Edit tour

Windows Analysis Report
bot.exe

Overview

General Information

Sample name:	bot.exe
Analysis ID:	1532244
MD5:	3870b1e1ca36deec20214c6ae51f8f16
SHA1:	feefcdc98dae9d1a720f8626af58f136f6468a0b
SHA256:	d10449f12f6bd9f29e59600486bd48a49c0f7263a990ed82b9b2a635f4706fac
Tags:	exeuser-aachum
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Creates files in alternative data streams (ADS)

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

Self deletion via cmd or bat file

Sigma detected: Suspicious Ping/Del Command Combination

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bot.exe (PID: 3792 cmdline: "C:\Users\user\Desktop\bot.exe" MD5: 3870B1E1CA36DEEC20214C6AE51F8F16)

bot.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\bot.exe" MD5: 3870B1E1CA36DEEC20214C6AE51F8F16)

cmd.exe (PID: 1920 cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 2056 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "109.107.181.162", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "15", "self_destruct": true, "extensions": "none", "links": "none", "grabber_max_size": 1048576}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: bot.exe PID: 6768	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: bot.exe PID: 6768	JoeSecurity_CredGrabber	Yara detected CredGrabber	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Ping/Del Command Combination

Source: Process started

Author: Ilya Krestinichev: Data: Command: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\bot.exe", ParentImage: C:\Users\user\Desktop\bot.exe, ParentProcessId: 6768, ParentProcessName: bot.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe", ProcessId: 1920, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:39:13.826218+0200	2049441	1	A Network Trojan was detected	192.168.2.7	49699	109.107.181.162	15666	TCP

ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:39:13.826218+0200	2050806	1	A Network Trojan was detected	192.168.2.7	49699	109.107.181.162	15666	TCP
2024-10-12T22:39:13.831482+0200	2050806	1	A Network Trojan was detected	192.168.2.7	49699	109.107.181.162	15666	TCP

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:39:13.826218+0200	2050807	1	A Network Trojan was detected	192.168.2.7	49699	109.107.181.162	15666	TCP
2024-10-12T22:39:13.831482+0200	2050807	1	A Network Trojan was detected	192.168.2.7	49699	109.107.181.162	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\bot.exe:a.dll

Avira: detection malicious, Label: HEUR/AGEN.1354117

Found malware configuration

Source: 2.2.bot.exe.140000000.0.unpack

Malware Configuration Extractor: Meduza Stealer {"C2 url": "109.107.181.162", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "15", "self_destruct": true, "extensions": "none", "links": "none", "grabber_max_size": 1048576}

Multi AV Scanner detection for submitted file

Source: bot.exe	ReversingLabs: Detection: 42%
Source: bot.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\bot.exe:a.dll

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006FB80 CryptUnprotectData,LocalFree,	2_2_000000014006FB80
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140035CF7 CryptUnprotectData,LocalFree,	2_2_0000000140035CF7
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140035E00 CryptUnprotectData,	2_2_0000000140035E00
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006FEA0 CryptProtectData,LocalFree,	2_2_000000014006FEA0

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49700 version: TLS 1.2

Source: bot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError,	2_2_00000001400B6740
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140034F90 FindFirstFileW,FindNextFileW,	2_2_0000000140034F90
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140035061 FindFirstFileW,FindNextFileW,	2_2_0000000140035061

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014007EAB0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,GetLogicalDriveStringsW,GetTimeZoneInformation,

2_2_000000014007EAB0

Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: C:\Users\user\Desktop\bot.exe	Code function: 4x nop then push rdi	0_2_00007FF7F8A1C950
Source: C:\Users\user\Desktop\bot.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7F8A1C460
Source: C:\Users\user\Desktop\bot.exe	Code function: 4x nop then push rdi	2_2_00007FF7F8A1C950
Source: C:\Users\user\Desktop\bot.exe	Code function: 4x nop then sub rsp, 28h	2_2_00007FF7F8A1C460

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.7:49699 -> 109.107.181.162:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.7:49699 -> 109.107.181.162:15666
Source: Network traffic	Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.7:49699 -> 109.107.181.162:15666

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 109.107.181.162:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.181.162

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014007C5E0 recv,recv,closesocket,WSACleanup,

2_2_000000014007C5E0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: bot.exe, 00000002.00000003.1455279514.000001EC26E80000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1455314455.000001EC26E84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: bot.exe, 00000002.00000003.1288855876.000001EC26E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/RegirF~b
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: bot.exe, 00000002.00000003.1289744841.000001EC25264000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000002.1456698198.000001EC2524E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: bot.exe	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: bot.exe, 00000002.00000003.1299473293.000001EC27020000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC285FA000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299473293.000001EC27028000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D2A000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27CE5000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: bot.exe, 00000002.00000003.1299473293.000001EC27020000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC285FA000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299473293.000001EC27028000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D2A000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27CE5000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: bot.exe, 00000002.00000003.1301182951.000001EC2702F000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC28601000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: bot.exe, 00000002.00000003.1301182951.000001EC2702F000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC28601000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49700 version: TLS 1.2

Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F89146A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose,	0_2_00007FF7F89146A4
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8913060 GetCurrentProcess,NtQueryInformationProcess,GetTempPathA,strlen,strlen,memcpy,	0_2_00007FF7F8913060
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8913C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,	0_2_00007FF7F8913C70
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140082030 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	2_2_0000000140082030
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400D06E8 NtAllocateVirtualMemory,	2_2_00000001400D06E8
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400819C5 NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	2_2_00000001400819C5

Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F89134D0	0_2_00007FF7F89134D0
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8913C70	0_2_00007FF7F8913C70
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8935140	0_2_00007FF7F8935140
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8916A40	0_2_00007FF7F8916A40
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F892DA84	0_2_00007FF7F892DA84
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8917290	0_2_00007FF7F8917290
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F89134D0	0_2_00007FF7F89134D0
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F8925B20	0_2_00007FF7F8925B20
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F892D367	0_2_00007FF7F892D367
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F892C4A0	0_2_00007FF7F892C4A0
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F89364F0	0_2_00007FF7F89364F0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014008A06A	2_2_000000014008A06A
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014007E0B0	2_2_000000014007E0B0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014005F140	2_2_000000014005F140
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400421C0	2_2_00000001400421C0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014007F210	2_2_000000014007F210
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014008426B	2_2_000000014008426B
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140032334	2_2_0000000140032334
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014005A337	2_2_000000014005A337
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400743A0	2_2_00000001400743A0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014007E3D0	2_2_000000014007E3D0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014002F650	2_2_000000014002F650
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140086680	2_2_0000000140086680
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014003B740	2_2_000000014003B740
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014003C7E0	2_2_000000014003C7E0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014007EAB0	2_2_000000014007EAB0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140094B74	2_2_0000000140094B74
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014007FBE4	2_2_000000014007FBE4
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009ACF0	2_2_000000014009ACF0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140084CF0	2_2_0000000140084CF0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014007CDF0	2_2_000000014007CDF0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014002EF60	2_2_000000014002EF60
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009DFA0	2_2_000000014009DFA0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006E000	2_2_000000014006E000
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014004E000	2_2_000000014004E000
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140082030	2_2_0000000140082030
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400A7038	2_2_00000001400A7038
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140036050	2_2_0000000140036050
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006B0A0	2_2_000000014006B0A0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140092094	2_2_0000000140092094
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006A100	2_2_000000014006A100
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400D0138	2_2_00000001400D0138
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400D0160	2_2_00000001400D0160
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400D0158	2_2_00000001400D0158
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014005A337	2_2_000000014005A337
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140006180	2_2_0000000140006180
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140028200	2_2_0000000140028200
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009E21C	2_2_000000014009E21C
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140055250	2_2_0000000140055250
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009227C	2_2_000000014009227C
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400B92E0	2_2_00000001400B92E0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400532E0	2_2_00000001400532E0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400A22D8	2_2_00000001400A22D8
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140096300	2_2_0000000140096300
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140030305	2_2_0000000140030305
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140056340	2_2_0000000140056340
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140026340	2_2_0000000140026340
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140093344	2_2_0000000140093344
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140025350	2_2_0000000140025350
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140082380	2_2_0000000140082380
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014008E38C	2_2_000000014008E38C
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006A400	2_2_000000014006A400
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400A5464	2_2_00000001400A5464
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140092464	2_2_0000000140092464
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009C498	2_2_000000014009C498
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006E49A	2_2_000000014006E49A
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014004C500	2_2_000000014004C500
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140062510	2_2_0000000140062510
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400705A0	2_2_00000001400705A0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140006610	2_2_0000000140006610
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400596B0	2_2_00000001400596B0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400316D7	2_2_00000001400316D7
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006A730	2_2_000000014006A730
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140066750	2_2_0000000140066750
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400907A0	2_2_00000001400907A0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400A37AC	2_2_00000001400A37AC
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009E7A4	2_2_000000014009E7A4
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014008E884	2_2_000000014008E884
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014003394B	2_2_000000014003394B
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009B968	2_2_000000014009B968
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400269E0	2_2_00000001400269E0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140078A40	2_2_0000000140078A40
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006AA50	2_2_000000014006AA50
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140092AAC	2_2_0000000140092AAC
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400A6ACC	2_2_00000001400A6ACC
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140037AD2	2_2_0000000140037AD2
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400A1B68	2_2_00000001400A1B68
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400BBB80	2_2_00000001400BBB80
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006DBC0	2_2_000000014006DBC0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014002FC80	2_2_000000014002FC80
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140006D20	2_2_0000000140006D20
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014004AD30	2_2_000000014004AD30
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006AD70	2_2_000000014006AD70
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140005DB0	2_2_0000000140005DB0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009BE18	2_2_000000014009BE18
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140092E3C	2_2_0000000140092E3C
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014006CE40	2_2_000000014006CE40
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140075E70	2_2_0000000140075E70
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014003BE96	2_2_000000014003BE96
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140072EC0	2_2_0000000140072EC0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014009CF18	2_2_000000014009CF18
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F8A0C950	2_2_00007FF7F8A0C950
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F8916A40	2_2_00007FF7F8916A40
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F892DA84	2_2_00007FF7F892DA84
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F8925B20	2_2_00007FF7F8925B20
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F8913C70	2_2_00007FF7F8913C70
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F8935140	2_2_00007FF7F8935140
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F89F7220	2_2_00007FF7F89F7220
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F8917290	2_2_00007FF7F8917290
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F892D367	2_2_00007FF7F892D367
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F89134D0	2_2_00007FF7F89134D0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F892C4A0	2_2_00007FF7F892C4A0
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F89364F0	2_2_00007FF7F89364F0

Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 0000000140034B20 appears 41 times
Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 000000014002DE50 appears 37 times
Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 00007FF7F8A12CD0 appears 32 times
Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 00000001400300A0 appears 79 times
Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 000000014008D6C8 appears 59 times
Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 000000014002DDE0 appears 49 times
Source: C:\Users\user\Desktop\bot.exe	Code function: String function: 00007FF7F8A1C0A0 appears 43 times

Source: bot.exe_a.dll.0.dr

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/2

Source: C:\Users\user\Desktop\bot.exe

Code function: 0_2_00007FF7F89146A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose,

0_2_00007FF7F89146A4

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014006CE40 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,

2_2_000000014006CE40

Source: C:\Users\user\Desktop\bot.exe

File created: C:\Users\user\Desktop\bot.exe:a.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
Source: C:\Users\user\Desktop\bot.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69636FA13009

Source: bot.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bot.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bot.exe	ReversingLabs: Detection: 42%
Source: bot.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe"
Source: C:\Users\user\Desktop\bot.exe	Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe"
Source: C:\Users\user\Desktop\bot.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\bot.exe	Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\bot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: bot.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: bot.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: bot.exe

Static file information: File size 2746880 > 1048576

Source: bot.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10bc00
Source: bot.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x16f600

Source: bot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\bot.exe

Code function: 0_2_00007FF7F8913D77 strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll,

0_2_00007FF7F8913D77

Source: bot.exe	Static PE information: section name: .xdata
Source: bot.exe_a.dll.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F892AAF6 push rsp; retf	0_2_00007FF7F892AAF9
Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F892D857 push rax; iretd	0_2_00007FF7F892D858
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F892AAF6 push rsp; retf	2_2_00007FF7F892AAF9
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F892D857 push rax; iretd	2_2_00007FF7F892D858

Source: C:\Users\user\Desktop\bot.exe

File created: C:\Users\user\Desktop\bot.exe:a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_00000001400741C2 OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

2_2_00000001400741C2

Hooking and other Techniques for Hiding and Protection

Creates files in alternative data streams (ADS)

Source: C:\Users\user\Desktop\bot.exe

File created: C:\Users\user\Desktop\bot.exe:a.dll

Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\bot.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"
Source: C:\Users\user\Desktop\bot.exe	Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"			Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000			Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\bot.exe:a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\bot.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-80664

Source: C:\Users\user\Desktop\bot.exe

API coverage: 8.2 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError,	2_2_00000001400B6740
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140034F90 FindFirstFileW,FindNextFileW,	2_2_0000000140034F90
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_0000000140035061 FindFirstFileW,FindNextFileW,	2_2_0000000140035061

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014007EAB0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegCloseKey,GetLogicalDriveStringsW,GetTimeZoneInformation,

2_2_000000014007EAB0

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_0000000140094A30 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

2_2_0000000140094A30

Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1289744841.000001EC25264000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000002.1456698198.000001EC2524E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: bot.exe, 00000002.00000002.1456698198.000001EC2524E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: bot.exe, 00000002.00000003.1293216845.000001EC27C43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\bot.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Code function: 0_2_00007FF7F8913D77 strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll,

0_2_00007FF7F8913D77

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_000000014008D3D8

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_00000001400B8A44 GetLastError,IsDebuggerPresent,OutputDebugStringW,

2_2_00000001400B8A44

Source: C:\Users\user\Desktop\bot.exe

Code function: 0_2_00007FF7F8913D77 strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll,

0_2_00007FF7F8913D77

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_00000001400A4D28 GetProcessHeap,

2_2_00000001400A4D28

Source: C:\Users\user\Desktop\bot.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bot.exe	Code function: 0_2_00007FF7F89111D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,	0_2_00007FF7F89111D9
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00000001400D02D8 SetUnhandledExceptionFilter,	2_2_00000001400D02D8
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000000014008D3D8
Source: C:\Users\user\Desktop\bot.exe	Code function: 2_2_00007FF7F89111D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,	2_2_00007FF7F89111D9

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\bot.exe	NtQueryInformationProcess: Indirect: 0x7FF7F8913CAD	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	NtClose: Indirect: 0x7FF7F8914830
Source: C:\Users\user\Desktop\bot.exe	NtQueryInformationProcess: Indirect: 0x7FF7F8913098	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\bot.exe

Memory written: C:\Users\user\Desktop\bot.exe base: 140000000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\bot.exe

Thread register set: target process: 6768

Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_0000000140072EC0 ShellExecuteW,

2_2_0000000140072EC0

Source: C:\Users\user\Desktop\bot.exe	Process created: C:\Users\user\Desktop\bot.exe "C:\Users\user\Desktop\bot.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000	Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Code function: 0_2_00007FF7F8914350 cpuid

0_2_00007FF7F8914350

Source: C:\Users\user\Desktop\bot.exe	Code function: EnumSystemLocalesW,	2_2_00000001400A409C
Source: C:\Users\user\Desktop\bot.exe	Code function: EnumSystemLocalesW,	2_2_00000001400A416C
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00000001400A4204
Source: C:\Users\user\Desktop\bot.exe	Code function: EnumSystemLocalesW,	2_2_0000000140099354
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoW,	2_2_00000001400D0390
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoEx,FormatMessageA,	2_2_00000001400B63B0
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoW,	2_2_00000001400A4450
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00000001400A45A8
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoW,	2_2_00000001400A4658
Source: C:\Users\user\Desktop\bot.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00000001400A4784
Source: C:\Users\user\Desktop\bot.exe	Code function: GetLocaleInfoW,	2_2_0000000140099898
Source: C:\Users\user\Desktop\bot.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_00000001400A3D50

Source: C:\Users\user\Desktop\bot.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\bot.exe

