E98E47745DE3CE4418352

Function 00007FF7E4E3EBA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7E4E3ECBF
GetLastError.KERNEL32 ref: 00007FF7E4E3ECE1

Strings

U, xrefs: 00007FF7E4E3EC6B

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 6e6dc1b65bfd63166fd0bb342432b01ffd91828e93f14cbc7104de6985ace0a7
Instruction ID: 89ead30a20bd16dcceb0d53b747a976d3c97590e3f83350b03132f3d9b215ecd
Opcode Fuzzy Hash: 6e6dc1b65bfd63166fd0bb342432b01ffd91828e93f14cbc7104de6985ace0a7
Instruction Fuzzy Hash: CA41C72271868685DB21DF2AE4847B9B7A0F798F94F814032EE8D87748EF3CD441C751

Function 00007FF7E4E359E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7E4E34E57), ref: 00007FF7E4E35A30
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7E4E34E57), ref: 00007FF7E4E35A71

Strings

csm, xrefs: 00007FF7E4E35A5E

Memory Dump Source

Source File: 00000000.00000002.1669392025.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000000.00000002.1669369400.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669413079.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669677828.00007FF7E514D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669755517.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669792713.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 967fbbe814c9c1e701ed63cdd0d532d980ddcea8b093fe1b68fbd27a0b08e2d1
Instruction ID: 61329c0a98d5c637fec39467c87a442690352db6dfe335f04bcf1c09a643fd24
Opcode Fuzzy Hash: 967fbbe814c9c1e701ed63cdd0d532d980ddcea8b093fe1b68fbd27a0b08e2d1
Instruction Fuzzy Hash: 9A114936619B8582EB219F15F490269B7E5FB88F84F984232DECC47758DF3CD5518B00

Analysis Process: Loader.exePID: 7624, Parent PID: 7608COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00000001400849D0 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 0000000140084A11
GetSystemMetrics.USER32 ref: 0000000140084A1F
GetSystemMetrics.USER32 ref: 0000000140084A2D
GetSystemMetrics.USER32 ref: 0000000140084A3B
GetDC.USER32 ref: 0000000140084A45
GetDeviceCaps.GDI32 ref: 0000000140084A5B
GetDeviceCaps.GDI32 ref: 0000000140084A6B
CreateCompatibleDC.GDI32 ref: 0000000140084A78
CreateCompatibleBitmap.GDI32 ref: 0000000140084A90
SelectObject.GDI32 ref: 0000000140084AA6
BitBlt.GDI32 ref: 0000000140084ADC
SHCreateMemStream.SHLWAPI ref: 0000000140084B12
SelectObject.GDI32 ref: 0000000140084B28
DeleteDC.GDI32 ref: 0000000140084B31
ReleaseDC.USER32 ref: 0000000140084B3C
DeleteObject.GDI32 ref: 0000000140084B45
EnterCriticalSection.KERNEL32 ref: 0000000140084C3C
LeaveCriticalSection.KERNEL32 ref: 0000000140084C4E
IStream_Size.SHLWAPI ref: 0000000140084C85
IStream_Reset.SHLWAPI ref: 0000000140084C96
IStream_Read.SHLWAPI ref: 0000000140084D1B
SelectObject.GDI32 ref: 0000000140084D75
DeleteDC.GDI32 ref: 0000000140084D7E
ReleaseDC.USER32 ref: 0000000140084D8B
DeleteObject.GDI32 ref: 0000000140084D94

Strings

, xrefs: 0000000140084AB1

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
String ID:
API String ID: 3214587331-3916222277
Opcode ID: b8ad9de3582fef1955ac4035c1c75ac334f415ebc7e19910e4ff908aacfd4282
Instruction ID: 8a9b4e0b064338a6d8d553899a54bca9af0a5e421b87f50a1b45792b9aa8e9a5
Opcode Fuzzy Hash: b8ad9de3582fef1955ac4035c1c75ac334f415ebc7e19910e4ff908aacfd4282
Instruction Fuzzy Hash: 91B11B72618BC086E761DB22E8543DEB7A5F789BC0F508615EA8E43B69DF3CC185CB10

Function 0000000140086BE0 Relevance: 22.6, APIs: 3, Strings: 9, Instructions: 1600COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140085AD0: GetCurrentHwProfileW.ADVAPI32 ref: 0000000140085B0C

Part of subcall function 00000001400853A0: EnumDisplayDevicesW.USER32 ref: 00000001400854B7
Part of subcall function 00000001400853A0: EnumDisplayDevicesW.USER32 ref: 000000014008555B

Part of subcall function 00000001400852C0: RegGetValueA.ADVAPI32 ref: 0000000140085329

Part of subcall function 0000000140084FB0: GetUserNameW.ADVAPI32 ref: 0000000140084FF5

Part of subcall function 0000000140085050: GetComputerNameW.KERNEL32 ref: 0000000140085095

GlobalMemoryStatusEx.KERNEL32 ref: 000000014008736C
wcsftime.LIBCMT ref: 0000000140087B62
GetModuleFileNameA.KERNEL32 ref: 0000000140087CF6

Strings

cpu, xrefs: 0000000140087208
time, xrefs: 0000000140087C31
%d-%m-%Y, %H:%M:%S, xrefs: 0000000140087B4F
ram, xrefs: 000000014008744B
gpu, xrefs: 0000000140087112
user_name, xrefs: 000000014008701F
timezone, xrefs: 0000000140088004
system, xrefs: 0000000140086FD4, 00000001400870C3, 00000001400871B9, 00000001400872B3, 00000001400873FB, 00000001400874F5, 00000001400875E8, 000000014008776F, 0000000140087960, 0000000140087BE1, 0000000140087DA4, 0000000140087FBE, 000000014008815D, 0000000140088307, 00000001400883CD
computer_name, xrefs: 0000000140087544

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Name$DevicesDisplayEnum$ComputerCurrentFileGlobalMemoryModuleProfileStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 2509368203-1182675529
Opcode ID: a46e5203c657c07eb4b7182e7fef379a7db23a876a87c17c3647340b6bfc226d
Instruction ID: 0cfcea1034b7f9981394cb5387c0e5e44c922b0cc561fc60f0db12949e2aba7b
Opcode Fuzzy Hash: a46e5203c657c07eb4b7182e7fef379a7db23a876a87c17c3647340b6bfc226d
Instruction Fuzzy Hash: DDF26B73614BC085DB22CB26E8903DD77A1F799798F419616FB8D17BA9EB78C290C700

Function 000000014003C5E0 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 862
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000000014003C6CC
GetProcAddress.KERNEL32 ref: 000000014003C7D7
GetProcAddress.KERNEL32 ref: 000000014003C899
GetProcAddress.KERNEL32 ref: 000000014003C913
GetProcAddress.KERNEL32 ref: 000000014003C995
GetProcAddress.KERNEL32 ref: 000000014003CA0F
GetProcAddress.KERNEL32 ref: 000000014003CA93
FreeLibrary.KERNEL32 ref: 000000014003D5C1

Strings

vault, xrefs: 000000014003D423
system, xrefs: 000000014003D3CD
cannot use push_back() with , xrefs: 000000014003D60F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2449869053-1741236777
Opcode ID: 0d948670e934948f9399bcc25d98691fce76d742d32ec229edf0addd9f7a4c44
Instruction ID: 2ec4e2a7ae8c91d38f5a8356c21f69af9047b71e87f6ad347462173074feb4f2
Opcode Fuzzy Hash: 0d948670e934948f9399bcc25d98691fce76d742d32ec229edf0addd9f7a4c44
Instruction Fuzzy Hash: 3F925E72205BC489DB628F26E8843DE77B4F749798F104216EB9D4BBA9EF74C694C300

Function 000000014007B500 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 161
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014007E710: GetCurrentProcess.KERNEL32 ref: 000000014007E74B
Part of subcall function 000000014007E710: OpenProcessToken.ADVAPI32 ref: 000000014007E75E
Part of subcall function 000000014007E710: GetTokenInformation.ADVAPI32 ref: 000000014007E79A
Part of subcall function 000000014007E710: CloseHandle.KERNEL32 ref: 000000014007E7BB

ExitProcess.KERNEL32 ref: 000000014007B547
OpenMutexA.KERNEL32 ref: 000000014007B662
ExitProcess.KERNEL32 ref: 000000014007B672
CreateMutexA.KERNEL32 ref: 000000014007B691
ExitProcess.KERNEL32 ref: 000000014007B6B7

Part of subcall function 000000014007EA50: GetModuleFileNameW.KERNEL32 ref: 000000014007EA9A

Part of subcall function 0000000140089330: CoInitializeEx.OLE32 ref: 000000014008939A

Strings

SeImpersonatePrivilege, xrefs: 000000014007B55A
SeDebugPrivilege, xrefs: 000000014007B54E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Process$Exit$MutexOpenToken$CloseCreateCurrentFileHandleInformationInitializeModuleName
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 4279366119-3768118664
Opcode ID: c15579a596aae32c568705457757ddd2bb20bc35d715638889c75400a0ff4399
Instruction ID: 962da8f413caa45279bf650923a9d6b93aba050168666a2f2076e0c646855bcd
Opcode Fuzzy Hash: c15579a596aae32c568705457757ddd2bb20bc35d715638889c75400a0ff4399
Instruction Fuzzy Hash: AF619F72218A8581EA26AB66E4553EEA391FBCD7C4F505615F78E43AF6EF3CC040CB11

Function 0000000140034B70 Relevance: 15.3, APIs: 3, Strings: 5, Instructions: 1343registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014003509B
RegQueryValueExA.ADVAPI32 ref: 00000001400350E9
RegCloseKey.ADVAPI32 ref: 0000000140035186

Strings

content, xrefs: 00000001400355A3, 0000000140035BF6, 0000000140036120
status, xrefs: 0000000140036403, 0000000140036413
directory_iterator::directory_iterator, xrefs: 0000000140036441
filename, xrefs: 000000014003549A, 0000000140035A28, 0000000140035F59
exists, xrefs: 0000000140036398, 00000001400363E3, 000000014003647A

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3677997916-3429737954
Opcode ID: 175320917f964c83a506369eff2fb3a54cecadb9ef131e354b589dabf4103beb
Instruction ID: 23406d12f56c9c9c5856e535017d7a69c74f1142575ed8a38387d0c1f75b00f7
Opcode Fuzzy Hash: 175320917f964c83a506369eff2fb3a54cecadb9ef131e354b589dabf4103beb
Instruction Fuzzy Hash: 81E25F72614BC08AEB62DF35D8803DD73A5F789798F505216EB9D4BAA9EF74C684C300

Function 0000000140032CA0 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 789
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140033022
RegQueryValueExA.ADVAPI32 ref: 000000014003306A
RegCloseKey.ADVAPI32 ref: 00000001400330F7

Strings

content, xrefs: 0000000140033694
status, xrefs: 00000001400339F9
directory_iterator::directory_iterator, xrefs: 00000001400339DD
filename, xrefs: 0000000140033500
exists, xrefs: 00000001400339BE

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3677997916-3429737954
Opcode ID: bd29fab57e6ba89ddd447dda21f70310d0c0f8bbbc31d0296f751e6485ff42c4
Instruction ID: 62805d46291fcd4fccf0c70bfe2eedc485df16924868f35b375ef2d556690b27
Opcode Fuzzy Hash: bd29fab57e6ba89ddd447dda21f70310d0c0f8bbbc31d0296f751e6485ff42c4
Instruction Fuzzy Hash: FB825C72611BC48AEB228F36D8803DE73A1F789798F505216EB9D57BA9EF74C584C300

Function 00000001400A16FC Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00000001400A1741

Part of subcall function 00000001400A0DA8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A0DBC

Part of subcall function 000000014009BC88: HeapFree.KERNEL32 ref: 000000014009BC9E
Part of subcall function 000000014009BC88: GetLastError.KERNEL32 ref: 000000014009BCA8

Part of subcall function 00000001400AA344: _invalid_parameter_noinfo.LIBCMT ref: 00000001400AA28F

_get_daylight.LIBCMT ref: 00000001400A1730

Part of subcall function 00000001400A0E08: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A0E1C

_get_daylight.LIBCMT ref: 00000001400A19A6
_get_daylight.LIBCMT ref: 00000001400A19B7
_get_daylight.LIBCMT ref: 00000001400A19C8
GetTimeZoneInformation.KERNEL32 ref: 00000001400A19EF

Strings

Eastern Summer Time, xrefs: 00000001400A1AAD
Eastern Standard Time, xrefs: 00000001400A1A95

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 355007559-239921721
Opcode ID: f970efac1f66613c336eacff4caa9cfbe84d0ab26aa53302a62d3075d5a24a6d
Instruction ID: 0e2af64cfaed83a3ab014c0441055b0818baa83ef077c612d66b586912d86e0e
Opcode Fuzzy Hash: f970efac1f66613c336eacff4caa9cfbe84d0ab26aa53302a62d3075d5a24a6d
Instruction Fuzzy Hash: 40D1E43670064086E762EF67E8513E967A1F7ACBD4F448225FF4947AE5DB38D481CB40

Function 00000001400840A0 Relevance: 13.9, APIs: 9, Instructions: 408
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000000014008426B
InternetOpenUrlA.WININET ref: 0000000140084348
HttpQueryInfoW.WININET ref: 00000001400843A9
HttpQueryInfoW.WININET ref: 0000000140084442
InternetQueryDataAvailable.WININET ref: 0000000140084486
InternetReadFile.WININET ref: 0000000140084549
InternetQueryDataAvailable.WININET ref: 0000000140084614
InternetCloseHandle.WININET ref: 00000001400846BE
Concurrency::cancel_current_task.LIBCPMT ref: 000000014008471B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen$CloseConcurrency::cancel_current_taskFileHandleRead
String ID:
API String ID: 1475545111-0
Opcode ID: 5564f8b7e3b8cda5b9e7844f531143998aac2b6f73e955ce09d41620cba67f2b
Instruction ID: f0be8985bf0e26381fb0b58506fa69bef840138c90a8d4bbed39db66bf6f3b00
Opcode Fuzzy Hash: 5564f8b7e3b8cda5b9e7844f531143998aac2b6f73e955ce09d41620cba67f2b
Instruction Fuzzy Hash: 27024933A14B9486EB11CB6AE84039E77A5F7997D8F104215FF9857BA9EF78C190C700

Function 00000001400BEF18 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400BEAFC: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BEB3D
Part of subcall function 00000001400BEAFC: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BEBBB
Part of subcall function 00000001400BEAFC: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BEC0C

CreateFileW.KERNEL32 ref: 00000001400BF01E
CreateFileW.KERNEL32 ref: 00000001400BF06E
GetLastError.KERNEL32 ref: 00000001400BF09E
GetFileType.KERNEL32 ref: 00000001400BF0B3
GetLastError.KERNEL32 ref: 00000001400BF0BD
CloseHandle.KERNEL32 ref: 00000001400BF0F0
CloseHandle.KERNEL32 ref: 00000001400BF253
CreateFileW.KERNEL32 ref: 00000001400BF288
GetLastError.KERNEL32 ref: 00000001400BF297

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: ad973e6908b5c5e029224e3ab01ca94b19cb4adaabd133e22d80478e6497b413
Instruction ID: 320eb96e718149e4e7e60864c9bbf8eacca92e1ca184eaa25a96958780752bf2
Opcode Fuzzy Hash: ad973e6908b5c5e029224e3ab01ca94b19cb4adaabd133e22d80478e6497b413
Instruction Fuzzy Hash: 41C1AB76720A418AEB11CFAAC4917EC37B1E74DBE8F115615EB2A9B7A5CB38C452C700

Function 0000000140065250 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

recursive_directory_iterator::recursive_directory_iterator, xrefs: 000000014006958F, 00000001400695C9, 000000014006971F
status, xrefs: 0000000140069500, 00000001400695D9, 0000000140069690, 0000000140069763, 0000000140069785, 000000014006979B, 00000001400697BD
directory_iterator::directory_iterator, xrefs: 0000000140069753, 0000000140069775, 00000001400697AD
recursive_directory_iterator::operator++, xrefs: 0000000140069578, 0000000140069645, 0000000140069708
cannot use push_back() with , xrefs: 0000000140069525, 00000001400695FE, 00000001400696B5
exists, xrefs: 00000001400694DE, 00000001400695AC, 000000014006966E, 000000014006973C

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 3645842244-1862120484
Opcode ID: faa1d1145ba5e556b848c73fd33eef50efad81b8938a0009e7cdda006ddcc96c
Instruction ID: 031dd4974e96f4dd573688d53c9078fa1c6111530a30c886699dc0fc79c76709
Opcode Fuzzy Hash: faa1d1145ba5e556b848c73fd33eef50efad81b8938a0009e7cdda006ddcc96c
Instruction Fuzzy Hash: FED21272519BC885D6718B1AF88139BB3A1F79D784F505229EBCD53B69EB7CC290CB00

Function 00000001400320B0 Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 684
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140032409
RegQueryValueExA.ADVAPI32 ref: 000000014003244E
RegCloseKey.ADVAPI32 ref: 00000001400324F7

Strings

content, xrefs: 0000000140032915
directory_iterator::directory_iterator, xrefs: 0000000140032C64
filename, xrefs: 0000000140032787
exists, xrefs: 0000000140032C42

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename
API String ID: 3677997916-1400943384
Opcode ID: 2316d6660ad33f69ae55bd29c0a13a611ed398c49c268220a2994983f1843a00
Instruction ID: fdd2384dfce0150235b7be390f6418f44b90b76628f1849b6480400e0b2e9a5f
Opcode Fuzzy Hash: 2316d6660ad33f69ae55bd29c0a13a611ed398c49c268220a2994983f1843a00
Instruction Fuzzy Hash: 7D724C72611BC499EB228F36D8803DD77A0F789798F109215EB9D5BBA9EF74C680C340

Function 000000014007DF10 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 451
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileSize.KERNEL32 ref: 000000014007E151
SetFilePointer.KERNEL32 ref: 000000014007E204
ReadFile.KERNEL32 ref: 000000014007E233

Strings

ios_base::failbit set, xrefs: 000000014007E66D
ios_base::eofbit set, xrefs: 000000014007E674
ios_base::badbit set, xrefs: 000000014007E661, 000000014007E6DF
exists, xrefs: 000000014007E6BA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: File$PointerReadSize
String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 404940565-15404121
Opcode ID: 0683f384183c2aee485083eaa643c96062efc2106c8fae226bcd34debfb2e5c9
Instruction ID: a7efa278b789a091a952ecf7804818e508a819529244d4e7b1ee4b8bfe63f7b0
Opcode Fuzzy Hash: 0683f384183c2aee485083eaa643c96062efc2106c8fae226bcd34debfb2e5c9
Instruction Fuzzy Hash: 69322632611BC489EB21CF35D8807DD77A1F789B88F508226EB8D5BBA9EB74C645C700

Function 00000001400A1978 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00000001400A19A6

Part of subcall function 00000001400A0E08: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A0E1C