Code function: 0_2_00007FF7F892B4F9 GetSystemTimeAsFileTime,

0_2_00007FF7F892B4F9

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014007DCC0 GetUserNameW,

2_2_000000014007DCC0

Source: C:\Users\user\Desktop\bot.exe

Code function: 2_2_000000014007F210 GetTimeZoneInformation,

2_2_000000014007F210

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\config
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: bot.exe, 00000002.00000003.1336291282.000001EC2944B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "software": "Ny1aaXAgMjMuMDEgKHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzNF0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNDddCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K",
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: bot.exe, 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\bot.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\bot.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\bot.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bot.exe PID: 6768, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	3 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 DLL Side-Loading	NTDS	34 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 NTFS File Attributes	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bot.exe	42%	ReversingLabs	Win64.Trojan.Generic
bot.exe	41%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\bot.exe:a.dll	100%	Avira	HEUR/AGEN.1354117
C:\Users\user\Desktop\bot.exe:a.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	bot.exe	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://ns.microsoft.t/RegirF~b	bot.exe, 00000002.00000003.1288855876.000001EC26E71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290619963.000001EC27C15000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291065146.000001EC27C16000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org	bot.exe, 00000002.00000003.1299473293.000001EC27020000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1306737156.000001EC285FA000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299473293.000001EC27028000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1300909810.000001EC27D2A000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27CE5000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1299745214.000001EC27D32000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.microsoft.t/Regi	bot.exe, 00000002.00000003.1455279514.000001EC26E80000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1455314455.000001EC26E84000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	bot.exe, 00000002.00000003.1290619963.000001EC27C2E000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1290945374.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1291311899.000001EC252D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	bot.exe, 00000002.00000003.1300909810.000001EC27D3A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	bot.exe, 00000002.00000003.1311444530.000001EC25280000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1315115313.000001EC27BA3000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1324309551.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp, bot.exe, 00000002.00000003.1311444530.000001EC252B2000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.107.181.162	unknown	Russian Federation		49973	TELEPORT-TV-ASRU	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532244
Start date and time:	2024-10-12 22:38:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bot.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 83 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:39:04	API Interceptor	2x Sleep call for process: bot.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.107.181.162	RUN.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	App_installer32_64x.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	setup_run.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
172.67.74.152	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	172.67.74.152
	ATLANTIC STAR - VESSEL DETAILS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	024.xlsx.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.13.205
	024.xlsx.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Order0958490.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win64.PWSX-gen.30688.21076.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	https://www.canva.com/design/DAGTGtfEYnw/CziuYyD8EEWyTr61OD4BbQ/edit?utm_content=DAGTGtfEYnw&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutto	Get hash	malicious	HtmlDropper	Browse	172.67.74.152
	HS034Ewroq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEPORT-TV-ASRU	RUN.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.162
	App_installer32_64x.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.162
	setup_run.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.162
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.162
	wqOq2pxuQB.exe	Get hash	malicious	Stealc, Vidar	Browse	109.107.187.5
	Wv3pZF5jI3.exe	Get hash	malicious	RedLine	Browse	109.107.182.39
	OgcktrbHkI.exe	Get hash	malicious	Tofsee	Browse	109.107.161.150
	clik.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	109.107.181.83
	leadiadequatepro.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	109.107.181.83
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.107.181.83
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	na.elf	Get hash	malicious	Mirai	Browse	8.6.157.70
	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	172.67.74.152
	v.1.5.4__x64__.msi	Get hash	malicious	LegionLoader	Browse	172.67.74.152
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	SecuriteInfo.com.FileRepMalware.1304.4177.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Synaptics.exe	Get hash	malicious	XRed	Browse	172.67.74.152
	Quotation-GINC-19-00204.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	Produkttyper.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	P065.00760_0858_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	Agenda de Pagamento outubro 2024.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	curriculo_OUTUBRO_2024_Bmd2xZtsZtjm7sO_curriculo_091024.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.74.152

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\bot.exe:a.dll

Download File

Process:	C:\Users\user\Desktop\bot.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1430016
Entropy (8bit):	7.491054840858222
Encrypted:	false
SSDEEP:	24576:kjSpDfQz9C7baQvDppXIrg7GU1zvw6TBovozmpqr/XoSjdQvYq+jweWgYx:kjS9fQzw7baQrppXsg7G4zvw6FGyvoSU
MD5:	4BEFE8FA4F25CCC8985C3E1F3E76C870
SHA1:	B1B22D237CB469240E12791026E6175926DB6CA8
SHA-256:	EACD6510F27A560F7A7BFB64FC2539C8C72DB257B832008CADA036551BDA7CBD
SHA-512:	9AD445CAE534450388E6F136C5018C0CC6FD8C58ACA57C4451F59E0AE9FBA24993AFE5FA16CF1D5BB69CC22703173592AB6E8CC824153F5F9C0258C5325C9E0B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....=.g..........."...)............`........................................@............`... ..............................................................................0..............................@...(...................@................................text...............................`..`.data....[...0...\..................@....rdata...........0...v..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..............................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc.......0......................@..B........................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	275
Entropy (8bit):	4.825671547285939
Encrypted:	false
SSDEEP:	6:PzXULmWxHLTpUrraGbsW3CNcwAFeMmvVOIHJFxMVlmJHaVFtIk3:P+pTpcraGbsTDAFSkIrxMVlmJHaVPN
MD5:	048DC6B94735C4768D20ED5E3F14F565
SHA1:	6B92CCD1E038396F675090384C6E8DFC742614ED
SHA-256:	6D0C347234F09E710D6B842ED14CD27792E71E5B906E9E806E77AFE8FF08E1BE
SHA-512:	88DF2342FFD4D303BEF828A12F7BEB505DC06E0BE6E91FF7FDA74DE31FAA289089557C036293EE3B0EE55A62D62CC804953C0D89591E662A0B513525AA40093E
Malicious:	false
Reputation:	low
Preview:	..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=6ms TTL=51....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 6ms, Maximum = 6ms, Average = 6ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.175418534241925
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	bot.exe
File size:	2'746'880 bytes
MD5:	3870b1e1ca36deec20214c6ae51f8f16
SHA1:	feefcdc98dae9d1a720f8626af58f136f6468a0b
SHA256:	d10449f12f6bd9f29e59600486bd48a49c0f7263a990ed82b9b2a635f4706fac
SHA512:	840087c0a876bf027dba23d1050534bee2ad31e58b9343290b40c470d28cbde7158c785f200cadf6e5d69539183814b20f343e3130f974b8ce88af8d8ec338cc
SSDEEP:	49152:7ZPf0tL9d77T+WScpPNBqB0+iajS9fQzw7baQrppXsg7G4zvw6FGyvoS5QJ+jweu:AVScpPN3l7baQ3sg7G4zvwevoS5QYweu
TLSH:	85D59D47A36301ACC19ED07C4F97D672BF70B4A902B03825ADA1D733AF24E505EA7B65
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....=.g...............)......)................@.............................`.....I....`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x670A3DDA [Sat Oct 12 09:14:02 2024 UTC]
TLS Callbacks:	0x4001a380, 0x1, 0x4001a350, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0163d3ec9900198371a13a64f76fc361

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00274A35h]
mov dword ptr [eax], 00000001h
call 00007F9A98F05D1Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00274A15h]
mov dword ptr [eax], 00000000h
call 00007F9A98F05CFFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F9A98F2C20Ch
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F9A98F06029h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
push esi
push ebx
dec eax
sub esp, 28h
call 00007F9A98F2C2B2h
dec eax
arpl ax, bx
cdq
dec eax
imul ebx, ebx, 51EB851Fh
dec eax
sar ebx, 25h
sub ebx, edx
imul edx, ebx, 64h
sub eax, edx
mov ebx, eax
test eax, eax
jle 00007F9A98F06088h
xor esi, esi
nop dword ptr [eax+00000000h]
call 00007F9A98F2C288h
dec eax
arpl ax, dx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a0000	0x1180	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x281000	0xaf80	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a4000	0x1684	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x274860	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a0450	0x410	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10bb70	0x10bc00	61622e4740e5d28874e06d8b9c534322	False	0.35506207691409897	data	6.22838234953122	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x10d000	0x3080	0x3200	9dd76daa6bcbbd52a7e1f42691b82f36	False	0.0225	data	0.27715409108042194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x111000	0x16f4a0	0x16f600	57e815b2946af59fca620f285f7f3998	False	0.5944198707043212	data	7.450602281863168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x281000	0xaf80	0xb000	e5a1483ef7d2debd266ba4f8a96810ca	False	0.5372869318181818	data	6.036620350568149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x28c000	0x12324	0x12400	98a30c7b03b41b55b5760cfb36f29449	False	0.1908042594178082	data	5.069165535169385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x29f000	0xcb0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2a0000	0x1180	0x1200	639e2c53a8b3a75c1ff57ec93e18be3b	False	0.314453125	data	4.234187742404477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2a2000	0x60	0x200	c763ed33786bdf672a771e19d0ae8b3a	False	0.06640625	data	0.3124937745953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2a3000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2a4000	0x1684	0x1800	4f4f97b146c1904b770a19b01a0caf58	False	0.37890625	data	5.3554449882646145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CreateFileW, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, FormatMessageA, GetCurrentProcess, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadId, InitializeConditionVariable, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LocalFree, MultiByteToWideChar, Process32First, Process32Next, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableCS, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualProtect, VirtualQuery, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteFile

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _filelengthi64, _fileno, _fmode, _fstat64, _get_osfhandle, _initterm, _lseeki64, _onexit, _strlwr, _time64, _wfopen, abort, calloc, exit, fclose, fflush, fgetpos, fopen, fprintf, fputc, fputs, fread, free, fsetpos, fwrite, getc, getenv, getwc, iswctype, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, putc, putwc, rand, realloc, setlocale, setvbuf, signal, srand, strchr, strcmp, strcoll, strcpy_s, strerror, strftime, strlen, strncmp, strstr, strtoul, strxfrm, towlower, towupper, ungetc, ungetwc, vfprintf, wcscoll, wcsftime, wcslen, wcstombs, wcsxfrm, _write, _read, _fileno, _fdopen

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T22:39:13.826218+0200	2049441	ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt	1	192.168.2.7	49699	109.107.181.162	15666	TCP
2024-10-12T22:39:13.826218+0200	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.7	49699	109.107.181.162	15666	TCP
2024-10-12T22:39:13.826218+0200	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.7	49699	109.107.181.162	15666	TCP
2024-10-12T22:39:13.831482+0200	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.7	49699	109.107.181.162	15666	TCP
2024-10-12T22:39:13.831482+0200	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.7	49699	109.107.181.162	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 22:39:06.371028900 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:06.375983953 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:06.376086950 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:07.008949995 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:07.008974075 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:07.009047985 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:07.020597935 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:07.020611048 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:07.515991926 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:07.516094923 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.488236904 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.488281012 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.489248991 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.489321947 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.491499901 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.539408922 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.603363037 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.603435040 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.603457928 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.603514910 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.603524923 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.603595972 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:08.603634119 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.603647947 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.653820992 CEST	49700	443	192.168.2.7	172.67.74.152
Oct 12, 2024 22:39:08.653848886 CEST	443	49700	172.67.74.152	192.168.2.7
Oct 12, 2024 22:39:13.826217890 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.831237078 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.831250906 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.831264973 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.831275940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.831296921 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.831481934 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.835129976 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.835141897 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.835154057 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.835165024 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.835175037 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.835213900 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.835278034 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.836334944 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836374998 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836429119 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.836430073 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836442947 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836455107 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836467028 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836504936 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.836555958 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.836594105 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836659908 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.836678028 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.836764097 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.840085983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.840163946 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.840183973 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.840217113 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.840254068 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.840296984 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.840296984 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.840367079 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.841269970 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841351986 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.841363907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841391087 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841466904 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.841470003 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841483116 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841567039 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.841692924 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841768026 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.841835976 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841847897 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.841923952 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.845067024 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845144987 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.845161915 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845174074 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845192909 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845204115 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845232010 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845249891 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845251083 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.845262051 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845274925 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845285892 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845288038 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.845320940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845329046 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.845366001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845374107 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.845377922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845388889 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.845438957 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846127033 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846139908 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846153021 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846163988 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846221924 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846236944 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846249104 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846314907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846328020 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846339941 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846399069 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846410990 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846417904 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846457005 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846467972 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846493006 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846510887 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846538067 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846540928 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846574068 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846599102 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846601963 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846656084 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846668005 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846672058 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846678972 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846698999 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846709967 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846723080 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846734047 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846757889 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846770048 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846818924 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846821070 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846831083 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846843004 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846860886 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846873045 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846884012 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846905947 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846916914 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846918106 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846926928 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846940041 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846951008 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846965075 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.846971035 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.846982956 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.847006083 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.847069979 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850155115 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850207090 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850224018 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850272894 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850318909 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850337982 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850380898 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850450993 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850512028 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850594997 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850605965 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850619078 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850656986 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850668907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850681067 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850706100 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850739002 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850786924 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850791931 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850802898 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850815058 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850867987 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850904942 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850925922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850936890 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850948095 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850969076 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.850987911 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.850999117 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851005077 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851072073 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851073980 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851083994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851129055 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851140022 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851175070 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851206064 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851218939 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851229906 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851264000 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851275921 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851294041 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851294994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851336002 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851346970 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851356983 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851357937 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851371050 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851382017 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851421118 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851433039 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851444006 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851454020 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851468086 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851480961 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851502895 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851511002 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851515055 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851537943 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851548910 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851557016 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851560116 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851573944 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851584911 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851596117 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851608038 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851614952 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851643085 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851650953 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851654053 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851665974 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851676941 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851687908 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851687908 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851699114 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851715088 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851720095 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851731062 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851758957 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851761103 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851768970 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851788998 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851810932 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851862907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851862907 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851875067 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851886988 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851897955 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851917982 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851934910 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851968050 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851978064 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.851979017 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.851990938 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852010965 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852021933 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852081060 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852108002 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852118969 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852129936 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852140903 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852145910 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852166891 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852179050 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852185011 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852199078 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852210999 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852233887 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852241039 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852278948 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852287054 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852298021 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852318048 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852329969 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852339029 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852339983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852372885 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852390051 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852401972 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852412939 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852423906 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852425098 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852433920 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852447033 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852458954 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852468967 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852479935 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852488041 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852490902 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852510929 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852521896 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852533102 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852543116 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852544069 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852566957 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852608919 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852643967 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.852801085 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852814913 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.852888107 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855079889 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855104923 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855151892 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855190039 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855258942 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855271101 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855282068 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855295897 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855307102 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855318069 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855351925 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855391979 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855405092 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855417967 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855474949 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855495930 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855555058 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855745077 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855756044 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855770111 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855781078 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855803013 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855817080 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855828047 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855830908 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855848074 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855859995 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855870962 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855900049 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855907917 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855920076 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855932951 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855938911 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.855942965 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.855988979 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856025934 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856038094 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856049061 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856060028 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856070042 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856081009 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856092930 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856103897 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856113911 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856126070 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856137037 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856148005 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856158972 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856164932 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856170893 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856182098 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856193066 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856204033 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856225014 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856235027 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856235981 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856247902 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856261015 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856271982 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856280088 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856345892 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856348038 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856417894 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856475115 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856540918 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856555939 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856570959 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856595993 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856625080 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856637001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856642008 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856647015 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856699944 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856719971 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856720924 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856733084 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856767893 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856843948 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856856108 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856875896 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856887102 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856937885 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856942892 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.856949091 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856961012 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.856971979 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857021093 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857033014 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857044935 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857067108 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857078075 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857088089 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857100964 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857124090 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857127905 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857139111 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857158899 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857170105 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857204914 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857233047 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857299089 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857359886 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857363939 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857376099 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857389927 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857446909 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857445955 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857458115 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857518911 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857521057 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857532978 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857543945 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857554913 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857566118 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857585907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857593060 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857597113 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857606888 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857619047 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857630014 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857650042 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857661009 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857671022 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857671976 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857697964 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857718945 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857729912 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857733965 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857742071 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857754946 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857765913 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857785940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857798100 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857800961 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857809067 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857820034 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857831955 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857842922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857862949 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857873917 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857880116 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857886076 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857897043 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857908964 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857919931 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857932091 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857940912 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857953072 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857963085 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.857964993 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857975960 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.857988119 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858005047 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858007908 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858020067 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858031988 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858042955 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858045101 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858053923 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858066082 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858078957 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858078957 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858091116 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858103037 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858123064 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858130932 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858144999 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858156919 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858169079 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858181953 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858217955 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858225107 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858237028 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858263016 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858285904 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858298063 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858308077 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858309984 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858323097 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858335018 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858345032 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858376026 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858387947 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858396053 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858397961 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858428001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858439922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858445883 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858469963 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858480930 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858481884 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858494997 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858505964 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858565092 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858567953 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858576059 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858645916 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858705044 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858784914 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858799934 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858812094 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858823061 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858875036 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858886003 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858896971 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858899117 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858925104 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858936071 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858948946 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858958960 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.858983994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.858995914 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859006882 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859026909 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859080076 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859122992 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859133959 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859143972 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859154940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859165907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859203100 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859210968 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859222889 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859234095 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859242916 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859245062 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859258890 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859270096 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859281063 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859292030 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859302998 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859309912 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859323978 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859334946 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859345913 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859357119 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859359980 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859440088 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859863997 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859875917 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859916925 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859929085 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859929085 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.859940052 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859954119 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859966993 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859978914 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.859981060 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.860013962 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.860055923 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.903301954 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.904057980 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.904268980 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.904386997 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.904531956 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.904644966 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.904772043 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.904881001 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.905025959 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.905128956 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.905246973 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.905350924 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.905466080 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.905524015 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.922350883 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.924278021 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.924431086 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.924520969 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.924629927 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.924669027 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.929270983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.929502010 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.929631948 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.929698944 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:13.971194983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:13.971330881 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.019279957 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.019341946 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.022242069 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.022469044 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.022604942 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.022699118 