_get_daylight.LIBCMT ref: 00000001400A19B7

Part of subcall function 00000001400A0DA8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A0DBC

_get_daylight.LIBCMT ref: 00000001400A19C8

Part of subcall function 00000001400A0DD8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A0DEC

Part of subcall function 000000014009BC88: HeapFree.KERNEL32 ref: 000000014009BC9E
Part of subcall function 000000014009BC88: GetLastError.KERNEL32 ref: 000000014009BCA8

GetTimeZoneInformation.KERNEL32 ref: 00000001400A19EF

Strings

Eastern Summer Time, xrefs: 00000001400A1AAD
Eastern Standard Time, xrefs: 00000001400A1A95

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 346ab8a5c4df6500431c541ba2f0bca230f1ecc7217e036000549d6e711d945f
Instruction ID: 4ab37d3fa7c9fdb582fe448a726573fe52a466e20a16ed51a879e3e0b2c8cc1e
Opcode Fuzzy Hash: 346ab8a5c4df6500431c541ba2f0bca230f1ecc7217e036000549d6e711d945f
Instruction Fuzzy Hash: 8951613621064086F762EF67F9817D97760F7ACBC4F444626FB4987AB6DB38D4818B40

Function 0000000140097A4C Relevance: 9.2, APIs: 6, Instructions: 227COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140097A6E
_get_daylight.LIBCMT ref: 0000000140097ACE
_get_daylight.LIBCMT ref: 0000000140097ADF
_get_daylight.LIBCMT ref: 0000000140097AF0
_isindst.LIBCMT ref: 0000000140097B41
_isindst.LIBCMT ref: 0000000140097B94

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 500d264b94c76e10bb7ad506ef0a555ed75bc66b43a59da6eb24dc754e51f7a2
Instruction ID: 28c35c292e486cd51e7828065e4e2486622d87188324d2f30eb372141ce4aa21
Opcode Fuzzy Hash: 500d264b94c76e10bb7ad506ef0a555ed75bc66b43a59da6eb24dc754e51f7a2
Instruction Fuzzy Hash: 1A81C7B3B012458BEB598F36D9417EC63A5E798BC8F049129EB0D8B7A9EB38D541C740

Function 0000000140048E80 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 0000000140049034
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140049042
__std_exception_destroy.LIBVCRUNTIME ref: 00000001400492C5
__std_exception_destroy.LIBVCRUNTIME ref: 00000001400492D3

Strings

value, xrefs: 0000000140048F5A, 00000001400491F3

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: f3ab481adf26e7fc62f689a1b14253d57f24bd398a58451cc93ee0ee3af88f39
Instruction ID: 4157f297126a23fe588f45231007c796bee3a81a254ffe5b804a119b388bf979
Opcode Fuzzy Hash: f3ab481adf26e7fc62f689a1b14253d57f24bd398a58451cc93ee0ee3af88f39
Instruction Fuzzy Hash: 17028B72624BC085EB02DB76D4803ED6761E78A7E4F515222FB9E43AEADF78C185C700

Function 000000014003D680 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003D6CA
Process32FirstW.KERNEL32 ref: 000000014003D70C
Process32NextW.KERNEL32 ref: 000000014003D903
CloseHandle.KERNEL32 ref: 000000014003DB7A

Strings

[PID: , xrefs: 000000014003D74E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: [PID:
API String ID: 420147892-2210602247
Opcode ID: 0c950f8b155bc2ef1efead22239ab0028e84ac47bfa0f278c3d4f43e35984d4a
Instruction ID: cece93d552114422a5db79efb6cb5b095d6d34e54e317ad826c2fed787882349
Opcode Fuzzy Hash: 0c950f8b155bc2ef1efead22239ab0028e84ac47bfa0f278c3d4f43e35984d4a
Instruction Fuzzy Hash: 54E16172614BC085EB22DB26E8803DE77A5F7897A4F505216FB9D47BA9DF78C284C700

Function 000000014008A560 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014008A5AE
OpenProcessToken.ADVAPI32 ref: 000000014008A5C1
LookupPrivilegeValueW.ADVAPI32 ref: 000000014008A5E2
AdjustTokenPrivileges.ADVAPI32 ref: 000000014008A628
CloseHandle.KERNEL32 ref: 000000014008A648

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 012d78ec9778671e051357f93a4634913505e7a4763b4c3b036141e78afb5143
Instruction ID: e6ed573dd5adc179a62c0c43ff1dd623381a8e6f68e1d36954cd8c9a6a60e3b9
Opcode Fuzzy Hash: 012d78ec9778671e051357f93a4634913505e7a4763b4c3b036141e78afb5143
Instruction Fuzzy Hash: 8E215C32218B8082E761CF22F45439AB7A0FB8DBD0F598125FB8947B68DF7DC5568B00

Function 000000014003BA80 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 671COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32 ref: 000000014003BAE2
CredFree.ADVAPI32 ref: 000000014003C506

Strings

cannot use push_back() with , xrefs: 000000014003C554

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: cannot use push_back() with
API String ID: 3403564193-4122110429
Opcode ID: fbaaafad7e4c248f5a6ccb509bfbe2770017f78eb61105b3f1b1e9e1a46d0c20
Instruction ID: 15e837bc0680750b5105bb68f1ec756bb9003d5bb125d07902e424ac5bc16deb
Opcode Fuzzy Hash: fbaaafad7e4c248f5a6ccb509bfbe2770017f78eb61105b3f1b1e9e1a46d0c20
Instruction Fuzzy Hash: 34627D72614BC489EB228F26E8803DE7761F789798F504316EBAD57BA9DB74C294C700

Function 0000000140086250 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 0000000140086580

Strings

[UTC, xrefs: 0000000140086553

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID: [UTC
API String ID: 565725191-1715286942
Opcode ID: dae8efce5d2530c78139cd26f997094fb4b1ed245d954789b40324fff528bad9
Instruction ID: 0f088bd619a210dec1cb0986f13bb44e3f6854156ff9e1ffbd8192f932ae259b
Opcode Fuzzy Hash: dae8efce5d2530c78139cd26f997094fb4b1ed245d954789b40324fff528bad9
Instruction Fuzzy Hash: 5CB12832614BC88AD7718F2AE84139AB7A5F79C788F105315EBCC57B69EB78C250CB44

Function 000000014007B7D0 Relevance: 3.4, APIs: 2, Instructions: 391COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014007B833
ShellExecuteW.SHELL32 ref: 000000014007BE7A

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShell
String ID:
API String ID: 1703432166-0
Opcode ID: 8cf5c74d64a0911ccf009ca7f061b764517e4121d83dc6aa143f050b31a04890
Instruction ID: fcdc6028fe68c1de9c1d61a4c27d8a3d82f381935235dac80c5d4554a44c27d4
Opcode Fuzzy Hash: 8cf5c74d64a0911ccf009ca7f061b764517e4121d83dc6aa143f050b31a04890
Instruction Fuzzy Hash: AA121772625F848ADB418F2AE88079EB3A4F788788F506215FFDD57B69EB38C150C700

Function 0000000140076AA0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0000000140076AF8
LocalFree.KERNEL32 ref: 0000000140076B8A

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 0f57a5f6f00cf3114cdad985b88ad97b4443b737a92ed5702ae11a0636d70846
Instruction ID: 7804563b8dd68e9e0661087fd5dbb69b584154c51fa0838d7a27f1f595743b83
Opcode Fuzzy Hash: 0f57a5f6f00cf3114cdad985b88ad97b4443b737a92ed5702ae11a0636d70846
Instruction Fuzzy Hash: FC416032614B80CAE3219F75E4403ED37A4F75978CF084229BB8907E9ADB79C6A4C758

Function 0000000140084FB0 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0000000140084FF5

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e5988426a38de09ee6cf2dd1c57c0096c2fcff121a7d67ee165aa271772a2a34
Instruction ID: 4cc3c8844ba736298f8bd32032979993a0d240d019a900159361ccb08714f342
Opcode Fuzzy Hash: e5988426a38de09ee6cf2dd1c57c0096c2fcff121a7d67ee165aa271772a2a34
Instruction Fuzzy Hash: FC011B3261868082E762DF26E8513DAB3A4F79C7C8F441226FB8D47669DBBCC194CB40

Function 000000014007DAE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014007D860: InitializeCriticalSectionEx.KERNEL32 ref: 000000014007D8B1
Part of subcall function 000000014007D860: GetLastError.KERNEL32 ref: 000000014007D8BB

EnterCriticalSection.KERNEL32 ref: 000000014007DB21
GdiplusStartup.GDIPLUS ref: 000000014007DB48
LeaveCriticalSection.KERNEL32 ref: 000000014007DB56
LeaveCriticalSection.KERNEL32 ref: 000000014007DB84
GdipGetImageEncodersSize.GDIPLUS ref: 000000014007DB92
GdipGetImageEncoders.GDIPLUS ref: 000000014007DC26
GdipCreateBitmapFromScan0.GDIPLUS ref: 000000014007DCF0
GdipSaveImageToStream.GDIPLUS ref: 000000014007DD0E
GdipDisposeImage.GDIPLUS ref: 000000014007DD73
GdipDisposeImage.GDIPLUS ref: 000000014007DD87

Strings

&, xrefs: 000000014007DCEA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: 0b8d952391a50375ef43d6746334d8a0080f61def9520b6ac6a34ec75f65a789
Instruction ID: 9499a8a96b76f9eeaec96d38e309a061bbf0e919148de72399f1f56bad800c58
Opcode Fuzzy Hash: 0b8d952391a50375ef43d6746334d8a0080f61def9520b6ac6a34ec75f65a789
Instruction Fuzzy Hash: EE911932200B819AEB229F22E8407D977B4F75CBD8F558217FB5957BA4DB38C995C380

Function 000000014007EB00 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 226
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140084730: GetUserGeoID.KERNEL32 ref: 0000000140084757
Part of subcall function 0000000140084730: GetGeoInfoA.KERNEL32 ref: 0000000140084771
Part of subcall function 0000000140084730: GetGeoInfoA.KERNEL32 ref: 00000001400847C1

WSAStartup.WS2_32 ref: 000000014007EC1E
socket.WS2_32 ref: 000000014007EC3B
htons.WS2_32 ref: 000000014007EC60
inet_pton.WS2_32 ref: 000000014007ECA2
connect.WS2_32 ref: 000000014007ECBC
closesocket.WS2_32 ref: 000000014007ECDB
WSACleanup.WS2_32 ref: 000000014007ECE1

Strings

system, xrefs: 000000014007EB8A
geo, xrefs: 000000014007EBCB

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 213021568-2364779556
Opcode ID: a5fc31a0c41ff5a27f15f016aa5db4085f620b944739da052a686bf5863c471a
Instruction ID: a025bd78097a622ce99f6dd631d164278a997d1e4bf617748a8d7ff18237b3ae
Opcode Fuzzy Hash: a5fc31a0c41ff5a27f15f016aa5db4085f620b944739da052a686bf5863c471a
Instruction Fuzzy Hash: BEB18D72B11A8095FB02DBB6D4803DC33B2AB9DB98F415216EB5927BF9DE38C546C340

Function 000000014009F1EC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009F619

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5d540c859c83c58d2e94c1ec18d5dac562cac1a1d1764d75889ecbbe6435b051
Instruction ID: 89a76c2e7bd64f2e292d0171c67a85ad1a22fb2b88445312a06a55af962eb3af
Opcode Fuzzy Hash: 5d540c859c83c58d2e94c1ec18d5dac562cac1a1d1764d75889ecbbe6435b051
Instruction Fuzzy Hash: 2EC1F372218B8192EB629F57A4403FE7BA4F799BD4F594111FB4A077B1CFB8C8859700

Function 000000014007D940 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 000000014007D983
EnterCriticalSection.KERNEL32 ref: 000000014007D995
EnterCriticalSection.KERNEL32 ref: 000000014007D9A5
GdiplusShutdown.GDIPLUS ref: 000000014007D9B3
LeaveCriticalSection.KERNEL32 ref: 000000014007D9C0
LeaveCriticalSection.KERNEL32 ref: 000000014007D9CA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 311328e0c1a3d6f09e9d2e4e36d225c093cfd7f693314f7d25c72e43ed53fafa
Instruction ID: ccad471ceb86da12b8052557114d3172f4fe174a1baea1f974d0ccb94854474a
Opcode Fuzzy Hash: 311328e0c1a3d6f09e9d2e4e36d225c093cfd7f693314f7d25c72e43ed53fafa
Instruction Fuzzy Hash: 19112532511B5091EB169F26E84039D73B4FB48FA8F288216AB6E076B4CF39C897C350

Function 0000000140083890 Relevance: 6.4, APIs: 4, Instructions: 417networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0000000140083A6C
recv.WS2_32 ref: 0000000140083F4C
closesocket.WS2_32 ref: 0000000140083F5E
WSACleanup.WS2_32 ref: 0000000140083F64

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: recv$Cleanupclosesocket
String ID:
API String ID: 146070474-0
Opcode ID: e3529e4f086e916588a050fb794958e2ac0093eb24aceede0b4d9dbc2b460c77
Instruction ID: 2da43283a9dc6e515e407d9e93031c35698a04021dc8004dc304920df4a58cdd
Opcode Fuzzy Hash: e3529e4f086e916588a050fb794958e2ac0093eb24aceede0b4d9dbc2b460c77
Instruction Fuzzy Hash: 6E128D73618BC481EA229B26E4443DEA761F7DD7D0F505216EBAD47AEADF78C580CB00

Function 000000014007E710 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014007E74B
OpenProcessToken.ADVAPI32 ref: 000000014007E75E
GetTokenInformation.ADVAPI32 ref: 000000014007E79A
CloseHandle.KERNEL32 ref: 000000014007E7BB

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 90ae23b39752d8e562d256ccd9c16a94bf4e7d6f39fa52c22aeb40f361b48fa7
Instruction ID: b5218933ea7703c7e048df4ba95b441abb8dda8107fd4ab30233c47b2b803c5e
Opcode Fuzzy Hash: 90ae23b39752d8e562d256ccd9c16a94bf4e7d6f39fa52c22aeb40f361b48fa7
Instruction Fuzzy Hash: 5211FB72219B8082E7519F16F84038AB7A0FB8DB80F559125FB9947B68CF3CC455CB40

Function 00000001400852C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegGetValueA.ADVAPI32 ref: 0000000140085329

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 000000014008531B
ProductName, xrefs: 0000000140085314

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Value
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3702945584-1787575317
Opcode ID: 45beb6f7e78784f3d9509a1d3ea3717a7d34e9a73ec6a4c6398bfce9d8be6136
Instruction ID: 0923dad602657fcfdd4189dd7accdda6bd0898d30bf99b6bbaeadf04a2d916fd
Opcode Fuzzy Hash: 45beb6f7e78784f3d9509a1d3ea3717a7d34e9a73ec6a4c6398bfce9d8be6136
Instruction Fuzzy Hash: 55115E32208B8082EB219F22F4413DAB3A4F79DB88F904215EB9C47B69DFBCC155CB40

Function 0000000140083C17 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0000000140083F4C
closesocket.WS2_32 ref: 0000000140083F5E
WSACleanup.WS2_32 ref: 0000000140083F64

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Cleanupclosesocketrecv
String ID:
API String ID: 3447645871-0
Opcode ID: 95e3429f520675f56c4b97f154f99d7dc85828c673adf1d39d37ca96e1e6d654
Instruction ID: 7db60b0abc5ae50f8d1ed737cd1e66b44ba841ec5a06357c0ac7b1b80de7ea70
Opcode Fuzzy Hash: 95e3429f520675f56c4b97f154f99d7dc85828c673adf1d39d37ca96e1e6d654
Instruction Fuzzy Hash: 989150B3A14BC481EA228B26E4443DE6761F7D97E0F505315EBAD07AEADF78C581C700

Function 0000000140085FB1 Relevance: 4.7, APIs: 3, Instructions: 163registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140085FC9
RegEnumKeyExA.ADVAPI32 ref: 000000014008600E
RegCloseKey.ADVAPI32 ref: 0000000140086204

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: fa56d9e272c57ab1efd7a57ecb14589b071b14ab9fb351ea4e3d4cd9b7db20a5
Instruction ID: 3126900138017e27c26b7e97fdf396bcda76f2f26d0a694c5074764b3548d2ce
Opcode Fuzzy Hash: fa56d9e272c57ab1efd7a57ecb14589b071b14ab9fb351ea4e3d4cd9b7db20a5
Instruction Fuzzy Hash: DF716C73A04B8486EB11CB66E44479E7761F7897E8F104616FBA917AEADF78C1C1C700

Function 0000000140085F40 Relevance: 4.6, APIs: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140085FC9
RegEnumKeyExA.ADVAPI32 ref: 000000014008600E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: 6550f83a76ef02cb639577a8c322407ba9ca0699da3057204f7e0e5f7f356cfe
Instruction ID: d7a65414a419a411271327cc786576db46dcb625295add4502772783f8e551d9
Opcode Fuzzy Hash: 6550f83a76ef02cb639577a8c322407ba9ca0699da3057204f7e0e5f7f356cfe
Instruction Fuzzy Hash: CB319C32600B8086EB218BA2E854B9E77A4F7497D8F200615EF9917B65DF38C192C700

Function 00000001400ACB04 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00000001400ACB1D
FreeEnvironmentStringsW.KERNEL32 ref: 00000001400ACB8F

Part of subcall function 000000014009D17C: HeapAlloc.KERNEL32 ref: 000000014009D1BA

FreeEnvironmentStringsW.KERNEL32 ref: 00000001400ACBEE

Part of subcall function 000000014009BC88: HeapFree.KERNEL32 ref: 000000014009BC9E
Part of subcall function 000000014009BC88: GetLastError.KERNEL32 ref: 000000014009BCA8

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 852ce6a3aa10158de52a943532ee1263c9941556433ed56d8c0fe7e0096677f1
Instruction ID: 258d45838a42909b4d495c2cc59036331f00c14b156d323c19056bd3fcf00d93
Opcode Fuzzy Hash: 852ce6a3aa10158de52a943532ee1263c9941556433ed56d8c0fe7e0096677f1
Instruction Fuzzy Hash: F831B13122478081EA269F2768417EA76A4B79CFD4F494319BB4A57BE5DF39C4818B00

Function 0000000140085C7B Relevance: 4.6, APIs: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140085C97
RegQueryValueExA.ADVAPI32 ref: 0000000140085CD6
RegCloseKey.ADVAPI32 ref: 0000000140085D74

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 98a3e54482a17532a660a8fa1cab900c309b5f6fda42c005ceacfcf74f8e1bea
Instruction ID: 3f4b0842e8fc82fdf074bf0f3e32c2781c2fe54cfa2cd97e6c43f32abcda0346
Opcode Fuzzy Hash: 98a3e54482a17532a660a8fa1cab900c309b5f6fda42c005ceacfcf74f8e1bea
Instruction Fuzzy Hash: AD218173614B8481EA619B26E49439EA760FBDD7D4F505212FB8E47AB9EE3CC185CB00

Function 0000000140084730 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 0000000140084757
GetGeoInfoA.KERNEL32 ref: 0000000140084771
GetGeoInfoA.KERNEL32 ref: 00000001400847C1

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: 09ae55b4e622fe248be01bc66097043d67a2342efe4101a7f522a741858beff8
Instruction ID: 0da6c51708aae802c1c715e5ab97e643279c3131667dc25065de9ec91bfb8954
Opcode Fuzzy Hash: 09ae55b4e622fe248be01bc66097043d67a2342efe4101a7f522a741858beff8
Instruction Fuzzy Hash: 3811BF32A1878183D7118F62F41479EB3A2FB84FC8F445125EB8503B69DF7CD5908B84

Function 00000001400A3820 Relevance: 4.5, APIs: 3, Instructions: 15COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000001400A3831
TerminateProcess.KERNEL32 ref: 00000001400A383C
ExitProcess.KERNEL32 ref: 00000001400A384B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8894e589db04ddd2d14810d04fdd379fe1a67dc706d1f09feb04222f201663c3
Instruction ID: 2ea921b5de8585c7ead1c9c47d07aa2049e2c11de3f04c0e1d401d775a7a3a6d
Opcode Fuzzy Hash: 8894e589db04ddd2d14810d04fdd379fe1a67dc706d1f09feb04222f201663c3
Instruction Fuzzy Hash: 84D0923870070693EB1A6B7268963EC52266F6DBC1F14292CBA03073B3CE3D888E4611

Function 0000000140040E70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014004105C

Strings

, xrefs: 0000000140040EF3

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-3916222277
Opcode ID: b97fa85fd6d080112689539a1df79cb63ca38774697952c274d3f990b54ca2e5
Instruction ID: 4a1abb7f16d831aa52622629eddc64690d6838a0f628c8f588688f42a2f75156
Opcode Fuzzy Hash: b97fa85fd6d080112689539a1df79cb63ca38774697952c274d3f990b54ca2e5
Instruction Fuzzy Hash: 93515572304B8496EB268F2AD19439C33A0F388BD4F954622EF5D53BA5CF79D4A6C304

Function 0000000140085AD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 0000000140085B0C

Strings

Unknown, xrefs: 0000000140085BC6

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 370ad8d10583bea3bf14cf6bd73c985662e30a083e550bf09a4d6a2d7c1b6686
Instruction ID: fc0f38fc8322fcab52c5dd085439699fc5d39dddd363d65fb3ed261f826ffc69
Opcode Fuzzy Hash: 370ad8d10583bea3bf14cf6bd73c985662e30a083e550bf09a4d6a2d7c1b6686
Instruction Fuzzy Hash: 8A31CD33628BC086E711CF22E4403DAB760F7A9B84F545215FBCA17A6ADB7CC695CB00

Function 00000001400474A0 Relevance: 3.2, APIs: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400475E0
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400476DF

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 7b4fe20866bdcc0bac301f3d6566340bd892cf834fe267d167d240e53d73b122
Instruction ID: 71a22894ff747ab8b3437f2b7930de81b013a1e249af08e6b7946cdfb5fda7e0
Opcode Fuzzy Hash: 7b4fe20866bdcc0bac301f3d6566340bd892cf834fe267d167d240e53d73b122
Instruction Fuzzy Hash: BB5106B2301B4095EE269F27A5007E96256E74CBE4F590631FF6D0B7F6EE78C4818304

Function 000000014007DDC0 Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 000000014007DE19
CoTaskMemFree.OLE32 ref: 000000014007DEDA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: FolderFreeKnownPathTask
String ID:
API String ID: 969438705-0
Opcode ID: 802f0dca9c775e43cdb46f403647510168036d8998da0434065c44830da239a0
Instruction ID: 55715e2a66dfc52912f6fef3d118ca5409f61bb99c4b7665450f664eadaf1565
Opcode Fuzzy Hash: 802f0dca9c775e43cdb46f403647510168036d8998da0434065c44830da239a0
Instruction Fuzzy Hash: BE316672A14B8081E621CF26E44139EB761F79D7F4F105316FBAD47AA9DB7CC1818B40

Function 0000000140092F08 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140092F2F

Part of subcall function 0000000140092EC4: _invalid_parameter_noinfo.LIBCMT ref: 0000000140092EDB

_invalid_parameter_noinfo.LIBCMT ref: 0000000140092FE3

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 634ca63b1299db0c69c46a9c87062dc1bde1b4139033e41e1825c3da2e6d69db
Instruction ID: d670c74a3cad8dea1a861d3376d60556d5dbf12abfbe617c3eb3189632f6d3bf
Opcode Fuzzy Hash: 634ca63b1299db0c69c46a9c87062dc1bde1b4139033e41e1825c3da2e6d69db
Instruction Fuzzy Hash: BB31DD72210A4481EE56EB56E8613E963A0E79CBC0F940631F75E473F2EB38C545CB00

Function 000000014007C400 Relevance: 3.1, APIs: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007C451
RegCloseKey.ADVAPI32 ref: 000000014007C463

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: e2db2b8549d09c46c0c409d88c472a4204a4d469fc154098e38cf9eddf7af88f
Instruction ID: 33e98342e1dbc51f3766f630471af370cdcb195a6e8e0b13f4e2b894d56ac143
Opcode Fuzzy Hash: e2db2b8549d09c46c0c409d88c472a4204a4d469fc154098e38cf9eddf7af88f
Instruction Fuzzy Hash: C221A332725A8045EE519B23E8507EAA760FB9DFD4F495125FB4E43BA9DF3CC4818700

Function 000000014007B6CC Relevance: 3.1, APIs: 2, Instructions: 57synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003D680: CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003D6CA
Part of subcall function 000000014003D680: Process32FirstW.KERNEL32 ref: 000000014003D70C

Part of subcall function 000000014003BA80: CredEnumerateA.ADVAPI32 ref: 000000014003BAE2

Part of subcall function 0000000140083890: recv.WS2_32 ref: 0000000140083A6C

ReleaseMutex.KERNEL32 ref: 000000014007B736
CloseHandle.KERNEL32 ref: 000000014007B73F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: 8b8447a8b915974071f3a08b26181bd4282b7d5f4d27517d31bd520b905839d0
Instruction ID: f10cd317d46a8061a63238d510a0afd0e99a1dcd5fca171a1b6c180d916f7be3
Opcode Fuzzy Hash: 8b8447a8b915974071f3a08b26181bd4282b7d5f4d27517d31bd520b905839d0
Instruction Fuzzy Hash: 3C218C7160868141FA27B7B7A4563EE6340AFCE7D0F145A21FB9A436F7DE3CC0809622

Function 00000001400AD888 Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00000001400AD89F
_RTC_Initialize.LIBCMT ref: 00000001400AD8C0

Part of subcall function 00000001400BC3C8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BC3FA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: 9f55e90913658458d0baa701b2b7b8f387f595ce9a8c9f74acf3b7ee8b8922bb
Instruction ID: bf1a4c9bad61c6cf295336fbe84c7c5893434da79de8b2b3da9e20f25465f2a6
Opcode Fuzzy Hash: 9f55e90913658458d0baa701b2b7b8f387f595ce9a8c9f74acf3b7ee8b8922bb
Instruction Fuzzy Hash: 0211A23466024142FE177BF3445B7ED31954BBD3C0F441A29B756972F3EEB889814AA2

Function 000000014007B6FD Relevance: 3.0, APIs: 2, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140083890: recv.WS2_32 ref: 0000000140083A6C

ReleaseMutex.KERNEL32 ref: 000000014007B736
CloseHandle.KERNEL32 ref: 000000014007B73F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexReleaserecv
String ID:
API String ID: 2659716615-0
Opcode ID: 795b393336643d9005e1441f54a42898eca0ffb56d6f142cab5f3b3c29d99d1b
Instruction ID: 7c7df572d18e132df0cc7954c78060e49782440cc91fd5e23d273308c34aa20c
Opcode Fuzzy Hash: 795b393336643d9005e1441f54a42898eca0ffb56d6f142cab5f3b3c29d99d1b
Instruction Fuzzy Hash: 24116D7261868141FA67B777A4163EE6350AFCEBD0F145221BB99076F7DE3CC080C611

Function 000000014009F75C Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 000000014009F7A8
GetLastError.KERNEL32 ref: 000000014009F7B2

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bf64b2ca6c828aa2865472cbc32df9119e6dc20bcb509235e4a2de8cfbd7474d
Instruction ID: 46564ee9d56e3c7b5ba1a1fab28bafcdd2752c4fc38c25dfd0f57ce0032245ed
Opcode Fuzzy Hash: bf64b2ca6c828aa2865472cbc32df9119e6dc20bcb509235e4a2de8cfbd7474d
Instruction Fuzzy Hash: 4711A076318B8081EA218B26A4443A9A761E798FF4F644312FF794B7F9DF78C0918740

Function 000000014007B724 Relevance: 3.0, APIs: 2, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 000000014007B736
CloseHandle.KERNEL32 ref: 000000014007B73F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 9c337312b80d2d38a3baa7b6c66967634573851b1351c332d2a925c877b67f73
Instruction ID: 534bebf3c5aab0f9e7bb800e237f7db9ba722c6094160e883dbefabcf6144a52
Opcode Fuzzy Hash: 9c337312b80d2d38a3baa7b6c66967634573851b1351c332d2a925c877b67f73
Instruction Fuzzy Hash: FC018F72A086C142FA66AB3BE4153DD6350ABCDBE1F145311BB9A076F6EF3CC081C600

Function 00000001400AD148 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400AD178

Part of subcall function 00000001400AE19C: std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400AE1A5

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400AD17E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ba3aa8670788eabeaf193c5d6875b73550c8a9037df0e5da198d367d2e00ed63
Instruction ID: 8a138c7820b728ff1b6e361a71ad5426c6f0f74126902d65813b18e6a5a28ee9
Opcode Fuzzy Hash: ba3aa8670788eabeaf193c5d6875b73550c8a9037df0e5da198d367d2e00ed63
Instruction Fuzzy Hash: 21E0127061110555FD2B267318153F520401F6D7F0F1C1B217FB6076F3A978C4D18D10

Function 000000014009BC88 Relevance: 2.5, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014009BC9E
GetLastError.KERNEL32 ref: 000000014009BCA8

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 394618f50db7fbbd1fef49d22478318aab263d5d118c1dceebe5262d95cd9652
Instruction ID: 0b5330ced0e29f78a79284f3cf9380b093bbeb4d8d894d7985c437e0057f45df
Opcode Fuzzy Hash: 394618f50db7fbbd1fef49d22478318aab263d5d118c1dceebe5262d95cd9652
Instruction Fuzzy Hash: 0BE017F5B0160162FF1BA7F3A8563EA12915FACBD0F048420BB19932B2EE3888958610

Function 000000014008DAF0 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014008DD40

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b4170ca246f7b06beccc7ac9e070f92329930d084c876b8179c86b6049eff60d
Instruction ID: d0d4a9a4096f2515e684ff415137a2abc53100603a9f39e4ea57f913a362a5d5
Opcode Fuzzy Hash: b4170ca246f7b06beccc7ac9e070f92329930d084c876b8179c86b6049eff60d
Instruction Fuzzy Hash: E2616873301A8485EA169E17D1543AD37A2F349FD8F558622EF6E0B3E5DB78CA86D300

Function 000000014002E2A0 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 000000014002E3D3

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __std_fs_directory_iterator_open
String ID:
API String ID: 4007087469-0
Opcode ID: 4ad4d258e8038ebb62c4665b52b0a199e7f30c3b6c0de5d0078ad3618b3c21bd
Instruction ID: cf3e95423c2b5032186d8df5afcb552741feadb5e4544773b76807159a3cd90b
Opcode Fuzzy Hash: 4ad4d258e8038ebb62c4665b52b0a199e7f30c3b6c0de5d0078ad3618b3c21bd
Instruction Fuzzy Hash: 0E61C472B40A8096FB12DF7AD4903ED23A1E74D7E8F40462AFF1957BE5EA34C9918300

Function 0000000140047D80 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140047F15

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 03ce9d0e3375c82842fa70db0fb78aa8d24b2234106e7cf032a5740499f0bb4c
Instruction ID: e4b19214cd8291f7c2a3f7ba8663091feaa898583f7ef6e0799addca7407a7b1
Opcode Fuzzy Hash: 03ce9d0e3375c82842fa70db0fb78aa8d24b2234106e7cf032a5740499f0bb4c
Instruction Fuzzy Hash: 7141BC72304A8481EA229F27E5443ED6365F74DBD4F580A35EFAD0B7A6DF38C8418304

Function 0000000140047F30 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400480AC

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 91c1d0024a4ceec18961aef921753dc9ec11f4d7a9d20682904b5b8028ae8ee7
Instruction ID: 14160285011a48e7f41132f3120126f3728569180f830c231f43946f66594cc4
Opcode Fuzzy Hash: 91c1d0024a4ceec18961aef921753dc9ec11f4d7a9d20682904b5b8028ae8ee7
Instruction Fuzzy Hash: 0D41D172310B4485EE62AB17A5043EDA251B34CFD4F584A32BF6D0B7E6DE78C585D308

Function 000000014009C188 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009C1B0

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5bafbbcb6e6413927c3fc9517177ef75b85603921594b8b89ab5417e025dbab1
Instruction ID: d81f1f3b013fd9dff1d6c6ed14603e01849b91a5f7cc6777860c49fb60551185
Opcode Fuzzy Hash: 5bafbbcb6e6413927c3fc9517177ef75b85603921594b8b89ab5417e025dbab1
Instruction Fuzzy Hash: B041D1B262064087EA768B5AE5507E973A4F75ABD0F141205FB8A877F1CB38D803CB51

Function 0000000140047C10 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140047D6B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: fe21941772a21cb610d908efc03c2bf21678114c0b14b86b5384dc1c549e5956
Instruction ID: ae97ad5adc726308d7a98a4495e6a17c3d23bec2a58afecb9af88f47ba5ca4d6
Opcode Fuzzy Hash: fe21941772a21cb610d908efc03c2bf21678114c0b14b86b5384dc1c549e5956
Instruction Fuzzy Hash: 8D310372305B8095EE26AF27A5447EC6266E70CBD4F590635BF6D0B7E6DE78C081C304

Function 00000001400850F0 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 0000000140085180

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 8c851119c1025d19680f206ef99bf1d565e4006ab44c0d104981a73e61e7a8bc
Instruction ID: 3e4f4deb163ecf7065a35b7f87b05c89be95e7df2a8154597d23eeef62723db6
Opcode Fuzzy Hash: 8c851119c1025d19680f206ef99bf1d565e4006ab44c0d104981a73e61e7a8bc
Instruction Fuzzy Hash: C9518E33A14B8089E712CF79E8443DD7760F799788F504212EB8C57AA9DF78C684CB40

Function 0000000140041970 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140041A78

Part of subcall function 000000014002B820: __std_exception_copy.LIBVCRUNTIME ref: 000000014002B868

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy
String ID:
API String ID: 317858897-0
Opcode ID: b2d8e5f1be8f2f8d542de75146d83861674ac033b6a07a4ff179556af76ea083
Instruction ID: a8f0adb98431b775425e9ead8c3c05668da373c0a0ccb6e90c9b6137a0fdfd0e
Opcode Fuzzy Hash: b2d8e5f1be8f2f8d542de75146d83861674ac033b6a07a4ff179556af76ea083
Instruction Fuzzy Hash: 0121E972702B5441EA1AAB56E1403E86290E788BE4F254731EB7C07BE5EE78C9E29340

Function 000000014009F0CC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009F152

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b4453dcf53b1a406caf81c0f7e08a99bf745a785fcbd5ce79fe073e0462c5a7f
Instruction ID: 039b51f25f9133a0960bb8f5086f042a09a8f8d88124adaea2b7abbcf7265592
Opcode Fuzzy Hash: b4453dcf53b1a406caf81c0f7e08a99bf745a785fcbd5ce79fe073e0462c5a7f
Instruction Fuzzy Hash: 8131E3B2614640D6F727AFA7D8413ED6B90A748BE4F810205FB65433F2DBB8C8829B51

Function 00000001400A3751 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400A377F

Part of subcall function 00000001400A3878: GetModuleHandleExW.KERNEL32 ref: 00000001400A389D
Part of subcall function 00000001400A3878: GetProcAddress.KERNEL32 ref: 00000001400A38B3
Part of subcall function 00000001400A3878: FreeLibrary.KERNEL32 ref: 00000001400A38DA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9a4319b1a9349b175a2ab261d3967c41928b3e2b203d956efbe5c9eb3dbfe620
Instruction ID: 1fc59b4a59ae85b46f6b9166bdbff0bb4c7d0c063c157e92636b79c63da886d1
Opcode Fuzzy Hash: 9a4319b1a9349b175a2ab261d3967c41928b3e2b203d956efbe5c9eb3dbfe620
Instruction Fuzzy Hash: 84214AB6A00B848EEB268F65C8443EC37B0E758758F545B2AF72947AE5DF38C585CB40

Function 00000001400BE7B8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BE7DB

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d348ac23900305c462c0690c0df5af421cd1f821f12a258e8e5c958353d8cc37
Instruction ID: 963f332baa30f0764726ce0e89d6d1f8c441babd3b41037a9d74ad3d40288263
Opcode Fuzzy Hash: d348ac23900305c462c0690c0df5af421cd1f821f12a258e8e5c958353d8cc37
Instruction Fuzzy Hash: F6219672214EC087DB669F6AE4403A977B1E788BD4F644224F75D4B6F5DB39C8008B00

Function 00000001400BCAC0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BCA1D

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction ID: 76031a156d145f1e75ff053a72b768cc5537241a87ef5f05dfead53edc72914a
Opcode Fuzzy Hash: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction Fuzzy Hash: 11119631224A4481FA62DF9394107EEA3B4F78DBC8F444421FB94577B6DB7DC8418B52

Function 000000014007FC60 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 000000014007FCA8

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 7b014de7d978259952d8fbf9b19179fb3552117fbf4d6986a0cc05869dadf4b1
Instruction ID: ed63c22e22b379f3c336386ece21b3ad8a2337843b1b8e3a89cebf0bef14ddfa
Opcode Fuzzy Hash: 7b014de7d978259952d8fbf9b19179fb3552117fbf4d6986a0cc05869dadf4b1
Instruction Fuzzy Hash: DE016D36718A8881EB518F2BBA4076AA7A0F78CFD4F589135EF9D43B58DA38C8418740

Function 0000000140095C34 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140095C53

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction ID: 12817fefe43cbe0e35e8e44782809c7bb200d723c329c7900ab39acf6a87230c
Opcode Fuzzy Hash: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction Fuzzy Hash: 8BE092B121674085EF267BBBA1813AD65509B0C7F0F548321B774076F6DB74C8604B01

Function 00000001400B9D78 Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00000001400B9D7C