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.022809029 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.022902012 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.023022890 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.023127079 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.023231983 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.023292065 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.027462006 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.027692080 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.027822018 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.027909040 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.071355104 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.071589947 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.084589958 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.084965944 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.085103989 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.085196972 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.085295916 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.090221882 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.090473890 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.090622902 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.090702057 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.131181955 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.131375074 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.159441948 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.159595013 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.159621954 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.159714937 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.159782887 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.159851074 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.159904957 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.159971952 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.160029888 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.160087109 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.160104036 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.164608002 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.164747953 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.207190037 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.207247972 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.223803997 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.223959923 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224037886 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224102974 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224172115 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224220037 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.224236012 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224294901 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224347115 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224404097 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224456072 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224524975 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224580050 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224658012 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.224674940 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.228934050 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.229094028 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.229188919 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.229206085 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.275196075 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.275840998 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.276073933 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.276185989 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.276331902 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.276407003 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.284490108 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.284686089 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285038948 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285186052 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285300016 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285425901 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285525084 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285651922 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285746098 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285866022 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.285964012 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.286108017 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.286214113 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.286338091 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.286408901 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.289731026 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289799929 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.289818048 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289830923 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289841890 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289855957 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289868116 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289890051 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289895058 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.289901018 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289911985 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289923906 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289935112 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289937973 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.289957047 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289968967 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289979935 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.289988995 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290003061 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290015936 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290026903 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290028095 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290038109 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290054083 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290060043 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290071964 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290082932 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290093899 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290105104 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290112972 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290116072 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290138960 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290150881 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290153027 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290163040 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290174961 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290184975 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290194988 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290210009 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290225983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290237904 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290250063 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290251017 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290275097 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290287018 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290298939 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290306091 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290309906 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290322065 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290343046 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290347099 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290359974 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290371895 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290383101 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290390968 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290431976 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290465117 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290618896 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290632010 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290643930 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290657043 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290679932 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290682077 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290693998 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290707111 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290716887 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290716887 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290772915 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290843010 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290855885 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290867090 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290878057 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290889025 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290899992 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290910959 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290913105 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290921926 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290932894 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290944099 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290955067 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290966034 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290973902 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.290987015 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.290998936 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291011095 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291022062 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291033983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291033983 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291044950 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291055918 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291079044 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291090012 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291100979 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291102886 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291111946 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291125059 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291136026 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291146040 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291151047 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291167974 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291181087 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291192055 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291193008 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291203022 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291224957 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291224957 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291237116 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291249990 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291269064 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291270971 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291282892 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291294098 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291306019 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291315079 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291327000 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291338921 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291349888 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291354895 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291364908 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291389942 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291410923 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291423082 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291434050 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291441917 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291450024 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291461945 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291470051 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291485071 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291498899 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291516066 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291527987 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291527987 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291539907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291553974 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291558027 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291583061 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291588068 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291600943 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291610956 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291618109 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291640997 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291651964 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291657925 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291662931 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291682959 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291695118 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291727066 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291735888 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291749001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291759968 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291774035 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291781902 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291802883 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291804075 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291815996 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291827917 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291838884 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291877985 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.291902065 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291913986 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291925907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291937113 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291948080 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291969061 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.291975975 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292020082 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292021990 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292048931 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292061090 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292073011 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292084932 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292113066 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292119026 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292130947 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292141914 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292166948 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292170048 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292182922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292195082 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292208910 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292215109 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292227983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292238951 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292248964 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292262077 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292275906 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292287111 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292288065 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292300940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292315006 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292320967 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292342901 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292351961 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292355061 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292373896 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292382956 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292431116 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292473078 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292485952 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292496920 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292507887 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292526960 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292538881 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292541027 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292572975 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292581081 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292593002 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.292604923 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.292820930 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.339117050 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.340179920 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.340393066 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.340483904 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.340600014 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.340739012 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.340888023 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.340986967 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341109037 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341208935 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341324091 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341430902 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341562986 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341664076 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341787100 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.341886044 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.342004061 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.342101097 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.342252016 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.342312098 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345323086 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345347881 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345360994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345372915 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345489025 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345498085 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345511913 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345523119 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345536947 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345547915 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345560074 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345581055 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345630884 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345642090 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345643997 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345647097 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345706940 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345727921 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345741034 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345752001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345762968 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345772982 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345783949 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345803976 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345808029 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345814943 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345828056 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345839977 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345850945 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345854998 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345870972 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345890999 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345916033 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345921040 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345933914 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345949888 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345963001 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.345980883 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345993042 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.345998049 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346028090 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346040010 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346081018 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346098900 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346100092 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346115112 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346132994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346143961 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346146107 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346184969 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346190929 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346204042 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346210957 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346214056 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346227884 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346240044 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346266031 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346266985 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346278906 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346290112 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346318007 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346323013 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346329927 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346350908 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346370935 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346384048 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346405983 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346422911 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346437931 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346481085 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346503019 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346514940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346534014 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346554041 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346565008 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346565962 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346599102 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346626043 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346642971 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346683979 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346700907 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346721888 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346735954 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346746922 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346782923 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346784115 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346796036 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346818924 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346849918 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346851110 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346863985 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346883059 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346899033 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346911907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346915007 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346923113 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346975088 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.346976042 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.346988916 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347002983 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347013950 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347024918 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347045898 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347045898 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347057104 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347088099 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347101927 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347114086 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347116947 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347147942 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347158909 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347170115 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347177982 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347196102 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347208023 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347218990 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347224951 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347232103 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347243071 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347254038 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347260952 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347266912 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347279072 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347309113 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347342968 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347348928 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347357035 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347412109 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347414017 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347426891 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347471952 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347480059 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347482920 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347497940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347537994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347543955 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347549915 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347560883 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347600937 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347604036 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347613096 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347623110 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347634077 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347655058 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347666025 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347690105 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347698927 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347709894 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347721100 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347728968 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347742081 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347753048 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347767115 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347770929 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347810984 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347821951 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347821951 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347843885 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347856045 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347867012 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347867966 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347877026 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347891092 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347894907 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347902060 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347913027 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347923994 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347956896 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347961903 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.347969055 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347980022 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.347990990 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348031044 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348047018 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348058939 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348072052 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348083973 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348097086 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348123074 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348134995 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348143101 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348146915 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348159075 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348184109 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348186970 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348213911 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348239899 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348248005 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348262072 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348273039 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348292112 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348304033 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348319054 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348356962 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348437071 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348448992 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348459005 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348469973 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348480940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348491907 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348500967 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348501921 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348526001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348537922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348548889 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348558903 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348560095 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348571062 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348592997 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348603010 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348612070 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348613977 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348624945 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348635912 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348648071 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348648071 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348659039 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348670006 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348680973 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348691940 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348695993 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348704100 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348714113 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348737001 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348747969 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348748922 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348761082 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348772049 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348783016 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348793030 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348800898 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348807096 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348819017 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348829985 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348833084 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348840952 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348851919 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348862886 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348875046 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348886013 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348892927 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348897934 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348908901 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348921061 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348932981 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348943949 CEST	15666	49699	109.107.181.162	192.168.2.7
Oct 12, 2024 22:39:14.348943949 CEST	49699	15666	192.168.2.7	109.107.181.162
Oct 12, 2024 22:39:14.348954916 CEST	15666	49699	109.107.181.162	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 22:39:06.995239973 CEST	192.168.2.7	1.1.1.1	0xbdcc	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 22:39:07.002191067 CEST	1.1.1.1	192.168.2.7	0xbdcc	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:39:07.002191067 CEST	1.1.1.1	192.168.2.7	0xbdcc	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:39:07.002191067 CEST	1.1.1.1	192.168.2.7	0xbdcc	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	172.67.74.152	443	6768	C:\Users\user\Desktop\bot.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:39:08 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-10-12 20:39:08 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:39:08 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8d19e5c66ba732d3-EWR
2024-10-12 20:39:08 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	16:39:04
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\bot.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bot.exe"
Imagebase:	0x7ff7f8910000
File size:	2'746'880 bytes
MD5 hash:	3870B1E1CA36DEEC20214C6AE51F8F16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:39:05
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\bot.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bot.exe"
Imagebase:	0x7ff7f8910000
File size:	2'746'880 bytes
MD5 hash:	3870B1E1CA36DEEC20214C6AE51F8F16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000002.00000002.1456698198.000001EC251E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:39:22
Start date:	12/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\bot.exe"
Imagebase:	0x7ff7f3ae0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:39:22
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:39:23
Start date:	12/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 1.1.1.1 -n 1 -w 3000
Imagebase:	0x7ff669640000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	1717
Total number of Limit Nodes:	23

Executed Functions

Function 00007FF7F8913C70 Relevance: 40.6, APIs: 13, Strings: 10, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F8913C83