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 05abf0131c8b098d1a61f2295ae7c7f0a4315664c5cc964735d2d131e1c6be8e
Instruction ID: d77e7af20007b7e33648d6574d0470e4b7856eca6e046ac06dd638d9c475ad65
Opcode Fuzzy Hash: 05abf0131c8b098d1a61f2295ae7c7f0a4315664c5cc964735d2d131e1c6be8e
Instruction Fuzzy Hash: 16C09238F16902D2E65A2FB75CC338A12E0AB9C780F844020E304822B1DA3C81E7CB31

Function 00000001400BB974 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00000001400BB97D

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: a58d1d1940ea9a1276aa9ae53fd9a4567027d1a2ff5bbf1696185df6648e20bf
Instruction ID: 2d4ebf22e8ea44c3de85ce703a090383597d96474293fc5e484319a26ec3cfd3
Opcode Fuzzy Hash: a58d1d1940ea9a1276aa9ae53fd9a4567027d1a2ff5bbf1696185df6648e20bf
Instruction Fuzzy Hash: 2AB09236A148C0E7C612EB04E8422497331FB98B18FD00000E38943624CF2CDA2A8E10

Function 000000014009D17C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014009D1BA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: e225fa2b0dbec660310bef0d9b6d64f65c59680a2a45183e3c4b35eee9a22bf5
Instruction ID: 02b13d49a3f81dd7a96231731d72b5532a686b3fe38c3284392ef13d9092b2b0
Opcode Fuzzy Hash: e225fa2b0dbec660310bef0d9b6d64f65c59680a2a45183e3c4b35eee9a22bf5
Instruction Fuzzy Hash: C8F0377A39524456FE675BB368113E962905B4C7E0F4857217F26873F1DE7CC441C610

Non-executed Functions

Function 0000000140088FE0 Relevance: 34.3, APIs: 18, Strings: 1, Instructions: 1015stringmemorynativeCOMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 0000000140089023
NtAllocateVirtualMemory.NTDLL ref: 000000014008905B
lstrcpyW.KERNEL32 ref: 00000001400890BD
lstrcatW.KERNEL32 ref: 0000000140089172
NtAllocateVirtualMemory.NTDLL ref: 00000001400891F9
lstrcpyW.KERNEL32 ref: 00000001400892AC
RtlInitUnicodeString.NTDLL ref: 00000001400892C1
RtlInitUnicodeString.NTDLL ref: 00000001400892D6
LdrEnumerateLoadedModules.NTDLL ref: 00000001400892E9
RtlReleasePebLock.NTDLL ref: 00000001400892EF

Part of subcall function 000000014007DDC0: SHGetKnownFolderPath.SHELL32 ref: 000000014007DE19
Part of subcall function 000000014007DDC0: CoTaskMemFree.OLE32 ref: 000000014007DEDA

CoInitializeEx.OLE32 ref: 000000014008939A
lstrcpyW.KERNEL32 ref: 0000000140089579
lstrcatW.KERNEL32 ref: 000000014008977E
CoGetObject.OLE32 ref: 000000014008979C
lstrcpyW.KERNEL32 ref: 0000000140089E19
lstrcatW.KERNEL32 ref: 000000014008A03C
CoGetObject.OLE32 ref: 000000014008A05A
CoUninitialize.OLE32 ref: 000000014008A522

Strings

0, xrefs: 0000000140089C5A

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocateInitLockMemoryObjectStringUnicodeVirtual$AcquireEnumerateFolderFreeInitializeKnownLoadedModulesPathReleaseTaskUninitialize
String ID: 0
API String ID: 1424456515-4108050209
Opcode ID: f9a4b21bba6b5778666b90edc385f803ff7b984533bf3915daa45dc885927a08
Instruction ID: e604d7167b34311c8e0fe99e090bcd918b4f7d2940aac51addfe585592677c6d
Opcode Fuzzy Hash: f9a4b21bba6b5778666b90edc385f803ff7b984533bf3915daa45dc885927a08
Instruction Fuzzy Hash: F8C2B836626F988AD7908F69E88169EB3B5F788B88F105215FFCD57B18EB38C154C740

Function 00000001400B9E68 Relevance: 27.2, APIs: 18, Instructions: 229fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00000001400B9F15
GetLastError.KERNEL32 ref: 00000001400B9F1F
FindFirstFileW.KERNEL32 ref: 00000001400B9F36
GetLastError.KERNEL32 ref: 00000001400B9F42
FindClose.KERNEL32 ref: 00000001400B9F50
__std_fs_open_handle.LIBCPMT ref: 00000001400B9FE3
CloseHandle.KERNEL32 ref: 00000001400B9FF9
CloseHandle.KERNEL32 ref: 00000001400BA16C

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: 49566460a907a601e1f093275e7cedc738230c471b32bdcbe51d950a59750163
Instruction ID: bd0a7feb077c907354969762849b34151d67fe78fda9ec3b2a3bd20647f569a0
Opcode Fuzzy Hash: 49566460a907a601e1f093275e7cedc738230c471b32bdcbe51d950a59750163
Instruction Fuzzy Hash: 42914131310E0146EAB69FABA8547EA62A0AB9E7F4F144714FB76477F4DB3CC8458710

Function 00000001400888E0 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 351nativelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000000140088926
GetProcAddress.KERNEL32 ref: 0000000140088936
OpenProcess.KERNEL32 ref: 0000000140088968
NtQuerySystemInformation.NTDLL ref: 0000000140088990
NtQuerySystemInformation.NTDLL ref: 00000001400889BE
GetCurrentProcess.KERNEL32 ref: 0000000140088A83
NtQueryObject.NTDLL ref: 0000000140088AC9
GetFinalPathNameByHandleA.KERNEL32 ref: 0000000140088BBD
CloseHandle.KERNEL32 ref: 0000000140088CD8
CloseHandle.KERNEL32 ref: 0000000140088D68

Strings

NtDuplicateObject, xrefs: 000000014008892F
ntdll.dll, xrefs: 000000014008891F
File, xrefs: 0000000140088AFA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Handle$Query$CloseInformationProcessSystem$AddressCurrentFinalModuleNameObjectOpenPathProc
String ID: File$NtDuplicateObject$ntdll.dll
API String ID: 2729825427-3955674919
Opcode ID: bf9a0ccce2cd6c5d3e29f71ce3efbea8b02204595c9946da31666db7e6f30529
Instruction ID: 88f1b79f6286c0e5e0663165defaf3d7e800104a22575653cc64f1d0f6badeec
Opcode Fuzzy Hash: bf9a0ccce2cd6c5d3e29f71ce3efbea8b02204595c9946da31666db7e6f30529
Instruction Fuzzy Hash: 60E19D73B14A8089FB12DBA6D4143ED23A1F759BD8F408521EF5D57BA9DE38C64A8300

Function 0000000140073C40 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 0000000140073C9F

Strings

@, xrefs: 0000000140073E26

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @
API String ID: 2538663250-2766056989
Opcode ID: a125fe2303840c706b5ee053514d2150593645abf7ef0f0a97918224f0960ca1
Instruction ID: 316128c581b16c4d3f4b3da09d2500f057a97763de5d99de1d399ef9cdafa0b3
Opcode Fuzzy Hash: a125fe2303840c706b5ee053514d2150593645abf7ef0f0a97918224f0960ca1
Instruction Fuzzy Hash: C6A14872B04A808AF722CF76E41479D7771B78CB98F104225EF9A17AA8EB39C555C384

Function 000000014007A320 Relevance: 21.5, APIs: 1, Strings: 11, Instructions: 465COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000014007A8A7

Strings

open, xrefs: 000000014007A81D
runas, xrefs: 000000014007A826
.cmd, xrefs: 000000014007A3E3
.exe, xrefs: 000000014007A46D
ios_base::failbit set, xrefs: 000000014007AAC5
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;', xrefs: 000000014007A4B4
.vbs, xrefs: 000000014007A412
ios_base::eofbit set, xrefs: 000000014007AACC
.ps1, xrefs: 000000014007A3B4
.exe, xrefs: 000000014007A385
ios_base::badbit set, xrefs: 000000014007AABA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: .cmd$.exe$.exe$.ps1$.vbs$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open$runas
API String ID: 587946157-4093014531
Opcode ID: 3919d5103fc52e39aa8093160adb8a9ff8b111d864faf494cefd85f1eaf09e41
Instruction ID: 1c4fe17788cb8f09727e1eb0c249120cc654e615ca3ad5b5903190ad2158ec18
Opcode Fuzzy Hash: 3919d5103fc52e39aa8093160adb8a9ff8b111d864faf494cefd85f1eaf09e41
Instruction Fuzzy Hash: 78229D72A10B8099EB11DF3AE8843DD77A1F789798F505216FB5D07AA9EF78C584C700

Function 0000000140077340 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 00000001400773D8
BCryptSetProperty.BCRYPT ref: 0000000140077402
BCryptGenerateSymmetricKey.BCRYPT ref: 000000014007743B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140077561

Strings

AES, xrefs: 00000001400773CD
ChainingModeGCM, xrefs: 00000001400773F0
ChainingMode, xrefs: 00000001400773F7

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmConcurrency::cancel_current_taskGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 2222192889-1213888626
Opcode ID: 9a1a3cd6e6ddd17ddf90823c6e7be3f2930cf914a1463a096f49e54039a43834
Instruction ID: 8d1d121c70002e2b68f3aba67cbb1f4ecb0d904613cd8cca5b9a22352f8360ed
Opcode Fuzzy Hash: 9a1a3cd6e6ddd17ddf90823c6e7be3f2930cf914a1463a096f49e54039a43834
Instruction Fuzzy Hash: B061D472700B8482EB269B66E8407E96760E78DBE8F544725BF6C07BF6DB78C5918300

Function 00007FF7E4E3CAF1 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 258fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7E4E3CBEE
FindNextFileW.KERNEL32 ref: 00007FF7E4E3CC77
FindClose.KERNEL32 ref: 00007FF7E4E3CCB4
FindClose.KERNEL32 ref: 00007FF7E4E3CCF2

Strings

*, xrefs: 00007FF7E4E3CB1E
., xrefs: 00007FF7E4E3CC35

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID: *$.
API String ID: 1164774033-3886413389
Opcode ID: 1ad28d0ae4af48d40e9119588df1c5008e8f9d7b3627aa4813c3e566a8eb1879
Instruction ID: bb8dae3c1409eb6689c1f28325972438da041be7112d086679c92e1d07e8a173
Opcode Fuzzy Hash: 1ad28d0ae4af48d40e9119588df1c5008e8f9d7b3627aa4813c3e566a8eb1879
Instruction Fuzzy Hash: D7A1D82BB1865741EA62AF2394853B9E350EB44FE4FC45533EA9E47BC9DE3CE4418312

Function 00000001400A74C4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

TranslateName.LIBCMT ref: 00000001400A752E
TranslateName.LIBCMT ref: 00000001400A7569
GetACP.KERNEL32 ref: 00000001400A75B0
IsValidCodePage.KERNEL32 ref: 00000001400A75E8
GetLocaleInfoW.KERNEL32 ref: 00000001400A77A5

Strings

utf8, xrefs: 00000001400A76CC

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: b6b5f0871776deda8e7c69fea737524f09f83080a3327ccb47b1bd94534ebeda
Instruction ID: d5ac7b476c8a9bce444684ebd37fc73749f6f001cbd1fa0b2ab8da16a1f6a6e0
Opcode Fuzzy Hash: b6b5f0871776deda8e7c69fea737524f09f83080a3327ccb47b1bd94534ebeda
Instruction Fuzzy Hash: 74918E36700B4081EB669F23D941BED63A4E7ACBC0F448221EF4D477A6EB78C592CB50

Function 00000001400A7F0C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

Part of subcall function 00000001400987AC: FlsSetValue.KERNEL32 ref: 00000001400987F1

GetUserDefaultLCID.KERNEL32 ref: 00000001400A807C

Part of subcall function 00000001400987AC: FlsSetValue.KERNEL32 ref: 000000014009881E
Part of subcall function 00000001400987AC: FlsSetValue.KERNEL32 ref: 000000014009882F
Part of subcall function 00000001400987AC: FlsSetValue.KERNEL32 ref: 0000000140098840

EnumSystemLocalesW.KERNEL32 ref: 00000001400A8063
ProcessCodePage.LIBCMT ref: 00000001400A80A6
IsValidCodePage.KERNEL32 ref: 00000001400A80B8
IsValidLocale.KERNEL32 ref: 00000001400A80CE
GetLocaleInfoW.KERNEL32 ref: 00000001400A812A
GetLocaleInfoW.KERNEL32 ref: 00000001400A8146

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: b1335ece248e5c8e3195e4a98367805ba8d0dabbc837c8d301c8a4141c46c529
Instruction ID: eff23689320ff5adc5df77f7c9cc30a6b599853c8a01bd4f4dfa4f293dad0dfa
Opcode Fuzzy Hash: b1335ece248e5c8e3195e4a98367805ba8d0dabbc837c8d301c8a4141c46c529
Instruction Fuzzy Hash: E6718E3270060099FB629B62D850BED33B4BB5CBC4F448625EF59577E5EB38C98ACB50

Function 00007FF7E4E354D4 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7E4E354F0
RtlCaptureContext.KERNEL32 ref: 00007FF7E4E3551D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E4E35537
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E4E35578
IsDebuggerPresent.KERNEL32 ref: 00007FF7E4E355CC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E355E9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E355F4

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 703016598f4b49543d9c9636df41fb7a299657f8bb96d1c8adaf98595dcbe2c0
Instruction ID: a19f4d4dd226900b17526e20b5fafa90e03417e286ce2ffd30ddf7d13e5ead07
Opcode Fuzzy Hash: 703016598f4b49543d9c9636df41fb7a299657f8bb96d1c8adaf98595dcbe2c0
Instruction Fuzzy Hash: 67316576608B8586EB609F61F8907EDB360FB44B44F84443ADA4E87B99EF38D548C721

Function 00000001400ADB78 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000001400ADB94
RtlCaptureContext.KERNEL32 ref: 00000001400ADBC1
RtlLookupFunctionEntry.KERNEL32 ref: 00000001400ADBDB
RtlVirtualUnwind.KERNEL32 ref: 00000001400ADC1C
IsDebuggerPresent.KERNEL32 ref: 00000001400ADC70
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400ADC8D
UnhandledExceptionFilter.KERNEL32 ref: 00000001400ADC98

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 3efb770cfb16d5d0ed57f42d694c11b3d6a4fbf3d96f685e31a20390ead54e25
Instruction ID: 9f7744655287aa887559b9cff32dfa778d51491bd1e8afa760c84834dbf292cd
Opcode Fuzzy Hash: 3efb770cfb16d5d0ed57f42d694c11b3d6a4fbf3d96f685e31a20390ead54e25
Instruction Fuzzy Hash: B0315072615B8086EB619F61E8403ED7374F798784F44452AEB4E47BA8DF78C649CB10

Function 000000014006F1C0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 000000014006F374
__std_exception_destroy.LIBVCRUNTIME ref: 000000014006F382
__std_exception_destroy.LIBVCRUNTIME ref: 000000014006F605
__std_exception_destroy.LIBVCRUNTIME ref: 000000014006F613

Strings

value, xrefs: 000000014006F29A, 000000014006F533

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: 82c3d6565131afdded86e4ebd0b109237adc3dcd0665d894327a522c76d62dca
Instruction ID: 4e7bf3bedcc79ae228617acf5de83c008c58e0c15488d6f1396da54890448ec7
Opcode Fuzzy Hash: 82c3d6565131afdded86e4ebd0b109237adc3dcd0665d894327a522c76d62dca
Instruction Fuzzy Hash: 18028E72614BC095EB02CB76D8803ED6761E79A7E4F605612FB9D43AEADF78C185C700

Function 00007FF7E4E37760 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7E4E377D9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E4E377F1
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E4E3782C
IsDebuggerPresent.KERNEL32 ref: 00007FF7E4E37865
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E3786F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7E4E3787A

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 84edda72ec9d520141983e74228c668a6a8178568ee7aa51ae599cd2c23f2f3d
Instruction ID: ad0f95758fd167a0fd64ab865eefe04252a62a320204b8bc2b7d772ca4270480
Opcode Fuzzy Hash: 84edda72ec9d520141983e74228c668a6a8178568ee7aa51ae599cd2c23f2f3d
Instruction Fuzzy Hash: 16318736608F8186DB60DF25E8507AEB3A0FB84B54F900136EA9D87B59EF3CD545CB11

Function 0000000140096828 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400968A1
RtlLookupFunctionEntry.KERNEL32 ref: 00000001400968B9
RtlVirtualUnwind.KERNEL32 ref: 00000001400968F4
IsDebuggerPresent.KERNEL32 ref: 000000014009692D
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140096937
UnhandledExceptionFilter.KERNEL32 ref: 0000000140096942

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 18b3e5fdd1cd8cc2a5e6ef0b7725685d0a25d59a69a4c718c7a281717e56691c
Instruction ID: d26cc2fd36ed465307e52bae6993abbfc5e3a174f8213072b128481ce9152def
Opcode Fuzzy Hash: 18b3e5fdd1cd8cc2a5e6ef0b7725685d0a25d59a69a4c718c7a281717e56691c
Instruction Fuzzy Hash: E9315E32614B8096DB61CF26E8403EE73A4F788794F544226FB9D43BA9DF38C5568B00

Function 0000000140033A30 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 699COMMON

Download Yara Rule

Strings

content, xrefs: 0000000140034749
filename, xrefs: 0000000140034624
ios_base::badbit set, xrefs: 0000000140034A48, 0000000140034A8C

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmProvider$CloseGenerateOpenPropertySymmetric
String ID: content$filename$ios_base::badbit set
API String ID: 4024084497-879919306
Opcode ID: 14c71fb6276344ef19c53a2a71fb7fb04c5672c6c98d0b482d8362fcc0b25232
Instruction ID: 6a15648fd45475ec90e58d21107993b85f51eda2aafa867f6bfef3ffdab46c03
Opcode Fuzzy Hash: 14c71fb6276344ef19c53a2a71fb7fb04c5672c6c98d0b482d8362fcc0b25232
Instruction Fuzzy Hash: EF82D132119BC595D6B28B15F8803DAB3A4F7C9780F505226EBCD53BA9EF78C594CB40

Function 00000001400BC0C4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400BC125
IsDebuggerPresent.KERNEL32 ref: 00000001400BC13D
OutputDebugStringW.KERNEL32 ref: 00000001400BC14E

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001400BC147

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 43761d7ed95dfb62d4f325219cf79311bad23dd39b30918d63012676194dbb3d
Instruction ID: b65f4da7e0dac3f6acdcda201eed9de570067186433dc723f279dd9dd717984a
Opcode Fuzzy Hash: 43761d7ed95dfb62d4f325219cf79311bad23dd39b30918d63012676194dbb3d
Instruction Fuzzy Hash: 90115A32210B40A7FB469B67E6953E933A4FB48794F448125D74983AA1EF78D0B8C750

Function 00000001400978F8 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000014009794F
GetSystemInfo.KERNEL32 ref: 0000000140097968
VirtualAlloc.KERNEL32 ref: 00000001400979D6
VirtualProtect.KERNEL32 ref: 00000001400979F1

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 98c2ba8c49363c7f84277756ec2bc7ed58b48c13a2b72fa2159cecfb20083f2f
Instruction ID: 2998d681f4290f3cdbfd7160d335f1a03f64a6088aad891686837b0353e6d884
Opcode Fuzzy Hash: 98c2ba8c49363c7f84277756ec2bc7ed58b48c13a2b72fa2159cecfb20083f2f
Instruction Fuzzy Hash: 45312632310A819EDB21CF22D8447DD63A5F749B88F844525AA4E47B68DA38D646C700

Function 00000001400B9A28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00000001400B9A4E
FormatMessageA.KERNEL32 ref: 00000001400B9A81

Strings

!x-sys-default-locale, xrefs: 00000001400B9A41

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 55a1076e367a08c173ecc78b5cea65c2f0ec9f8033976bc3287741c8c55a0f17
Instruction ID: ecd46ce48cd802a89ea887e817bce2d3b7e480950ffb0d184572ec913a52b2bd
Opcode Fuzzy Hash: 55a1076e367a08c173ecc78b5cea65c2f0ec9f8033976bc3287741c8c55a0f17
Instruction Fuzzy Hash: 73018CB2704B8182E7268B53B4507AAA7A5F788BD4F088015EB4547AA9DB3CC505C740

Function 00000001400A7988 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

Part of subcall function 00000001400987AC: FlsSetValue.KERNEL32 ref: 00000001400987F1

GetLocaleInfoW.KERNEL32 ref: 00000001400A79F4

Part of subcall function 000000014008E460: _invalid_parameter_noinfo.LIBCMT ref: 000000014008E47D

GetLocaleInfoW.KERNEL32 ref: 00000001400A7A3D

Part of subcall function 000000014008E460: _invalid_parameter_noinfo.LIBCMT ref: 000000014008E4D6

GetLocaleInfoW.KERNEL32 ref: 00000001400A7B05

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 673738c239811e8e6aaf94bb473114a5deef8476c39fa87607a7713143cb4c6a
Instruction ID: 9e1b7eb3e14f3d8ac36dcfc1f2b4f11521ad031e9c983c2225f320651a2be65f
Opcode Fuzzy Hash: 673738c239811e8e6aaf94bb473114a5deef8476c39fa87607a7713143cb4c6a
Instruction Fuzzy Hash: 6761C3722106419AEB368F12E940BED73A5F7A87C4F04C225EB9E976E1DB3CD591CB10

Function 000000014009C8E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 000000014009C954

Strings

GetLocaleInfoEx, xrefs: 000000014009C8FC, 000000014009C90D

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 2b548483d6ca9974e9528b0b11ada6c599aa6070ea1349b93d38a40a587da536
Instruction ID: faaad8ddc682d51d181ac9566c78053e2375318c11b0efb789bebad2f8088488
Opcode Fuzzy Hash: 2b548483d6ca9974e9528b0b11ada6c599aa6070ea1349b93d38a40a587da536
Instruction Fuzzy Hash: E8016D71704B8096EB469B57F4447DAA760EB9CBD0F584026FF4907BB9CE38C5428750

Function 0000000140076F20 Relevance: 3.2, APIs: 2, Instructions: 248COMMON

Download Yara Rule

APIs

BCryptDecrypt.BCRYPT ref: 00000001400770E0

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CryptDecrypt
String ID:
API String ID: 2620231605-0
Opcode ID: 3f72a23f1a509a65aa81e6d6b4530ce515d9c6eb0a3b9f4af59a408d351eb8e9
Instruction ID: d84c1dc56733cdec245b05dd482f086fb593878f4377b85cef3af088a038052b
Opcode Fuzzy Hash: 3f72a23f1a509a65aa81e6d6b4530ce515d9c6eb0a3b9f4af59a408d351eb8e9
Instruction Fuzzy Hash: 1FB16872B08B809AEB12CB66E4507AD37B1F3497C8F008216EF5C17BA9DB79C599D340

Function 0000000140036C90 Relevance: 3.1, APIs: 2, Instructions: 145encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0000000140036D1D
LocalFree.KERNEL32 ref: 0000000140036DAF

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: e459822f5a965e7c6491091ff3b3fd437f3160b492302602bf1c7777a9c0efb9
Instruction ID: 4a8dd4eae84605777de1b5a55a80b2e635676b3498c47d1070251cd38370cd5e
Opcode Fuzzy Hash: e459822f5a965e7c6491091ff3b3fd437f3160b492302602bf1c7777a9c0efb9
Instruction Fuzzy Hash: DB616932B14B809AF712DFB5E4503DD77A1E75978CF008229EB8917EAADB78C5A49340

Function 0000000140076DC0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptProtectData.CRYPT32 ref: 0000000140076E18
LocalFree.KERNEL32 ref: 0000000140076EAA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalProtect
String ID:
API String ID: 2714945720-0
Opcode ID: cb202edfd23743d2fd92808a2a0732f52d9921990abee17e7841283a167b08e9
Instruction ID: fc4154c7915ed78d34f09a56cb44b59f23928a8851b000cbb18bd55c4212d758
Opcode Fuzzy Hash: cb202edfd23743d2fd92808a2a0732f52d9921990abee17e7841283a167b08e9
Instruction Fuzzy Hash: A5414032614B80CAE3219F75E8403ED37A4F75878CF084229BB8917E9ADB79C6A4C754

Function 00000001400A7BD0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

Part of subcall function 00000001400987AC: FlsSetValue.KERNEL32 ref: 00000001400987F1

GetLocaleInfoW.KERNEL32 ref: 00000001400A7C38

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: fded36e5e65a151f08a0f66363fda748c04ed3a24ba9da3fcc630165be26dd08
Instruction ID: 8cd3d3dfa80cbff10c7d00d3e39445a1fedefada0f8de76d674014353bb7882c
Opcode Fuzzy Hash: fded36e5e65a151f08a0f66363fda748c04ed3a24ba9da3fcc630165be26dd08
Instruction Fuzzy Hash: 8F31A23270468586EB69CB23E8417EE73A1F79C7C5F40C229AB4D833A6DF38D5918B00

Function 00000001400A7820 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

EnumSystemLocalesW.KERNEL32 ref: 00000001400A78BE

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 079d62a3b16f0b0a01b59833b99c059b9cb939bc8a4f10147e07732002005d14
Instruction ID: 46995d5bafc0c3402748cc3b4101f87f573535573610cbd06ba996400d9f120b
Opcode Fuzzy Hash: 079d62a3b16f0b0a01b59833b99c059b9cb939bc8a4f10147e07732002005d14
Instruction Fuzzy Hash: B411E473A146448AEB168F16D844BDC7BA0F3A4BE0F558216E719433E4DB38C5D1CB40

Function 00000001400A7DD8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

GetLocaleInfoW.KERNEL32 ref: 00000001400A7E0F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: f3e7ee2f1e66ffaf43a4bced11d96202e06a1caf3c24797c856a856d3c8d1eb4
Instruction ID: f16e9421c9f2d1d566c09731a7727aa721697d00e81b9315a0a2733411359802
Opcode Fuzzy Hash: f3e7ee2f1e66ffaf43a4bced11d96202e06a1caf3c24797c856a856d3c8d1eb4
Instruction Fuzzy Hash: F411A73271465183E77AC626A840F9E7261E79C7E4F548761E76D476E4DA36CCC18B00

Function 00000001400A78F0 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400987AC: GetLastError.KERNEL32 ref: 00000001400987BB
Part of subcall function 00000001400987AC: FlsGetValue.KERNEL32 ref: 00000001400987D0
Part of subcall function 00000001400987AC: SetLastError.KERNEL32 ref: 000000014009885B

EnumSystemLocalesW.KERNEL32 ref: 00000001400A796E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 74688f5bb3302222e7b7870a00f7552f5ce206872596a426f55045067d3bf4cb
Instruction ID: 93d18b90c9ad416a7767668315f223f5f191bc074b56e8ec44abd2766402557f
Opcode Fuzzy Hash: 74688f5bb3302222e7b7870a00f7552f5ce206872596a426f55045067d3bf4cb
Instruction Fuzzy Hash: 0101F77270428086E7264F17E840FDEB6E5E768BE4F45C322E769472E5DB7484C5CB00

Function 00000001400772C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT ref: 00000001400772D9

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AlgorithmCloseCryptProvider
String ID:
API String ID: 3378198380-0
Opcode ID: 1c8b21d10fd9b400f35e2c8dd6f8ddd75c7af018214b600343906388e6c3a10d
Instruction ID: 900497187b3b4a0feb06abdb1ee795e4bdb6587cd79a1e1914cdb7c24f71ecd3
Opcode Fuzzy Hash: 1c8b21d10fd9b400f35e2c8dd6f8ddd75c7af018214b600343906388e6c3a10d
Instruction Fuzzy Hash: 3601C2B2700A8491EB159B22D4147AD2361E74CFC8F944411EF4D076A9EF7DC8958380

Function 000000014009C3A0 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 000000014009C3EF

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 12efd337fa0535e7eae3a7ae34cc0435095ae515fa5323edd15366a4afb89750
Instruction ID: af0fca8f4bd2b2ee9942c1d59f6fd3f147f5c30faaa08c128de7f41e83c5a0a7
Opcode Fuzzy Hash: 12efd337fa0535e7eae3a7ae34cc0435095ae515fa5323edd15366a4afb89750
Instruction Fuzzy Hash: 01F032B2300B4083E705DB6AE8917D963A2F7ADBC0F158129EB4987379DE3CC9A1C740

Function 00000001400D3008 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fcb47a17adf94f373ff647ddafb07328eb1c747429ddd71517b78256354565
Instruction ID: feaac658b55cd5a518db28881bd34f119ec81d8d184e8a90d42a3b47355d6b8e
Opcode Fuzzy Hash: 65fcb47a17adf94f373ff647ddafb07328eb1c747429ddd71517b78256354565
Instruction Fuzzy Hash: 0AF0CDABA1D7D45AE35356250C7E3CC2FA19BAAFA2F8D804AAB40835D3905A0C079361

Function 00000001400D3718 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8237b216de9d9a066abcd393a2c4069bfa76417ce4e254e20f0625e9b59a03dd
Instruction ID: f7555e13b67f83bd5e4671688c2997cb84ca8aa1e17461c55e46489618308b5b
Opcode Fuzzy Hash: 8237b216de9d9a066abcd393a2c4069bfa76417ce4e254e20f0625e9b59a03dd
Instruction Fuzzy Hash: 11E09AA761EBD04EE3634A350C2938C2FB09BA6F90F8E8097D790832D3D45D0C0A8731

Function 00000001400D3398 Relevance: .0, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2580bbaa354115e7f20c0c041466b1133d77912a340e4dfa20e2b14a994162f
Instruction ID: 807357067a33cd9dbbc180bd060d868107053995f6cb2ef0b650bc1105693623
Opcode Fuzzy Hash: c2580bbaa354115e7f20c0c041466b1133d77912a340e4dfa20e2b14a994162f
Instruction Fuzzy Hash: 7CE04F97A4EAC01DF31742600E3F74C1ED15F7AB01F4C808ED784036E3B89D6D058221

Function 00000001400D3700 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013c9eb1bbae44dc1fe28faa0fbcf7e9e22a98f8467d9c8eac31ad16be168e19
Instruction ID: 0f0087ff7abf1e05183dbc0c12280a4f3ab72410a3df019b4580b266f686766c
Opcode Fuzzy Hash: 013c9eb1bbae44dc1fe28faa0fbcf7e9e22a98f8467d9c8eac31ad16be168e19
Instruction Fuzzy Hash: 89A002FBA548A4ADF77A04058C867C80BD1AF2E350E090000A900434925069445F1150

Function 00000001400D3658 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2399e545077be4c239cdb40de846485da12f3b9bab83b8262a0220d2cfdd1bc
Instruction ID: 8ce1e87cc5c7ca1878e14d3a9fd1ee2c8b6aee086471b09dfc4fcf91158af670
Opcode Fuzzy Hash: a2399e545077be4c239cdb40de846485da12f3b9bab83b8262a0220d2cfdd1bc
Instruction Fuzzy Hash:

Function 00000001400D3090 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01a4154ba30de378ee8f3a0bf3b2dfb59d47392f9fc814d815bb3a6ccc76d7c
Instruction ID: da55c2c18e9676a3eb711f31b27adcba68c4fdb093675fe9984136224095ec55
Opcode Fuzzy Hash: f01a4154ba30de378ee8f3a0bf3b2dfb59d47392f9fc814d815bb3a6ccc76d7c
Instruction Fuzzy Hash:

Function 0000000140073930 Relevance: 28.7, APIs: 19, Instructions: 177processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000000140073986
Process32FirstW.KERNEL32 ref: 00000001400739CA
Process32NextW.KERNEL32 ref: 00000001400739DF
OpenProcess.KERNEL32 ref: 0000000140073A1B
OpenProcessToken.ADVAPI32 ref: 0000000140073A42
GetTokenInformation.ADVAPI32 ref: 0000000140073A6E
GetLastError.KERNEL32 ref: 0000000140073A7C
GetTokenInformation.ADVAPI32 ref: 0000000140073ABC
ConvertSidToStringSidA.ADVAPI32 ref: 0000000140073AD3
CloseHandle.KERNEL32 ref: 0000000140073B46
CloseHandle.KERNEL32 ref: 0000000140073B51
CloseHandle.KERNEL32 ref: 0000000140073BB6
Process32NextW.KERNEL32 ref: 0000000140073BC3
CloseHandle.KERNEL32 ref: 0000000140073BE9
CloseHandle.KERNEL32 ref: 0000000140073BF2
CloseHandle.KERNEL32 ref: 0000000140073C07

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32Token$InformationNextOpenProcess$ConvertCreateErrorFirstLastSnapshotStringToolhelp32
String ID:
API String ID: 3925315391-0
Opcode ID: 7edf554f1bf2a2b69477646fe94745f43607bc3d76044443717152cf58783ea9
Instruction ID: f53f4db26f8ffbc74954225dbf8234fb85c2b61d4e8944f31e63d5fabcb49364
Opcode Fuzzy Hash: 7edf554f1bf2a2b69477646fe94745f43607bc3d76044443717152cf58783ea9
Instruction Fuzzy Hash: 66813736214B8182FB529B27E84479EA7A4FB8CBD4F404125EF8A57BA8DF7CC545CB00

Function 0000000140056B00 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 202COMMON

Download Yara Rule

Strings

object is not closed with '}', xrefs: 000000014005810F
key opened, but never closed, xrefs: 00000001400582BF
unexpected '}', xrefs: 0000000140058313
unexpected key without object, xrefs: 00000001400581EA
key declared, but no value, xrefs: 000000014005815D, 0000000140058184, 0000000140058298
No closed word, xrefs: 0000000140058217, 000000014005823E
word wasnt properly ended, xrefs: 0000000140058265, 00000001400582EC
quote was opened but not closed., xrefs: 0000000140058136, 00000001400581AB

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID: No closed word$key declared, but no value$key opened, but never closed$object is not closed with '}'$quote was opened but not closed.$unexpected '}'$unexpected key without object$word wasnt properly ended
API String ID: 0-2700065129
Opcode ID: b9eb38c5ab060a2dda8520568620628a99a67b8189105732fd21080a6df660b0
Instruction ID: f9c7333ff1f4887109b71b21fa7058ec3d63239c43aa84505dd9f7712b489e47
Opcode Fuzzy Hash: b9eb38c5ab060a2dda8520568620628a99a67b8189105732fd21080a6df660b0
Instruction Fuzzy Hash: 0BB11071601AC6A5EB72DF21DC917D833A4F759388F415216E74C4B9B9EF74C689C700

Function 000000014008EB14 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 407COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008EB43
_invalid_parameter_noinfo.LIBCMT ref: 000000014008EC13

Strings

0, xrefs: 000000014008EC3D
0, xrefs: 000000014008EBE5
0, xrefs: 000000014008EC4F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0
API String ID: 3215553584-3137946472
Opcode ID: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction ID: 3ec9a172ff9cd9a56723fab73356c2b78239a766e83f6ecce63c72710ed58d98
Opcode Fuzzy Hash: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction Fuzzy Hash: 55E1D3335056D58AF7629F2A94903ED3BA5F35ABC4F588022FB85477F2C7398A5AC301

Function 0000000140079DA0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140079E1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140079E65
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140079FE1
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140079FF4
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140079FFA

Strings

bad locale name, xrefs: 0000000140079FE7
false, xrefs: 0000000140079EED
true, xrefs: 0000000140079F1C

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: 89e8eebeb0e5851c78bde8427c4241be1561912327ea848c90b167f0a42bcdf2
Instruction ID: 9f833d7ac4b076529d01c46f3f154de4dc3d8a729371acaec3c7ca5394b3b07c
Opcode Fuzzy Hash: 89e8eebeb0e5851c78bde8427c4241be1561912327ea848c90b167f0a42bcdf2
Instruction Fuzzy Hash: F7711B32702B408AEB16DFB2D4503EC37B6EB58788F144129EB4967BA9DB38C515D344

Function 00007FF7E4E39B9C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7E4E39B6C,?,?,00000000,00007FF7E4E3BCDB,?,?,?,00007FF7E4E36809), ref: 00007FF7E4E39D18
GetProcAddress.KERNEL32(?,?,?,00007FF7E4E39B6C,?,?,00000000,00007FF7E4E3BCDB,?,?,?,00007FF7E4E36809), ref: 00007FF7E4E39D24

Strings

MZx, xrefs: 00007FF7E4E39BBB, 00007FF7E4E39CA1, 00007FF7E4E39D01
ext-ms-, xrefs: 00007FF7E4E39C75
api-ms-, xrefs: 00007FF7E4E39C62

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: a5097e6e42886596c98c0385f634c4aef1c640e8f28c7c219958798091b78743
Instruction ID: 672fff71cef5829e4ecab3e383766a6b11fc4a617cacda937379c3a9c14a6a21
Opcode Fuzzy Hash: a5097e6e42886596c98c0385f634c4aef1c640e8f28c7c219958798091b78743
Instruction Fuzzy Hash: 0541FF66B19A0341EB17EF17A8A0775A2D5BF48F90F885536CD4D87788EF3CE4068322

Function 0000000140088720 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140088751
GetProcessId.KERNEL32 ref: 000000014008875A
RmStartSession.RSTRTMGR ref: 000000014008877A
RmRegisterResources.RSTRTMGR ref: 00000001400887A5
RmGetList.RSTRTMGR ref: 00000001400887DE
RmGetList.RSTRTMGR ref: 0000000140088840
RmEndSession.RSTRTMGR ref: 000000014008887B
RmEndSession.RSTRTMGR ref: 00000001400888B2
RmEndSession.RSTRTMGR ref: 00000001400888C7