Part of subcall function 00007FF7F8913060: GetCurrentProcess.KERNEL32 ref: 00007FF7F8913071
Part of subcall function 00007FF7F8913060: GetTempPathA.KERNEL32 ref: 00007FF7F89130C8
Part of subcall function 00007FF7F8913060: strlen.MSVCRT ref: 00007FF7F89131E7

GetTempPathW.KERNEL32 ref: 00007FF7F8913CEA
wcslen.MSVCRT ref: 00007FF7F8913D0B
wcslen.MSVCRT ref: 00007FF7F8913D29

Part of subcall function 00007FF7F8A05AE0: memcpy.MSVCRT ref: 00007FF7F8A05B18

Strings

LdrLoadDll, xrefs: 00007FF7F8913EE1
basic_string: construction from null is not valid, xrefs: 00007FF7F8914314
basic_string::append, xrefs: 00007FF7F89142F3, 00007FF7F8914320
a.dll, xrefs: 00007FF7F8913D1F
?, xrefs: 00007FF7F8913F6D
1-+!, xrefs: 00007FF7F8913EFB
_xQR, xrefs: 00007FF7F8913FF5
G, xrefs: 00007FF7F8913F0E
Execute, xrefs: 00007FF7F89140AA
:a.dll, xrefs: 00007FF7F8913FD9

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CurrentPathProcessTempwcslen$memcpystrlen
String ID: 1-+!$:a.dll$?$Execute$G$LdrLoadDll$_xQR$a.dll$basic_string: construction from null is not valid$basic_string::append
API String ID: 2900198006-422064679
Opcode ID: b435ad7ec5c172377df6c7db62dc04d68ec628c804fcb6cc879e325285b4db4d
Instruction ID: 07a788541ce645b99223e1137d0fb4af7330bf46723ac7226bbc1abe529de125
Opcode Fuzzy Hash: b435ad7ec5c172377df6c7db62dc04d68ec628c804fcb6cc879e325285b4db4d
Instruction Fuzzy Hash: AAE1A12260DB8685EB20EB15E4403AAE761FB88B90FC44135DAAE07BD8DF3CD545D794

Function 00007FF7F8913D77 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 215
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF7F8913E21
LoadLibraryA.KERNEL32 ref: 00007FF7F8913ED1
GetProcAddress.KERNEL32 ref: 00007FF7F8913EEB
GetProcAddress.KERNEL32 ref: 00007FF7F8913F44
GetProcAddress.KERNEL32 ref: 00007FF7F8913F94
wcslen.MSVCRT ref: 00007FF7F8913FE3
LdrLoadDll.NTDLL ref: 00007FF7F89140A4
GetProcAddress.KERNEL32 ref: 00007FF7F89140C3
VirtualProtect.KERNEL32 ref: 00007FF7F89140E0
LdrUnloadDll.NTDLL ref: 00007FF7F89140EF

Strings

LdrLoadDll, xrefs: 00007FF7F8913EE1
1-+!_xQR, xrefs: 00007FF7F891406F
?, xrefs: 00007FF7F8913F6D
1-+!, xrefs: 00007FF7F8913EFB
_xQR, xrefs: 00007FF7F8913FF5
G, xrefs: 00007FF7F8913F0E
Execute, xrefs: 00007FF7F89140AA
:a.dll, xrefs: 00007FF7F8913FD9

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: AddressProc$Load$LibraryProtectUnloadVirtualstrlenwcslen
String ID: 1-+!$1-+!_xQR$:a.dll$?$Execute$G$LdrLoadDll$_xQR
API String ID: 3642747353-1020948967
Opcode ID: ac7cbebfa299ef058e6635967f354b8f2964a2265605eb576fd2bb126a06853c
Instruction ID: b3a545e7e7eacfdd544f2090dc7e5e99e14a58ad58302358f82b9f23e5d420f1
Opcode Fuzzy Hash: ac7cbebfa299ef058e6635967f354b8f2964a2265605eb576fd2bb126a06853c
Instruction Fuzzy Hash: CDA1902260DFC285EB20DB15E4503AAF7A1FB88B90F848136CA9E07B98DF3CD505D790

Function 00007FF7F89134D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F8A1AB80: malloc.MSVCRT ref: 00007FF7F8A1AB97

memcpy.MSVCRT ref: 00007FF7F8913516

Strings

basic_string::append, xrefs: 00007FF7F8913C06, 00007FF7F8913C44, 00007FF7F8913C55

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: mallocmemcpy
String ID: basic_string::append
API String ID: 4276657696-3811946249
Opcode ID: f2a24654ebdb0de499fa3cb3071d86c97609a1b1a7bc6cc9d4f2037ee26fafcc
Instruction ID: a8b9668829baf18e0b9093b9c3426eef31d9fb4db624fcb19885daba8a0921d0
Opcode Fuzzy Hash: f2a24654ebdb0de499fa3cb3071d86c97609a1b1a7bc6cc9d4f2037ee26fafcc
Instruction Fuzzy Hash: 82D1902260DAC585EB60DB15E8047AEF361FB85BA0F808235DAAD47BD8DF3CD444E794

Function 00007FF7F8913060 Relevance: 7.7, APIs: 5, Instructions: 231
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F8913071
GetTempPathA.KERNEL32 ref: 00007FF7F89130C8
strlen.MSVCRT ref: 00007FF7F89131E7
strlen.MSVCRT ref: 00007FF7F89132A9
memcpy.MSVCRT ref: 00007FF7F89132EE

Part of subcall function 00007FF7F894EE70: memchr.MSVCRT ref: 00007FF7F894EEB1

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlen$CurrentPathProcessTempmemchrmemcpy
String ID:
API String ID: 1237187527-0
Opcode ID: b8ce6924fedb661b87884fb1d263ab3edc801dc2d5a500a0fb930ce7753d2c66
Instruction ID: b8472579dce7dcd6562ff9dc5ff575dfd490795d76b082d3347bd39e262ecb3b
Opcode Fuzzy Hash: b8ce6924fedb661b87884fb1d263ab3edc801dc2d5a500a0fb930ce7753d2c66
Instruction Fuzzy Hash: 87A1732660CF8185EB50DB19E44036EE7A1FB85BA0F944235EAAD03BD8DF7CD005EB54

Function 00007FF7F89111D9 Relevance: 7.6, APIs: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62107a3d02b81b5234c88d95762d057ed00c24eaffb834b4604cbe2bde97a6a7
Instruction ID: 911e168ad3c189f9a1701a13446ed1dc46d1237289c8e0a781f14389e198ab24
Opcode Fuzzy Hash: 62107a3d02b81b5234c88d95762d057ed00c24eaffb834b4604cbe2bde97a6a7
Instruction Fuzzy Hash: 9C41BE21A0DA4699FB51FF15E890279E3A4BF04B92FC41438C92D473E1DF2CE401B3A8

Function 00007FF7F89146A4 Relevance: 4.6, APIs: 3, Instructions: 128
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F892BB40: RtlCaptureContext.KERNEL32 ref: 00007FF7F892BBBE
Part of subcall function 00007FF7F892BB40: RtlUnwindEx.KERNEL32 ref: 00007FF7F892BBDC
Part of subcall function 00007FF7F892BB40: abort.MSVCRT ref: 00007FF7F892BBE2

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7F8914735
Process32First.KERNEL32 ref: 00007FF7F891475A

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CaptureContextCreateFirstProcess32SnapshotToolhelp32Unwindabort
String ID:
API String ID: 1927501140-0
Opcode ID: d0db7728f9c99ea370fcf01e04ea703f72949bf83f037fa8fe1b684acdd07e92
Instruction ID: 993c13baeed53fd45165622c411de91e1393468ee510d68d09cad93b5bc61b35
Opcode Fuzzy Hash: d0db7728f9c99ea370fcf01e04ea703f72949bf83f037fa8fe1b684acdd07e92
Instruction Fuzzy Hash: 5B41C76270DA8685EB14EB11E4002BAE362FB897A1FC44131EE6E07BC5DF7CD4019794

Function 00007FF7F8913539 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF7F891356D
WriteFile.KERNEL32 ref: 00007FF7F891359D
CloseHandle.KERNEL32 ref: 00007FF7F89135AE
CloseHandle.KERNEL32 ref: 00007FF7F89138C0

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID:
API String ID: 3602564925-0
Opcode ID: 394c0e051cec6e34f4efdc98b69a1e23df70269413b6b1c3fb0bf7fe79d9565c
Instruction ID: d059ac98f9ae1592d352f16411e5253d76a7f9787d978b63fb97e528020f161a
Opcode Fuzzy Hash: 394c0e051cec6e34f4efdc98b69a1e23df70269413b6b1c3fb0bf7fe79d9565c
Instruction Fuzzy Hash: EF118F2270994642E710AB15F41477BE261BB84BB9F800231DD7E0BBD4DF3CE44AA798