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Session$ListProcess$CurrentRegisterResourcesStart
String ID:
API String ID: 3299295986-0
Opcode ID: d42b2751b4845f6e5fc378a235a32170e364fb9c24da67feea4ad67c232641f0
Instruction ID: 3625db88a6373b96de9670bab8ed7edf633392ac4bb2a85a491946533c032ab6
Opcode Fuzzy Hash: d42b2751b4845f6e5fc378a235a32170e364fb9c24da67feea4ad67c232641f0
Instruction Fuzzy Hash: A6512A32B10A418AF725CFA6E4507DD33B1B74C7D8F90452AEE0A63BA8DE38C906C750

Function 00007FF7E4E38F5C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7E4E38FB9

Part of subcall function 00007FF7E4E38424: __GetUnwindTryBlock.LIBCMT ref: 00007FF7E4E38467
Part of subcall function 00007FF7E4E38424: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7E4E3848C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7E4E39091
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7E4E392DF
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7E4E393EC

Strings

csm, xrefs: 00007FF7E4E3903A
csm, xrefs: 00007FF7E4E38FD3
csm, xrefs: 00007FF7E4E390B4

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0099af5d98ffdce3721754b948236ddbf4b8c0d9695b8f044c3694728437dd46
Instruction ID: 4a8ad397a79cc99d1452e9872f915c247bcf326e907c62c69331acbf9bbb4070
Opcode Fuzzy Hash: 0099af5d98ffdce3721754b948236ddbf4b8c0d9695b8f044c3694728437dd46
Instruction Fuzzy Hash: 4ED18F76A0874286EB21EF66D4813ADB7A0FB45B88F900136EE8D57795CF38E481C752

Function 00000001400B0304 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000001400B0361

Part of subcall function 00000001400B271C: __GetUnwindTryBlock.LIBCMT ref: 00000001400B275F
Part of subcall function 00000001400B271C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000001400B2784

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000001400B0439
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000001400B0687
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400B0794

Strings

csm, xrefs: 00000001400B03E2
csm, xrefs: 00000001400B045C
csm, xrefs: 00000001400B037B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 66fcb54f63042a77bb9752ac00b10eb6a43643c2f85347937ebb7186689712c3
Instruction ID: 2dddcf81e393266e6dd364431a01f1ce124f9e37c2573fe0043309711653aeb7
Opcode Fuzzy Hash: 66fcb54f63042a77bb9752ac00b10eb6a43643c2f85347937ebb7186689712c3
Instruction Fuzzy Hash: 9BD14A72A04B808AEB22DFA694413DD77B0F759BD8F104216EF8957BA6DF38D491CB00

Function 00007FF7E4E34340 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7E4E34399

Strings

h, xrefs: 00007FF7E4E343DA
@, xrefs: 00007FF7E4E344C7
U, xrefs: 00007FF7E4E3441F

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: FileModuleName
String ID: @$U$h
API String ID: 514040917-1769436074
Opcode ID: 30403d80bbda924b6a9616881aacd3132cf0f86eb79a681510f7f61da3fc2d23
Instruction ID: 1e3365fd5add29436541bd292b1ea0f080156eace45c6b3a35aa9fd3f751da81
Opcode Fuzzy Hash: 30403d80bbda924b6a9616881aacd3132cf0f86eb79a681510f7f61da3fc2d23
Instruction Fuzzy Hash: C6711B7A60CB8681DA60DF46F4903AAB760FBC9B94F405126EACE83B59DF3CD0458F51

Function 000000014009C41C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000000014009C598
GetProcAddress.KERNEL32 ref: 000000014009C5A4

Strings

api-ms-, xrefs: 000000014009C4E2
ext-ms-, xrefs: 000000014009C4F5

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2932ed60a38164b99968e515f80e2e6bc9311783d2898aba8cd640b210738e5b
Instruction ID: 8b663572d4e9df061dfb5452e7c122c2f59b72ac8eb05063979d288c5e28a2e1
Opcode Fuzzy Hash: 2932ed60a38164b99968e515f80e2e6bc9311783d2898aba8cd640b210738e5b
Instruction Fuzzy Hash: 7641C4B1721B1082FA17DB17A914BDA27D5BB4DBE0F4A4529FF098B7A4DE3CD4868300

Function 00007FF7E4E3D75C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7E4E3D72E,?,?,?,00007FF7E4E398A4,?,?,?,00007FF7E4E364AD), ref: 00007FF7E4E3D7E1
GetLastError.KERNEL32(?,?,?,00007FF7E4E3D72E,?,?,?,00007FF7E4E398A4,?,?,?,00007FF7E4E364AD), ref: 00007FF7E4E3D7EF
LoadLibraryExW.KERNEL32(?,?,?,00007FF7E4E3D72E,?,?,?,00007FF7E4E398A4,?,?,?,00007FF7E4E364AD), ref: 00007FF7E4E3D819
FreeLibrary.KERNEL32(?,?,?,00007FF7E4E3D72E,?,?,?,00007FF7E4E398A4,?,?,?,00007FF7E4E364AD), ref: 00007FF7E4E3D887
GetProcAddress.KERNEL32(?,?,?,00007FF7E4E3D72E,?,?,?,00007FF7E4E398A4,?,?,?,00007FF7E4E364AD), ref: 00007FF7E4E3D893

Strings

MZx, xrefs: 00007FF7E4E3D77A, 00007FF7E4E3D82A, 00007FF7E4E3D870
api-ms-, xrefs: 00007FF7E4E3D801

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: MZx$api-ms-
API String ID: 2559590344-259127448
Opcode ID: 5289a04243e8a248cb5820b37202154a20ba6c64b1fa020b3a1c062f1bb2b80b
Instruction ID: b8ea4295c107d053e6a5ac8fe7a67d8027b0bb33e2b8b7e4c96f5c9ff7e6094d
Opcode Fuzzy Hash: 5289a04243e8a248cb5820b37202154a20ba6c64b1fa020b3a1c062f1bb2b80b
Instruction Fuzzy Hash: A0318125A1A64391EE13BF03A890A75A2A8BF48F64F890536DD5D47794EF3CF4458322

Function 000000014007A1D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 000000014007A23B
InternetOpenUrlA.WININET ref: 000000014007A270
InternetReadFile.WININET ref: 000000014007A291
InternetReadFile.WININET ref: 000000014007A2CF
InternetCloseHandle.WININET ref: 000000014007A2DC
InternetCloseHandle.WININET ref: 000000014007A2E5

Strings

File Downloader, xrefs: 000000014007A234

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandleOpenRead
String ID: File Downloader
API String ID: 4038090926-3631955488
Opcode ID: ef0b4a100551ad57f85878d3ad68814330c2d85b7b679f70ec8f93c3db496011
Instruction ID: 0399ce1682de07f0aa1206abe99c22717857691dc5a833c9d493158f508467bf
Opcode Fuzzy Hash: ef0b4a100551ad57f85878d3ad68814330c2d85b7b679f70ec8f93c3db496011
Instruction Fuzzy Hash: C5316732214B8082EB218F26F85479AB3A0FB89BC4F585115FF8943B69DF7DC5928B00

Function 00000001400921B0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400921F3
_invalid_parameter_noinfo.LIBCMT ref: 00000001400925E0
_invalid_parameter_noinfo.LIBCMT ref: 000000014009287C

Strings

p, xrefs: 00000001400922A5
f, xrefs: 0000000140092315
p, xrefs: 000000014009231D

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction ID: b8dc3e9cdc22bec2f5ab832ac5804bf8a86bae0c64d7de0205dfc1d31eeff702
Opcode Fuzzy Hash: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction Fuzzy Hash: 4F12B27260924286FB26AF17E0547FEB6A1F3587D4FD94116F79247AE4D738C980CB10

Function 00000001400B2C8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000001400B2D11
GetLastError.KERNEL32 ref: 00000001400B2D1F
LoadLibraryExW.KERNEL32 ref: 00000001400B2D49
FreeLibrary.KERNEL32 ref: 00000001400B2DB7
GetProcAddress.KERNEL32 ref: 00000001400B2DC3

Strings

api-ms-, xrefs: 00000001400B2D31

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 996ade3048ece8fd6c5d5c54d4ec564cddc8ae1be39e9acb717a9eca008d3d5f
Instruction ID: cc2d99b39676e9a48d292cfa973c6d7b264006a7d65043fdb1f58a40d0113fec
Opcode Fuzzy Hash: 996ade3048ece8fd6c5d5c54d4ec564cddc8ae1be39e9acb717a9eca008d3d5f
Instruction Fuzzy Hash: 8C315A31312A4092EE279F97A90479923A4BB5CBE4F4A4525FE2A4B7B4EF38D446C350

Function 00000001400987AC Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400987BB
FlsGetValue.KERNEL32 ref: 00000001400987D0
FlsSetValue.KERNEL32 ref: 00000001400987F1
FlsSetValue.KERNEL32 ref: 000000014009881E
FlsSetValue.KERNEL32 ref: 000000014009882F
FlsSetValue.KERNEL32 ref: 0000000140098840
SetLastError.KERNEL32 ref: 000000014009885B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bee91ac4fc1df0eaa3ab10e4276ba3f484bc5e8253822d5f97decf6bc27b5b6b
Instruction ID: 4b4d8deacd497249436f39071c19fb311b5fdefea0622a1cc046aa47ab187ae1
Opcode Fuzzy Hash: bee91ac4fc1df0eaa3ab10e4276ba3f484bc5e8253822d5f97decf6bc27b5b6b
Instruction Fuzzy Hash: 2921937070824042FA6767775A927EE52928B4C7F0F544B28BF3657BF6DE38C4524B01

Function 00007FF7E4E40CA0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7E4E40CD1
GetLastError.KERNEL32 ref: 00007FF7E4E40CDD
CloseHandle.KERNEL32 ref: 00007FF7E4E40CF5
CreateFileW.KERNEL32 ref: 00007FF7E4E40D20
WriteConsoleW.KERNEL32 ref: 00007FF7E4E40D3F

Strings

CONOUT$, xrefs: 00007FF7E4E40D01

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: eccb84783a33b6acb2369927ad856cb4a6f1e39df1dbbcb1c74e1911e2e9c731
Instruction ID: eae4bfb8c083e0692cd4f6268983dec34201a1e8c08b7e627dacda113d9eb37c
Opcode Fuzzy Hash: eccb84783a33b6acb2369927ad856cb4a6f1e39df1dbbcb1c74e1911e2e9c731
Instruction Fuzzy Hash: 6611B421718A4582E7509F12F864729A3A0FB48FE4F941235D95DC7B98DF3CD8448755

Function 00000001400AB18C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000001400AB1BD
GetLastError.KERNEL32 ref: 00000001400AB1C9
CloseHandle.KERNEL32 ref: 00000001400AB1E1
CreateFileW.KERNEL32 ref: 00000001400AB20C
WriteConsoleW.KERNEL32 ref: 00000001400AB22B

Strings

CONOUT$, xrefs: 00000001400AB1ED

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 423033ad9a26eeb1fe2838e88a30b5d5e8e126e9df3eade86433f6e59bd70d34
Instruction ID: dccac7cf86dd691c8986e58b5ea5a29b4595da972c7e7c068490d770517f9d1c
Opcode Fuzzy Hash: 423033ad9a26eeb1fe2838e88a30b5d5e8e126e9df3eade86433f6e59bd70d34
Instruction Fuzzy Hash: 23116A31714A8086E7628B57E8543A9A7A0FB9CFE4F444228FF5A87BA4DF7CC9458740

Function 00000001400BBCEC Relevance: 9.2, APIs: 6, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00000001400BBD99
MultiByteToWideChar.KERNEL32 ref: 00000001400BBE35
MultiByteToWideChar.KERNEL32 ref: 00000001400BBEDE
MultiByteToWideChar.KERNEL32 ref: 00000001400BBF08
MultiByteToWideChar.KERNEL32 ref: 00000001400BBFB0
CompareStringEx.KERNEL32 ref: 00000001400BBFFD

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: a1f78f492e3696b6019f48ed1e7001af74d1872a9e55038d413a28a56ba35231
Instruction ID: bcf1b6b93dcecc1946cad78135b827772f34e8b074e1d02fcb1409f9e20e2999
Opcode Fuzzy Hash: a1f78f492e3696b6019f48ed1e7001af74d1872a9e55038d413a28a56ba35231
Instruction Fuzzy Hash: D5A1C172210A8086FB329FA6D4547ED77A1E74CBE8F584621FB690B7E5EB78C9458300

Function 00000001400BB98C Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400BB9FC
MultiByteToWideChar.KERNEL32 ref: 00000001400BBA9A
LCMapStringEx.KERNEL32 ref: 00000001400BBB03
LCMapStringEx.KERNEL32 ref: 00000001400BBB55
LCMapStringEx.KERNEL32 ref: 00000001400BBBFA
WideCharToMultiByte.KERNEL32 ref: 00000001400BBC54

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 270ae4f9d9f08dcff0b9067bef15d1f35fc8560d5ec39fb7ed6a8b55e081ca3d
Instruction ID: 3cae8b1818a4245b37a95ea3dbb25334b2cbdcdea68dea16613d2c78e82ac99f
Opcode Fuzzy Hash: 270ae4f9d9f08dcff0b9067bef15d1f35fc8560d5ec39fb7ed6a8b55e081ca3d
Instruction Fuzzy Hash: 8D81B172200B4087EB22CF66E4407A9B7E5FB58BE8F144625FB5A47BE8DFB8C5458700

Function 000000014008F100 Relevance: 9.2, APIs: 6, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008F172
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F1A3
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F1E3
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F225
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F25A
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F2D7

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cdce36b549f9a139a57fc9ed1dc92bc6bf26bb61d742b9d05d56d54ff17284a9
Instruction ID: 1d4139813600b4928fe05de513d8c91a672c6bd4c6413c1d6dc083dce2f2dfb8
Opcode Fuzzy Hash: cdce36b549f9a139a57fc9ed1dc92bc6bf26bb61d742b9d05d56d54ff17284a9
Instruction Fuzzy Hash: 0D516177105A84C6FB639F36E4903FD7B91B74ABC4F588011E7C8473A6CA398946D702

Function 00000001400B07D4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000001400B0972
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400B0C9B

Strings

csm, xrefs: 00000001400B0999
csm, xrefs: 00000001400B08B9
csm, xrefs: 00000001400B091B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 9f4e64e61b5b2eeaf6a6c9105b8820c6d72dd74f9dd23350b1755da3e83c2826
Instruction ID: 151a497a614de7a2d148bc646ebc8b93af069f99db54679d45a2247bfb3a51cc
Opcode Fuzzy Hash: 9f4e64e61b5b2eeaf6a6c9105b8820c6d72dd74f9dd23350b1755da3e83c2826
Instruction Fuzzy Hash: 95E17D73504B808AE722DFA6D4813ED7BB0F759B98F144216EF89577A6DB34D582CB00

Function 0000000140098924 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140098933
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140093731,?,?,?,?,000000014009BCBC), ref: 0000000140098969
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140093731,?,?,?,?,000000014009BCBC), ref: 0000000140098996
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140093731,?,?,?,?,000000014009BCBC), ref: 00000001400989A7
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,0000000140093731,?,?,?,?,000000014009BCBC), ref: 00000001400989B8
SetLastError.KERNEL32 ref: 00000001400989D3

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: edb01e077f2569079692cbdca2a01a9a7407672766c19d691501073eb6422a11
Instruction ID: 7761718c07057579b4a836c862f773882c17a7b063c5f03bbeab8f09a7883271
Opcode Fuzzy Hash: edb01e077f2569079692cbdca2a01a9a7407672766c19d691501073eb6422a11
Instruction Fuzzy Hash: 91117F7071824042FA67A32756927FE62929B4C7F0F084728BF76577F6DE38C4528B02

Function 00007FF7E4E3E510 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7E4E3E58F
WriteFile.KERNEL32 ref: 00007FF7E4E3E857
WriteFile.KERNEL32 ref: 00007FF7E4E3E89D
GetLastError.KERNEL32 ref: 00007FF7E4E3E953

Strings

MZx, xrefs: 00007FF7E4E3E566, 00007FF7E4E3E5E7, 00007FF7E4E3E69C

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: 56001a688be59e779d38c89167cf0233533a9f369d0b07dbb42eba76e8af94f0
Instruction ID: d1c8cf039d274e1fe3774f28fc69a65805f06740cf5de206c350a0af52060462
Opcode Fuzzy Hash: 56001a688be59e779d38c89167cf0233533a9f369d0b07dbb42eba76e8af94f0
Instruction Fuzzy Hash: C8D13936B08A4289E712DF7AD4803BCB771FB54B98B814236DE9D97B89DE38D406C711

Function 000000014002DCE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 281COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 000000014002DD3F

Part of subcall function 00000001400B9B18: AreFileApisANSI.KERNEL32 ref: 00000001400B9B2A

__std_exception_destroy.LIBVCRUNTIME ref: 000000014002DFE7
__std_exception_destroy.LIBVCRUNTIME ref: 000000014002E0A1

Strings

", ", xrefs: 000000014002DE2D
: ", xrefs: 000000014002DDFA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy$ApisFile__std_fs_code_page
String ID: ", "$: "
API String ID: 741338541-747220369
Opcode ID: 7236c7701d50e5aacc4dcf5dcf6662693d96fc61544f264361e5dd32f6629178
Instruction ID: 2fc4354da3f7ac5633768660396deded93c7b25156e114866fa5e57279866451
Opcode Fuzzy Hash: 7236c7701d50e5aacc4dcf5dcf6662693d96fc61544f264361e5dd32f6629178
Instruction Fuzzy Hash: 23B1AD72700A8096EB01EF66E0843ED3361E759BC8F508526EF5D17BAADF78C895C384

Function 00007FF7E4E36790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7E4E367B5
GetProcAddress.KERNEL32 ref: 00007FF7E4E367CB
FreeLibrary.KERNEL32 ref: 00007FF7E4E367F2

Strings

mscoree.dll, xrefs: 00007FF7E4E367AC
CorExitProcess, xrefs: 00007FF7E4E367C4

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 56dec27a48c382bae8c9dbc998320d3297bdff6e0d22f776c03b946996f6de0c
Instruction ID: c6d8d84720fd6ae2f1313f65956cbb14b16d02e5e04c1e425e315cbc5edd905b
Opcode Fuzzy Hash: 56dec27a48c382bae8c9dbc998320d3297bdff6e0d22f776c03b946996f6de0c
Instruction Fuzzy Hash: AFF06865A1960681EF206F35F4543799360EF85F61FD41237C56D851E8DF3CD048C322

Function 00000001400A3878 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000001400A389D
GetProcAddress.KERNEL32 ref: 00000001400A38B3
FreeLibrary.KERNEL32 ref: 00000001400A38DA

Strings

CorExitProcess, xrefs: 00000001400A38AC
mscoree.dll, xrefs: 00000001400A3894

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: be92eb9bbaaa625829bc9471fb326967c68e4fbed633ca4a062594c979a01ac3
Instruction ID: ac3b12a74c1955f63a223aafc9c7af301689ef38f5382d6585260c25f0642c2f
Opcode Fuzzy Hash: be92eb9bbaaa625829bc9471fb326967c68e4fbed633ca4a062594c979a01ac3
Instruction Fuzzy Hash: ADF06271301B0592FB158B66E84439E5360AF9D7E1F541315F765472F8DF3CC1868710

Function 00000001400AFBD4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00000001400AFCF7
__AdjustPointer.LIBCMT ref: 00000001400AFD42

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3f39c1b9ed79e73c84211ab22038048c5d1c6819f99b6ac50b6bfdd9f9c1b3ec
Instruction ID: e8579fd3734454176f596904cbd10330809381039630ccf5f49c986ac4bd2f62
Opcode Fuzzy Hash: 3f39c1b9ed79e73c84211ab22038048c5d1c6819f99b6ac50b6bfdd9f9c1b3ec
Instruction Fuzzy Hash: 29B19332201A8485EA67DF93D1807F967A1EB6CBD4F198626BF49077B5DB74C4C2EB00

Function 000000014009FA88 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014009FAC7
_set_statfp.LIBCMT ref: 000000014009FAE5
_set_statfp.LIBCMT ref: 000000014009FB0E
_set_statfp.LIBCMT ref: 000000014009FD4A

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9c3edce3a00c59cfada856729e56e09c68419cddf2c103ca818f489642505782
Instruction ID: 932a995cfb9503593ddab9fc7f713a1ab8e6f93bff8132766f35255785ab954d
Opcode Fuzzy Hash: 9c3edce3a00c59cfada856729e56e09c68419cddf2c103ca818f489642505782
Instruction Fuzzy Hash: 2481D232604A4886F7778F37E9503FA66A1EB5D7D8F148301BF5A275F5D734C982AA00

Function 00007FF7E4E415E0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7E4E41608
_set_statfp.LIBCMT ref: 00007FF7E4E41623
_set_statfp.LIBCMT ref: 00007FF7E4E4163F
_set_statfp.LIBCMT ref: 00007FF7E4E4167B

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 52608bc6d143c9dc7bfa0a8c4855f078bb6d55b13afd5a83babe45fd19c9ed63
Instruction ID: 7a05c3dbcfdc48c25ebeef28d2c14fb46630c93b3759fd792914f038a7c82263
Opcode Fuzzy Hash: 52608bc6d143c9dc7bfa0a8c4855f078bb6d55b13afd5a83babe45fd19c9ed63
Instruction Fuzzy Hash: 2E1121AAE18A0305FE943D76E5D9375D2406F953B0E9C0E76E9EE062D68E7CFC404126

Function 00000001400989EC Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000001400967B7,?,?,00000000,0000000140096A52,?,?,?,?,-2723E8D8DEBC5093,00000001400969DE), ref: 0000000140098A0B
FlsSetValue.KERNEL32(?,?,?,00000001400967B7,?,?,00000000,0000000140096A52,?,?,?,?,-2723E8D8DEBC5093,00000001400969DE), ref: 0000000140098A2A
FlsSetValue.KERNEL32(?,?,?,00000001400967B7,?,?,00000000,0000000140096A52,?,?,?,?,-2723E8D8DEBC5093,00000001400969DE), ref: 0000000140098A52
FlsSetValue.KERNEL32(?,?,?,00000001400967B7,?,?,00000000,0000000140096A52,?,?,?,?,-2723E8D8DEBC5093,00000001400969DE), ref: 0000000140098A63
FlsSetValue.KERNEL32(?,?,?,00000001400967B7,?,?,00000000,0000000140096A52,?,?,?,?,-2723E8D8DEBC5093,00000001400969DE), ref: 0000000140098A74

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e352fa2ba264ddbbfa8a83f13ad18c47375a7d3919fb80aa5095cfa037bd6b32
Instruction ID: 5562d8217f5fbb2e2b042148076d670c8644ef2b037ad8581d2eb7d4cbc5fe19
Opcode Fuzzy Hash: e352fa2ba264ddbbfa8a83f13ad18c47375a7d3919fb80aa5095cfa037bd6b32
Instruction Fuzzy Hash: 6C118670B1824042FA6A572756527EA12815B4C7F0F485729BF3A577F6DE38C4524702

Function 00007FF7E4E3A0DD Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7E4E3A0F7
FlsSetValue.KERNEL32 ref: 00007FF7E4E3A116
FlsSetValue.KERNEL32 ref: 00007FF7E4E3A13E
FlsSetValue.KERNEL32 ref: 00007FF7E4E3A14F
FlsSetValue.KERNEL32 ref: 00007FF7E4E3A160

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fef79bcd01217ff1732ce6d7f5bbbbb61dca6c16b20e38246b54353a88e43eaf
Instruction ID: 135bf7c654784475f414f90b50b8b4482b0a63263d3d079bdd787230d7cce6e6
Opcode Fuzzy Hash: fef79bcd01217ff1732ce6d7f5bbbbb61dca6c16b20e38246b54353a88e43eaf
Instruction Fuzzy Hash: 53113D58F0C20341FA5A7B276991379D2525F44FA0EC8573AD8AE57AD6DE3CA8418222

Function 0000000140098880 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 0000000140098891
FlsSetValue.KERNEL32 ref: 00000001400988B0
FlsSetValue.KERNEL32 ref: 00000001400988D8
FlsSetValue.KERNEL32 ref: 00000001400988E9
FlsSetValue.KERNEL32 ref: 00000001400988FA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: aeac32c67af560e7dd41213ee240f8e898738199f89f2047ccf14657de905ef3
Instruction ID: cd125b27746cb6ac91a5f66ffa739dc1054c97539802566e512f256013ea258b
Opcode Fuzzy Hash: aeac32c67af560e7dd41213ee240f8e898738199f89f2047ccf14657de905ef3
Instruction Fuzzy Hash: F21129B060820542FA7BA33758967FA12824B4C7F4F5C5728BF365B3F2DE3898524B52

Function 0000000140048890 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140048900
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140048948
_Getcoll.LIBCPMT ref: 000000014004897C

Strings

bad locale name, xrefs: 0000000140048A81

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$GetcollLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1287851536-1405518554
Opcode ID: fab0e095f8c7ed654faf4468b22ec1401334c6b8314a09414ceb4f5f9351b23d
Instruction ID: 05c14c64210617226be52844fee93a87bdf04712ef8590b9b58c4d55bb14e304
Opcode Fuzzy Hash: fab0e095f8c7ed654faf4468b22ec1401334c6b8314a09414ceb4f5f9351b23d
Instruction Fuzzy Hash: FD918C72701B408AFB16DFB6D4503ED3362EB48BC8F444526EF5917AA9DE78C4A5C384

Function 00000001400BD99C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BDC7B

Part of subcall function 00000001400AAD6C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400AAD89

Strings

ccs, xrefs: 00000001400BDBB6
UTF-16LEUNICODE, xrefs: 00000001400BDC19
UTF-8, xrefs: 00000001400BDBFA

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 9e2d0ea007b7d59ffb8b8322be5f141d45b6f7305a3d4721c3becb03152af675
Instruction ID: a7f85e871348f964b5b2985e56f5b2cb913dc045045e7003f2b8ca248ccae572
Opcode Fuzzy Hash: 9e2d0ea007b7d59ffb8b8322be5f141d45b6f7305a3d4721c3becb03152af675
Instruction Fuzzy Hash: FB818C72604A41C5FB678FAB82507E9FBB0E319BC8F568017EB06576F5E339C8419706

Function 00000001400B0F48 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000001400B0FB8
_CallSETranslator.LIBVCRUNTIME ref: 00000001400B1003

Strings

MOC, xrefs: 00000001400B0FCC
RCC, xrefs: 00000001400B0FD4

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: ff7130a31c3838eae5dc4e9040a01fbf81571be333e3600a34bda6294f9903e2
Instruction ID: 5ffffaaada14817aa3187c5423479fd319e85f9884be44b803de71811ffbdc7c
Opcode Fuzzy Hash: ff7130a31c3838eae5dc4e9040a01fbf81571be333e3600a34bda6294f9903e2
Instruction Fuzzy Hash: 4C916B73614B808AE712DFA6E8803DD7BB0F3497C8F54421AEB8957769DB38C1A5CB00

Function 00007FF7E4E35A88 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7E4E35AB3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7E4E35B4A
RtlUnwindEx.KERNEL32 ref: 00007FF7E4E35BA4

Strings

csm, xrefs: 00007FF7E4E35B31

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b8fdca9cded4bbb6aa06f1f5ade378c1037bc301aacae7e2f84c1045c81e75ca
Instruction ID: 4cd7bee9a26cc419e8b81d2986580f1948a8901570d81832d37b3b683d29d3e3
Opcode Fuzzy Hash: b8fdca9cded4bbb6aa06f1f5ade378c1037bc301aacae7e2f84c1045c81e75ca
Instruction Fuzzy Hash: 5C51D33AB196038ADB15EF16E484B7DB391EB44F88F958172DA8A43748DF3CE841C711

Function 00007FF7E4E3891C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7E4E38D4C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7E4E38E34

Strings

csm, xrefs: 00007FF7E4E38E86
csm, xrefs: 00007FF7E4E38D6E

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 67d3760316c7ac8e6f5febe830b8f7d34bf4c5dbdb36519f52684cd6ad08a349
Instruction ID: 9f0466f866ee4ff427f77e06671de2da4f11fe575c64fa0ace73db801e6d04ac
Opcode Fuzzy Hash: 67d3760316c7ac8e6f5febe830b8f7d34bf4c5dbdb36519f52684cd6ad08a349
Instruction Fuzzy Hash: A1618D3AD0828786EB66AF13948437CB6E1BB54F84F944136EADC47A91CF3CE450C792

Function 00007FF7E4E39500 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7E4E3955F
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7E4E395AB

Strings

MOC, xrefs: 00007FF7E4E39573
RCC, xrefs: 00007FF7E4E3957B

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 8256bd98bb7a5e1e5654349a1a6cf87bcda44b3a148a411127153f0ac98a1ecd
Instruction ID: 2e7da2e513639e17fbf96c73367f028812467a1694eb269069ac0658dd49409e
Opcode Fuzzy Hash: 8256bd98bb7a5e1e5654349a1a6cf87bcda44b3a148a411127153f0ac98a1ecd
Instruction Fuzzy Hash: D8618236908B8681D721AF26E4807A9B7A0FB85B84F444226EBDC07B99DF7CD190CB11

Function 00000001400B14C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400B14F0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000001400B15D8

Strings

csm, xrefs: 00000001400B162A
csm, xrefs: 00000001400B1512

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 095a41cf6f88e6130bf65bc0ed5de3fd02173d0230e8279c947ec4f4a2f09324
Instruction ID: 09f6dde7808521b70217c70a336bd6f0befd6cb2b189c9e0ff49262e5f14330a
Opcode Fuzzy Hash: 095a41cf6f88e6130bf65bc0ed5de3fd02173d0230e8279c947ec4f4a2f09324
Instruction Fuzzy Hash: 3E517F72600B80CAEB758F93A4443D877B4E798BD4F984225EB5A47BA9CB34C491CB01

Function 00000001400B0CD8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000001400B0D37
_CallSETranslator.LIBVCRUNTIME ref: 00000001400B0D83

Strings

MOC, xrefs: 00000001400B0D4B
RCC, xrefs: 00000001400B0D53

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 07992d41df9ad80eb188af37fb9b0e6db73788ea83bdb0dcdeea906dcb818229
Instruction ID: 17eb707fb36a4e926c94bb033cda9fe31027dfba4c2e9a3a8a32eca6d0b63af4
Opcode Fuzzy Hash: 07992d41df9ad80eb188af37fb9b0e6db73788ea83bdb0dcdeea906dcb818229
Instruction Fuzzy Hash: 68617C32608BC486EB72DF56E4403EAB7A0F799BD4F044615FB9907BA9DB78D194CB00

Function 000000014002EF10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 000000014002F0F0
__std_exception_destroy.LIBVCRUNTIME ref: 000000014002F0FD

Strings

, column , xrefs: 000000014002EFC8
at line , xrefs: 000000014002EF9A

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: at line $, column
API String ID: 2453523683-191570568
Opcode ID: ea0931f80faea3a1458766356af7855d0ac9163cdf1165e6ea0833dd366c92db
Instruction ID: 914463d450a43cb4f7ea3de808729a8ac489e12741d6c37c1533c495ea6b9385
Opcode Fuzzy Hash: ea0931f80faea3a1458766356af7855d0ac9163cdf1165e6ea0833dd366c92db
Instruction Fuzzy Hash: 0151A37260478081EA11DB2BE5803AE7761F78DBD4F504225FBA907BEADF78C891C740

Function 000000014002CA60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002CACF
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014002CB17
_Getctype.LIBCPMT ref: 000000014002CB55

Strings

bad locale name, xrefs: 000000014002CC0E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1612978173-1405518554
Opcode ID: 0fdf44e750821479e315e268955e66de4311686768919f7e860fce24ecb21b9a
Instruction ID: 5692f8161d49c62ceb7944d53b891567dd2b94ab8c399e88a064e650bba4c44d
Opcode Fuzzy Hash: 0fdf44e750821479e315e268955e66de4311686768919f7e860fce24ecb21b9a
Instruction Fuzzy Hash: D8514936711B408AEB16DFB2D4913ED33B5EB48788F444429EF8927AA5DF34CA25D344

Function 0000000140085DA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140085E2B

Strings

?, xrefs: 0000000140085DE0

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Open
String ID: ?
API String ID: 71445658-1684325040
Opcode ID: fac0b721db4333e5878d97004158c7f0cb9c596c5e158db9a56ab25e623e2ca1
Instruction ID: 54d39e097882213c5b733bf086f40d23d8995db644f53b8c5f5849c5aff69d53
Opcode Fuzzy Hash: fac0b721db4333e5878d97004158c7f0cb9c596c5e158db9a56ab25e623e2ca1
Instruction Fuzzy Hash: 31418072618B8082EB51DB26F4803AEB7A0F7D97D4F105215FB9943AA9DF7CC194CB44

Function 00007FF7E4E34F3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E4E35210: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7E4E35224

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7E4E34F60
__scrt_release_startup_lock.LIBCMT ref: 00007FF7E4E34FCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7E4E35021

Strings

MZx, xrefs: 00007FF7E4E35036

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID: MZx
API String ID: 3251591375-2575928145
Opcode ID: 541ff40e58d353be9d847ea1bee9263a9859c2f33cd014f189e106e5bf34516c
Instruction ID: c26e7b45bed8017d571ed8a4885d80ce25704a09cb27f8fc6661146242a51dc6
Opcode Fuzzy Hash: 541ff40e58d353be9d847ea1bee9263a9859c2f33cd014f189e106e5bf34516c
Instruction Fuzzy Hash: A2319E29A0C25342FA16BF27A4A23B9A2919F41B44FC45437E98E473D7DE3DA8048773

Function 00000001400B9AC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400B9ADE
GetProcAddress.KERNEL32 ref: 00000001400B9AEE

Strings

GetTempPath2W, xrefs: 00000001400B9AE4
kernel32.dll, xrefs: 00000001400B9AD7

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetTempPath2W$kernel32.dll
API String ID: 1646373207-1846531799
Opcode ID: aba5ed2ee6ba4ce48385ce636e4a4acb6d4aac54e4449c193f436a8d268e96e8
Instruction ID: 7945943dde90ce79e9ea268502fb856af871c4c7814340627f58557ecb3581ff
Opcode Fuzzy Hash: aba5ed2ee6ba4ce48385ce636e4a4acb6d4aac54e4449c193f436a8d268e96e8
Instruction Fuzzy Hash: 48E01AB1710A4592EE069B12F9883AD6361FF8CBC1F889029EA0E07338DE3CC446C710

Function 0000000140074080 Relevance: 6.5, APIs: 4, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140073930: CreateToolhelp32Snapshot.KERNEL32 ref: 0000000140073986
Part of subcall function 0000000140073930: Process32FirstW.KERNEL32 ref: 00000001400739CA
Part of subcall function 0000000140073930: Process32NextW.KERNEL32 ref: 00000001400739DF
Part of subcall function 0000000140073930: OpenProcess.KERNEL32 ref: 0000000140073A1B
Part of subcall function 0000000140073930: OpenProcessToken.ADVAPI32 ref: 0000000140073A42
Part of subcall function 0000000140073930: CloseHandle.KERNEL32 ref: 0000000140073BB6
Part of subcall function 0000000140073930: Process32NextW.KERNEL32 ref: 0000000140073BC3
Part of subcall function 0000000140073930: CloseHandle.KERNEL32 ref: 0000000140073C07

ImpersonateLoggedOnUser.ADVAPI32 ref: 00000001400740DD
ImpersonateLoggedOnUser.ADVAPI32 ref: 00000001400745C8
RevertToSelf.ADVAPI32 ref: 00000001400745E6

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleImpersonateLoggedNextOpenProcessUser$CreateFirstRevertSelfSnapshotTokenToolhelp32
String ID:
API String ID: 1562318730-0
Opcode ID: 78111f010a6ea5b5ae6ae8d162778a791ededbfc55de02017354f219b5f97645
Instruction ID: 725f3c8a4bb51d22fdc93160e2ff128e938ee97f23015ef30f5c7d66809f76c4
Opcode Fuzzy Hash: 78111f010a6ea5b5ae6ae8d162778a791ededbfc55de02017354f219b5f97645
Instruction Fuzzy Hash: D0227CB2B14B8086FB02DB6AD4543DD2761E79A7E4F505215FBAD07AEADB78C480D700

Function 000000014009AE38 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000014009AEB7
WriteFile.KERNEL32 ref: 000000014009B17F
WriteFile.KERNEL32 ref: 000000014009B1C5
GetLastError.KERNEL32 ref: 000000014009B27B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0f4573ad5ab6b01d73635eec7536a5d729b1e7ad683b81b449e6e28c999a8dea
Instruction ID: c74fe89f61bfa30f28c8e94184cb44ca258f1dcc1b28fecb56b8b96372769064
Opcode Fuzzy Hash: 0f4573ad5ab6b01d73635eec7536a5d729b1e7ad683b81b449e6e28c999a8dea
Instruction Fuzzy Hash: AAD1E072B14A8489E712CFBAD5403EC37B1F358BE8F544216EF5A97BA9DA38C506C740

Function 000000014009B7F8 Relevance: 6.2, APIs: 4, Instructions: 218COMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000000014009B914
GetLastError.KERNEL32 ref: 000000014009B99F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a8be48e25dcd1c4f8a4168961d870eb76e92b48431727c0765876aa17b118fd9
Instruction ID: 430cb94ec275b1b006606032aa0a0ac97a79295e9cf0530a9309411366c7b0e5
Opcode Fuzzy Hash: a8be48e25dcd1c4f8a4168961d870eb76e92b48431727c0765876aa17b118fd9
Instruction Fuzzy Hash: 85919F72710A9085FB629F6796803ED2BA4B74DBE8F544109EF4A67BA5DB38C482C701