Function 00007FF7F8911294 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7F8911312
strlen.MSVCRT ref: 00007FF7F8911334
malloc.MSVCRT ref: 00007FF7F8911340
memcpy.MSVCRT ref: 00007FF7F8911358

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 543d9a2a041976af41462432e31a9754b6760f675d962eca3c3379e79177352a
Instruction ID: ac28afac479f051f264a0276a816e34b64ec33999e8e880b60aad02f679dd221
Opcode Fuzzy Hash: 543d9a2a041976af41462432e31a9754b6760f675d962eca3c3379e79177352a
Instruction Fuzzy Hash: A431B025E0DA565AF761EF15E4903B4E391AF41B92FC45038CE2D0B3D1DE2DA405E7A8

Function 00007FF7F8911289 Relevance: 5.1, APIs: 4, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7F8911312
strlen.MSVCRT ref: 00007FF7F8911334
malloc.MSVCRT ref: 00007FF7F8911340
memcpy.MSVCRT ref: 00007FF7F8911358

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 56020effcdf1f183f441924a68ad24072c27b0678ef036c8d0d284124bb19e98
Instruction ID: 8176e96958ea13edd44ec9e32a4a843880e7fba00ee6f5af97e74e15097b9fb3
Opcode Fuzzy Hash: 56020effcdf1f183f441924a68ad24072c27b0678ef036c8d0d284124bb19e98
Instruction Fuzzy Hash: 1F314D26A0DA069AE712FF15E4803B9E390AF41B96FC45135DE2D0B7D1DE3CA441E7A8

Function 00007FF7F892B688 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsFree.KERNEL32 ref: 00007FF7F892B694

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 93c2952a0c8981b52afb0a14e18351ed005bad92f15dad71d93b2897e3149a8a
Instruction ID: e0d7851fd7d0763df74ef12348043bb4c1156371d6daf0fb72554b99e926c52a
Opcode Fuzzy Hash: 93c2952a0c8981b52afb0a14e18351ed005bad92f15dad71d93b2897e3149a8a
Instruction Fuzzy Hash: 67115B97D0DAC34BF7622BBC4C65139FFA0EB51B207CD9075C354422C2E95D680396AD

Function 00007FF7F8A1AB80 Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7F8A1AB97

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 988b4ae5ae706df390a6233965e24e8829ae3f9e1bccf5fff257dc606ecde792
Instruction ID: 20c7bf17ec7fe6631bdc3705d0c59692c91c8454bc1b0dd49aa94fc84bc12f83
Opcode Fuzzy Hash: 988b4ae5ae706df390a6233965e24e8829ae3f9e1bccf5fff257dc606ecde792
Instruction Fuzzy Hash: 1DD09E00B0F74A09FE5977A155527B4C1818F48361F480435DD6E453C2ED1CB84069B5

Non-executed Functions

Function 00007FF7F8925B20 Relevance: 15.7, APIs: 4, Strings: 6, Instructions: 698stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF7F8925B61
strlen.MSVCRT ref: 00007FF7F8925C6E

Strings

_, xrefs: 00007FF7F8925F32
Z, xrefs: 00007FF7F8925BC7
_, xrefs: 00007FF7F8925D21
_GLOBAL_, xrefs: 00007FF7F8925B57
_, xrefs: 00007FF7F8925BBD
Z, xrefs: 00007FF7F8925D2E

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlenstrncmp
String ID: Z$Z$_$_$_$_GLOBAL_
API String ID: 1310274236-662103887
Opcode ID: 67900ba0dafbe8d0e4433077726af768059a8f719d3a5e9100497bef6a6a133d
Instruction ID: 05e3552c2f72c717c88f453085a27dfdd86061ce0aa057958640fb659dd656c1
Opcode Fuzzy Hash: 67900ba0dafbe8d0e4433077726af768059a8f719d3a5e9100497bef6a6a133d
Instruction Fuzzy Hash: 0662D372A086828AF765EF25C8543FDB7A1FB0178AF914035DA3E0BBC5CB399540E794

Function 00007FF7F892D367 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7F892E0B6

Strings

, xrefs: 00007FF7F892DEC0
P, xrefs: 00007FF7F892E454
P, xrefs: 00007FF7F892E9B3

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memset
String ID: $P$P
API String ID: 2221118986-3733749394
Opcode ID: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
Instruction ID: 1897b648ad8e4b90b7c95d77dff712cde9fdbaed3d0ab68b57e032197f0eaa6e
Opcode Fuzzy Hash: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
Instruction Fuzzy Hash: B912E332A0C2868AE760EF24E4407BEF394FB84345F914135DA59477CADF7CE444ABA5

Function 00007FF7F8914350 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F891440C
strcmp.MSVCRT ref: 00007FF7F891445C

Strings

?, xrefs: 00007FF7F89143C6
?, xrefs: 00007FF7F8914382
m~RF, xrefs: 00007FF7F891442B
L]O[, xrefs: 00007FF7F891437A
?, xrefs: 00007FF7F8914415

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: ?$?$?$L]O[$m~RF
API String ID: 1004003707-3421602070
Opcode ID: 1d2fd37fcf9e9270826f93c39df50b07c1c31ca18e56336efe699e63f3ad2eb9
Instruction ID: 3f8c47d2c97fa7c38e31633d3a2aea466cf79f74929fe7fa370ffdfa616a0bc7
Opcode Fuzzy Hash: 1d2fd37fcf9e9270826f93c39df50b07c1c31ca18e56336efe699e63f3ad2eb9
Instruction Fuzzy Hash: B631F77290C7858AEB11DF28E4402AAFBA4E799784FC44136EB9D07B85DB7CC541CF94

Function 00007FF7F892DA84 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 359COMMON

Download Yara Rule

Strings

!, xrefs: 00007FF7F892EC5B
, xrefs: 00007FF7F892E59E
P, xrefs: 00007FF7F892E9B3

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: $!$P
API String ID: 0-2344582389
Opcode ID: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
Instruction ID: c5179618e135e483231e3357bf462fa4a19026bb5eb10805db97cbaf2a42fe47
Opcode Fuzzy Hash: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
Instruction Fuzzy Hash: DBF1D03290C78986E774EF10D0843BEF7A1EB84345F818139D66953AC9DF7CE444ABA4

Function 00007FF7F892C4A0 Relevance: 4.8, APIs: 3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e773bbcf05a206fa72d67c052939a87a5037e1002fc13afee4ac7b2a9d1dd5
Instruction ID: 686076f1026dcf1f6e531a4cea8db3924b2927bfca5fb60a028bcda7500a793a
Opcode Fuzzy Hash: b2e773bbcf05a206fa72d67c052939a87a5037e1002fc13afee4ac7b2a9d1dd5
Instruction Fuzzy Hash: 90C1FF72A181428AE764EF15D40067EF791FB94B89F859030EE2A477D5DE3CE800AFD4

Function 00007FF7F8935140 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7F89352B4

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7722b09541f8c3a1042df91a4b64b4147f17cf3696f4ae9f4b099ea08ef108bb
Instruction ID: 74073a9f7c44d94c8593611c629f418a4e4d8d923216dcca03048df8efc53691
Opcode Fuzzy Hash: 7722b09541f8c3a1042df91a4b64b4147f17cf3696f4ae9f4b099ea08ef108bb
Instruction Fuzzy Hash: EFD11562B0C59146EB65DB15C90437DEA9ABB89786FC8C131DA2E073C4DE3CEA01F794

Function 00007FF7F89364F0 Relevance: 2.6, APIs: 2, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8935680: Sleep.KERNEL32(00000000,00000003,00007FF7F8BAF1A0,00007FF7F89357BF), ref: 00007FF7F89356B5

malloc.MSVCRT ref: 00007FF7F893661E
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8936650

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID:
API String ID: 1993596536-0
Opcode ID: 40c92fb735db31c4a03f034ad08b64e87eddef291a1e133e22cfab3f13ba580c
Instruction ID: ab2f9332f057ed4e748426f109b44946d98036f7f7a7db283aa3a984406e6684
Opcode Fuzzy Hash: 40c92fb735db31c4a03f034ad08b64e87eddef291a1e133e22cfab3f13ba580c
Instruction Fuzzy Hash: AF514AB1A1860146F71E9F15F404B7AEAA5EBA0785FC08139DA2A07BD4CE3CD641FBD4

Function 00007FF7F892B4F9 Relevance: 1.5, APIs: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F892B50D

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 46c7dbe23d092bf8a6cde5c49624f993adbbbb886253ff5ee6eafb8ff8e2e83b
Instruction ID: dd8da88bbc850a6c263d2b66025dc6f30c93f2a7d63a1bc24738253622f2f6ce
Opcode Fuzzy Hash: 46c7dbe23d092bf8a6cde5c49624f993adbbbb886253ff5ee6eafb8ff8e2e83b
Instruction Fuzzy Hash: C4F02E93B2560983CF18DF78E865174E362DB58BD9B4D9831CE1F8A764EE1CD1518700

Function 00007FF7F8A1C460 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 00007FF7F8A1C472

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/):
API String ID: 0-1835032153
Opcode ID: 22c68a30ff3daa7df784249dc6277a948d227140d038bcbc91f8ea689e4fba7a
Instruction ID: 4f714ca220dcab1a33735e98fc2e9622ac0ef174645bf17edf6dbc74aa5dd53a
Opcode Fuzzy Hash: 22c68a30ff3daa7df784249dc6277a948d227140d038bcbc91f8ea689e4fba7a
Instruction Fuzzy Hash: 71310411B09A4A99EB20FB22D8406A9E321FF55BE0FC01132D96D03BD5DE2CE106D7A8

Function 00007FF7F8916A40 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
Instruction ID: 25796f37ef882c12819f7aee2209ffee0a96aeb083efca9f12e4069a3eea0b8e
Opcode Fuzzy Hash: 26e0fa4ba8de209f33d981733c211bfc04209555fe558efc360ad56f06d6f81b
Instruction Fuzzy Hash: 2712C2A2E0DF8248FB52EB00A84177AE6D59B517A2FD58431CA7C067C6DE3CE541E3E4

Function 00007FF7F8917290 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d695400308593cf20877fba39419934d70e09c66bbd3b3c0be29ad461eb275a
Instruction ID: 0707360cffb2719816f8a01e0369b496822fe7a9fd99dbda0ed56463096580c6
Opcode Fuzzy Hash: 7d695400308593cf20877fba39419934d70e09c66bbd3b3c0be29ad461eb275a
Instruction Fuzzy Hash: 3B12C1B2A0DF4359EB55EF159440379E6A2EB44BA6F948034CA2D037CADE3CE891D3D4

Function 00007FF7F8A1C950 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CaptureContextUnwindabortstrlen
String ID:
API String ID: 1885994862-0
Opcode ID: 64e9393206085fcb00df7a018d95655fe9d0974c3a9ce78d6eb726f0e18b7d0f
Instruction ID: 2efe8880e53de097b3515c24b379572565615f358a2819be933a9797dd83c1b6
Opcode Fuzzy Hash: 64e9393206085fcb00df7a018d95655fe9d0974c3a9ce78d6eb726f0e18b7d0f
Instruction Fuzzy Hash: 4C413E60D0EA9744FB61B721A805BB5EA90EF167A4FC40135D8BD063D2DF6CA045ABFC

Function 00007FF7F892C1E0 Relevance: 33.1, APIs: 11, Strings: 11, Instructions: 88
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF7F892C1EF
strcmp.MSVCRT ref: 00007FF7F892C206
strcmp.MSVCRT ref: 00007FF7F892C21D
strcmp.MSVCRT ref: 00007FF7F892C234
strcmp.MSVCRT ref: 00007FF7F892C24B
strcmp.MSVCRT ref: 00007FF7F892C262
strcmp.MSVCRT ref: 00007FF7F892C279
strcmp.MSVCRT ref: 00007FF7F892C290
strcmp.MSVCRT ref: 00007FF7F892C2A7
strcmp.MSVCRT ref: 00007FF7F892C2BA
strcmp.MSVCRT ref: 00007FF7F892C2CD

Strings

lower, xrefs: 00007FF7F892C258
upper, xrefs: 00007FF7F892C2B0
space, xrefs: 00007FF7F892C29D
alpha, xrefs: 00007FF7F892C1FC
graph, xrefs: 00007FF7F892C241
print, xrefs: 00007FF7F892C26F
punct, xrefs: 00007FF7F892C286
alnum, xrefs: 00007FF7F892C1E5
digit, xrefs: 00007FF7F892C22A
cntrl, xrefs: 00007FF7F892C213
xdigit, xrefs: 00007FF7F892C2C3

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: alnum$alpha$cntrl$digit$graph$lower$print$punct$space$upper$xdigit
API String ID: 1004003707-2937198513
Opcode ID: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
Instruction ID: d630e8b8a5ed068fe2466b919d463fa43f5b4a7ddd4eb17893e371e64c285323
Opcode Fuzzy Hash: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
Instruction Fuzzy Hash: 4E310554B0C60755FB10FBA5E901375D289AF44386FC96032D92E862C5EEACF845F2BD

Function 00007FF7F892B8D0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32 ref: 00007FF7F892B9A5
abort.MSVCRT ref: 00007FF7F892B9AB
RtlUnwindEx.KERNEL32 ref: 00007FF7F892BAC1

Strings

CCG , xrefs: 00007FF7F892BB26
CCG , xrefs: 00007FF7F892B93E
CCG!, xrefs: 00007FF7F892B8F9
CCG!, xrefs: 00007FF7F892B998
CCG", xrefs: 00007FF7F892B932

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3297834124
Opcode ID: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
Instruction ID: 540d6cdebc4d2227a5f3ee2b297ffca49dd232c8c55bc6e2d51e3c447f94270b
Opcode Fuzzy Hash: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
Instruction Fuzzy Hash: 3D51C436A14B81C2E760DB15E4807A9B3B0F799B88F905236EE8D13798DF39D582D744

Function 00007FF7F892FFD0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 446COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7F89302B5

Strings

UUUU, xrefs: 00007FF7F89300FE

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fputc
String ID: UUUU
API String ID: 1992160199-1798160573
Opcode ID: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
Instruction ID: f4793f2c495f257da5b7864c2a464372090e1b6c3295c3811906efdd9695a86b
Opcode Fuzzy Hash: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
Instruction Fuzzy Hash: 78128672A0910287EF65DF25C140379F7E5EB44B5AF948235CA1D072C8DA3CE840FBA8

Function 00007FF7F892ADC0 Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7F892AE21
TlsGetValue.KERNEL32(?,?,?,00007FF7F892A375), ref: 00007FF7F892AE4A
GetLastError.KERNEL32(?,?,?,00007FF7F892A375), ref: 00007FF7F892AE4F
LeaveCriticalSection.KERNEL32 ref: 00007FF7F892AE77
free.MSVCRT ref: 00007FF7F892AEB7
DeleteCriticalSection.KERNEL32 ref: 00007FF7F892AEDD
InitializeCriticalSection.KERNEL32 ref: 00007FF7F892AF77

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorInitializeLastLeaveValuefree
String ID:
API String ID: 100439675-0
Opcode ID: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
Instruction ID: fb131571f47c51609b0076c1f2c0188fd9107da82e3c9eaf3d251bffde5da1f5
Opcode Fuzzy Hash: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
Instruction Fuzzy Hash: 84414222A0960286FB55FB15E8412B9E3A0AF55B93FC94534CD2D477D4DE3CE842A3AC

Function 00007FF7F8930800 Relevance: 12.4, APIs: 8, Instructions: 355COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7F8930AB5

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: f294bb9004327c1bec0d0349a18b948e00fe3e45a64ad46b07d7e6d5aa7348cc
Instruction ID: a2a1345993d659fbb331c870d8ec0ac575b024c775c63227f14225fedd439c59
Opcode Fuzzy Hash: f294bb9004327c1bec0d0349a18b948e00fe3e45a64ad46b07d7e6d5aa7348cc
Instruction Fuzzy Hash: 62E18372A142028AEB64DF25D050739F7F5EB84B5AF648235CB19477C8DA39EC40FBA4

Function 00007FF7F8912F30 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7F8912F81
GetProcAddress.KERNEL32 ref: 00007FF7F8912FD0
wcslen.MSVCRT ref: 00007FF7F8913016

Strings

TEMP, xrefs: 00007FF7F8912FD6
basic_string: construction from null is not valid, xrefs: 00007FF7F8913050
G, xrefs: 00007FF7F8912F8F
1-+!, xrefs: 00007FF7F8912FA8

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: AddressLibraryLoadProcwcslen
String ID: 1-+!$G$TEMP$basic_string: construction from null is not valid
API String ID: 1064947497-2238167505
Opcode ID: b0833021c85c12311d7ea6ad174c81375b93a74c7c7ca75d79944687dd432d59
Instruction ID: 8ebefb4a85f5714bfa4505cec3441d1a7c82a33e0d23a369fafe679fe