Function 00007FF7E4E3E0EA Relevance: 6.2, APIs: 4, Instructions: 217COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00007FF7E4E3E204
GetLastError.KERNEL32 ref: 00007FF7E4E3E28F

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 60a411c71040640233f3d61c6a9d19a4bd584ca0be3b067abe8c2bac933effdd
Instruction ID: 87614b44d38542f14f75cb2792130d7ba5be830d49dae15ef5b7799370aa2660
Opcode Fuzzy Hash: 60a411c71040640233f3d61c6a9d19a4bd584ca0be3b067abe8c2bac933effdd
Instruction Fuzzy Hash: EA91E736E0865385F752EF6A94C03BDABA0BB14F88F95413ADE8E53684DF38D441C722

Function 00007FF7E4E38A64 Relevance: 6.2, APIs: 4, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF7E4E38B87
__AdjustPointer.LIBCMT ref: 00007FF7E4E38BD2
__AdjustPointer.LIBCMT ref: 00007FF7E4E38CA9

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 25fc134e6c63f0dacb96735037029e45b4d702db581d39d025ef25b43ec03c5f
Instruction ID: e96cf7c03c3ff926b32b2f96160c8c1469c34fe3cbf8ddb91e53704026a04f87
Opcode Fuzzy Hash: 25fc134e6c63f0dacb96735037029e45b4d702db581d39d025ef25b43ec03c5f
Instruction Fuzzy Hash: 99718269E0A64381EE66AE2395C077CA2D4FF44F80F894877DA8D07685DE3CE44583A3

Function 0000000140088E10 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000000140088E30
FreeEnvironmentStringsW.KERNEL32 ref: 0000000140088F2B
RtlInitUnicodeString.NTDLL ref: 0000000140088F9E
RtlInitUnicodeString.NTDLL ref: 0000000140088FAB

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: EnvironmentInitStringStringsUnicode$Free
String ID:
API String ID: 2488768755-0
Opcode ID: 03050de4473a7036840b3f814e3b1606e0f3ac0b841f86a6d84b765ac0863df6
Instruction ID: 249d8477ed98fc917396095c4ed7d3802801dfc0ba70534cb905eba45bdc7ad3
Opcode Fuzzy Hash: 03050de4473a7036840b3f814e3b1606e0f3ac0b841f86a6d84b765ac0863df6
Instruction Fuzzy Hash: 25519A72A14B8082EB228F16E44039D7361FB98BD4F549215EF9D03BA6DF78D6E1C704

Function 0000000140041C40 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400BAEAC: std::_Lockit::_Lockit.LIBCPMT ref: 00000001400BAEC9
Part of subcall function 00000001400BAEAC: std::locale::_Setgloballocale.LIBCPMT ref: 00000001400BAEEC

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140041C81
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140041CA6
std::_Facet_Register.LIBCPMT ref: 0000000140041D52
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140041DB4

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_RegisterSetgloballocalestd::locale::_
String ID:
API String ID: 3698853521-0
Opcode ID: eed450fc87f7b90693e9453fe6d78228114555bdcea7261450a71dd83f0eb7c1
Instruction ID: 236d6389257f28c7c4492d83038e332ebcfbc23cf179b41e14085838a707cd19
Opcode Fuzzy Hash: eed450fc87f7b90693e9453fe6d78228114555bdcea7261450a71dd83f0eb7c1
Instruction Fuzzy Hash: F8412732224B4081EB56DB56E8843DA73A4F78DBD4F595622BB9E07BB9DF38C442C704

Function 000000014008EFBC Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008F035
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F091
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F0CC
_invalid_parameter_noinfo.LIBCMT ref: 000000014008F0F1

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 86078050b35c3d83f66a5f3c361acaaa1e6b6eb617984a3c991cabd19b075f59
Instruction ID: ffa9c572a7e4a5e066940d6fcd93473eef70c18ca386996d5ac19e9d5ffa0d93
Opcode Fuzzy Hash: 86078050b35c3d83f66a5f3c361acaaa1e6b6eb617984a3c991cabd19b075f59
Instruction Fuzzy Hash: 0A413A77504A848AEB639F36D4103ED7BA0F749FC4F49C052EB88473A7DA398945DB12

Function 00000001400467E0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014004680B
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140046830
std::_Facet_Register.LIBCPMT ref: 00000001400468DB
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140046926

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: 9372afe047aa4cc0eae63c1b6c1241976da657e1e17b1950321beacb823c7ea0
Instruction ID: a4e2e4869f216a93c3555fe410e8c924b94c3ccb6d48aa5672fd74940a3f9b6e
Opcode Fuzzy Hash: 9372afe047aa4cc0eae63c1b6c1241976da657e1e17b1950321beacb823c7ea0
Instruction Fuzzy Hash: CB414A32214B4081FB16DF67E4403D96760F78DBE8F591626AB8E477B5EE38C482CB15

Function 0000000140079A80 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140079AAB
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140079AD0
std::_Facet_Register.LIBCPMT ref: 0000000140079B7B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140079BC6

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: f43f1546969bcc0bc2afbc257653b84f1bc5d930af1f407b475991def0315af4
Instruction ID: 84f0272817a06c5c3477c8b36134a0f56f515ea9523122fac0f48a6a6587710e
Opcode Fuzzy Hash: f43f1546969bcc0bc2afbc257653b84f1bc5d930af1f407b475991def0315af4
Instruction Fuzzy Hash: 03413A32214A4085FB26DF67E9803D96764F78DBE8F581621AB8E47BB5DF3CC4428700

Function 0000000140043DD0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140043DFB
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140043E20
std::_Facet_Register.LIBCPMT ref: 0000000140043ECB
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140043F16

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: d3fce6e4a644a7405e72c1ab96fc402567e2800d73aaf2439b09d84a5f1f45ee
Instruction ID: 16fa0f5e4538a510978ef81ad45d7d3382f56bc736d23ff421205b4c4ce0a84b
Opcode Fuzzy Hash: d3fce6e4a644a7405e72c1ab96fc402567e2800d73aaf2439b09d84a5f1f45ee
Instruction Fuzzy Hash: 49415836215A4081FA26DF57E4403D9B7A0F79CBE4F591622BB9E477F9DE38C4828704

Function 00000001400B9CAC Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400B9CF5
GetLastError.KERNEL32 ref: 00000001400B9D03
WideCharToMultiByte.KERNEL32 ref: 00000001400B9D38
GetLastError.KERNEL32 ref: 00000001400B9D46

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 632c629cd5f3082fb104fc700d54a245379ea41028df2d6bfc62e537c178c61a
Instruction ID: 732770dae735fb1ee09a7bed1d2b51e1158dd485e33b6057137ecc77f848afbf
Opcode Fuzzy Hash: 632c629cd5f3082fb104fc700d54a245379ea41028df2d6bfc62e537c178c61a
Instruction Fuzzy Hash: 61215C76614B8587E7218F17E44435EBAB4F79DBC4F244129EB8993B69DB38C8018B00

Function 00000001400BA198 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B9AC8: GetModuleHandleW.KERNEL32 ref: 00000001400B9ADE
Part of subcall function 00000001400B9AC8: GetProcAddress.KERNEL32 ref: 00000001400B9AEE

GetLastError.KERNEL32 ref: 00000001400BA1BC

Part of subcall function 0000000140098174: IsProcessorFeaturePresent.KERNEL32 ref: 000000014009819A

GetFileAttributesW.KERNEL32 ref: 00000001400BA1CB
__std_fs_open_handle.LIBCPMT ref: 00000001400BA1F4
CloseHandle.KERNEL32 ref: 00000001400BA206

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
String ID:
API String ID: 156590933-0
Opcode ID: b1371cc999af6c120738bad54607841319b72b2770334362f7f3709bf50731cc
Instruction ID: 299d0bcef7e4c936e736a2796c6b4b3e96ec945ce56f71dcb84488a010b228e1
Opcode Fuzzy Hash: b1371cc999af6c120738bad54607841319b72b2770334362f7f3709bf50731cc
Instruction Fuzzy Hash: CD118635218A4045EB565FABE4843BA6671E74E7F0F105614FB7747AF5DA3DC4418B00

Function 00007FF7E4E35304 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7E4E35330
GetCurrentThreadId.KERNEL32 ref: 00007FF7E4E3533E
GetCurrentProcessId.KERNEL32 ref: 00007FF7E4E3534A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7E4E3535A

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1ef9cfd6a28bfbf257edefedf7c8203de68038772214ee7f848650bd26ef0748
Instruction ID: 5f7e12e76bee5f0e6e3dedb7664e20730f3461ac4a07ab1e8a2c9a0807655ffc
Opcode Fuzzy Hash: 1ef9cfd6a28bfbf257edefedf7c8203de68038772214ee7f848650bd26ef0748
Instruction Fuzzy Hash: E2114F22B14B0589EF009F60F8643B873A4F758B58F841A32DA6D87758EF78D1558350

Function 00000001400AE1C8 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000001400AE1F4
GetCurrentThreadId.KERNEL32 ref: 00000001400AE202
GetCurrentProcessId.KERNEL32 ref: 00000001400AE20E
QueryPerformanceCounter.KERNEL32 ref: 00000001400AE21E

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 994afb034ad63c778ea227749b14eccab6c02e75851fdf0a55821c6d844240c7
Instruction ID: 2d033e041bdf3d7227269b0f70d14b42616edc8a7a419766452458ae47f0e022
Opcode Fuzzy Hash: 994afb034ad63c778ea227749b14eccab6c02e75851fdf0a55821c6d844240c7
Instruction Fuzzy Hash: 5011FA36710F008AEB01CFA1E8553A833A4F75DB68F441E25EB6D477A4DF78C1A58350

Function 000000014002EBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

[json.exception., xrefs: 000000014002ED2B

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID:
String ID: [json.exception.
API String ID: 0-791563284
Opcode ID: 5c87c9bb96a017de208679fcf324a245d5c2211a00183e68301472191dddbe2a
Instruction ID: 6b50a091b2802ad2945aeadc0d55fe758afa20c7301277ed6e57d09efbd5c6ee
Opcode Fuzzy Hash: 5c87c9bb96a017de208679fcf324a245d5c2211a00183e68301472191dddbe2a
Instruction Fuzzy Hash: FC71E272F10B9085FB01CB7AE8413DD67A1E799BD4F644226EF5917BAADB78C482C340

Function 00000001400B1700 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400B172A

Strings

csm, xrefs: 00000001400B18BE
csm, xrefs: 00000001400B174F

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: d612173bfaa8a2380fe5b48d2d485991192f6fc7e1eabacda55b96e47468999e
Instruction ID: 732827d43b81279fc09f351b0f2266c69a4f1640728df4e45fd91df2211a6454
Opcode Fuzzy Hash: d612173bfaa8a2380fe5b48d2d485991192f6fc7e1eabacda55b96e47468999e
Instruction Fuzzy Hash: 80718176204AC086EB628F66D4507ED7BB0F788BC5F548216FF8857AADCB38C591CB41

Function 00000001400AF15C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400AF187
RtlUnwindEx.KERNEL32 ref: 00000001400AF278

Strings

csm, xrefs: 00000001400AF205

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: Unwind__except_validate_context_record
String ID: csm
API String ID: 2208346422-1018135373
Opcode ID: 66bbef8c19356e990cfb8f89928e01c6fdd1ce5aed4229e3d09978b89fbc63e4
Instruction ID: 89e5e8f779c4e8b204e1a98a4adc9b963e8ad9f1d18d37424198852836f041da
Opcode Fuzzy Hash: 66bbef8c19356e990cfb8f89928e01c6fdd1ce5aed4229e3d09978b89fbc63e4
Instruction Fuzzy Hash: 2051E6363116018AEB55CF96E044BBC33A5F76CBD8F508221FB5A477A8DB79C981DB00

Function 000000014007A000 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014007A06F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014007A0B7

Strings

bad locale name, xrefs: 000000014007A18C

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 28d15cfe3afaff4e70186dc69545f2dcaf145971d976bdeeb826c8756c6efb46
Instruction ID: 808e80a19e9a8367672ecaf7a1c34fe7cc6f7304543fb875a4e8aeb018317e5d
Opcode Fuzzy Hash: 28d15cfe3afaff4e70186dc69545f2dcaf145971d976bdeeb826c8756c6efb46
Instruction Fuzzy Hash: F2518C32711A0089FB16EFB2D4913ED33B5EB88B88F484425FF4967AA5DE39C925C344

Function 0000000140049500 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014004956F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400495B7

Strings

bad locale name, xrefs: 0000000140049696

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 53b0fcf59b7055776f2f4b1ce98978138a0590209bea8aaf15bd716caedf58d6
Instruction ID: 1c6d693c5901f9d80c69387f4c3a86c5155362670e00a8e852182763da2cabe9
Opcode Fuzzy Hash: 53b0fcf59b7055776f2f4b1ce98978138a0590209bea8aaf15bd716caedf58d6
Instruction Fuzzy Hash: EE514B32302B4089EB16DFB2D4903EC33B5EB58788F454535FB4967AA5DE34C965D348

Function 00000001400A1618 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400A69F8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A6A2B

_get_daylight.LIBCMT ref: 00000001400A1730
_get_daylight.LIBCMT ref: 00000001400A1741

Strings

?, xrefs: 00000001400A16C1

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 22609105de1f0d9301de2f8044ec8bdf8c9c884c101727823ff363954f5f8222
Instruction ID: f30818a0088620f31da01904ea9adbefb6569b303ba16c750db778e40d9abdaf
Opcode Fuzzy Hash: 22609105de1f0d9301de2f8044ec8bdf8c9c884c101727823ff363954f5f8222
Instruction Fuzzy Hash: 9041E33261478046FB669B27E5113EE6AA0E7E8BE4F144325BF9847AF5DB38C4C18F00

Function 00000001400B1DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000001400B1E9A
_CreateFrameInfo.LIBVCRUNTIME ref: 00000001400B1EC3

Strings

csm, xrefs: 00000001400B1FC3

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 30dd612b4e4b9212e9166655247be16b5f23695bfc4863c6a6ebc2986465c29c
Instruction ID: 3dac7b5d3b0d881bcd455e3888886abadacebbcbcc28f580a094f6440ece58b6
Opcode Fuzzy Hash: 30dd612b4e4b9212e9166655247be16b5f23695bfc4863c6a6ebc2986465c29c
Instruction Fuzzy Hash: AB510677615B4086E661AF66E4403AE77B4F38DBD0F540225AF890BB66CF38D4A2CB00

Function 00007FF7E4E3EBA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7E4E3ECBF
GetLastError.KERNEL32 ref: 00007FF7E4E3ECE1

Strings

U, xrefs: 00007FF7E4E3EC6B

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4a2143aea001407eb2cc82c9df801d17e9c15ad72bb50a2a20f8f3de8da8662b
Instruction ID: 89ead30a20bd16dcceb0d53b747a976d3c97590e3f83350b03132f3d9b215ecd
Opcode Fuzzy Hash: 4a2143aea001407eb2cc82c9df801d17e9c15ad72bb50a2a20f8f3de8da8662b
Instruction Fuzzy Hash: CA41C72271868685DB21DF2AE4847B9B7A0F798F94F814032EE8D87748EF3CD441C751

Function 000000014009B4D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014009B5E7
GetLastError.KERNEL32 ref: 000000014009B609

Strings

U, xrefs: 000000014009B593

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 7b6b0220355e4baf3ced440fd77bc49a04f673044c496e04ac13764c72edacc7
Instruction ID: e6320d284cb9a528543140e404914897430357409d217e9d910f130c428e9124
Opcode Fuzzy Hash: 7b6b0220355e4baf3ced440fd77bc49a04f673044c496e04ac13764c72edacc7
Instruction Fuzzy Hash: 44419F72214A8082DB219F26E4443EA77A1F798BD4F414121EF4D877A8EB7CC441CB40

Function 00007FF7E4E359E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7E4E34E57), ref: 00007FF7E4E35A30
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7E4E34E57), ref: 00007FF7E4E35A71

Strings

csm, xrefs: 00007FF7E4E35A5E

Memory Dump Source

Source File: 00000001.00000002.1830732038.00007FF7E4E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E4E30000, based on PE: true

Associated: 00000001.00000002.1830706817.00007FF7E4E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E4E43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830763235.00007FF7E5147000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830968491.00007FF7E514D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E514F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1830995182.00007FF7E5152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1831051325.00007FF7E5154000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7e4e30000_Loader.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 967fbbe814c9c1e701ed63cdd0d532d980ddcea8b093fe1b68fbd27a0b08e2d1
Instruction ID: 61329c0a98d5c637fec39467c87a442690352db6dfe335f04bcf1c09a643fd24
Opcode Fuzzy Hash: 967fbbe814c9c1e701ed63cdd0d532d980ddcea8b093fe1b68fbd27a0b08e2d1
Instruction Fuzzy Hash: 9A114936619B8582EB219F15F490269B7E5FB88F84F984232DECC47758DF3CD5518B00

Function 00000001400AF748 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00000001400AF798
RaiseException.KERNEL32 ref: 00000001400AF7D9

Strings

csm, xrefs: 00000001400AF7C6

Memory Dump Source

Source File: 00000001.00000002.1829282890.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Loader.jbxd

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 8fa98aa95e9aae2a90a459b42b1f704c9c51d3f3bc5b4355a873c03fa23ea9e8
Instruction ID: 2cd2fca06ac07b3d24a383fcaf9b1e00f30e6730416406c57118f0930f6fa0f4
Opcode Fuzzy Hash: 8fa98aa95e9aae2a90a459b42b1f704c9c51d3f3bc5b4355a873c03fa23ea9e8
Instruction Fuzzy Hash: 8011D736219B8082EB628F26E44039D77E5FB98BD4F584225EB8D07768DF3CC5918B40

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Meduza Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
Loader.exe

Function 00007FF7E4E39B9C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Function 00007FF7E4E34340 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 145
COMMON

Function 00007FF7E4E34F3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
COMMON

Function 00007FF7E4E399F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Function 00007FF7E4E36824 Relevance: 4.5, APIs: 3, Instructions: 14
COMMONLIBRARYCODE

Function 00007FF7E4E3AFC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
COMMON

Function 00007FF7E4E3A8C8 Relevance: 3.2, APIs: 2, Instructions: 194
COMMON

Function 00007FF7E4E34E38 Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Function 00007FF7E4E3B380 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMONLIBRARYCODE

Function 00007FF7E4E3671C Relevance: 1.6, APIs: 1, Instructions: 61
COMMONLIBRARYCODE

Function 00007FF7E4E3D464 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00007FF7E4E326F0 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 00007FF7E4E34630 Relevance: 1.5, APIs: 1, Instructions: 28
processCOMMON

Function 00007FF7E4E34C44 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre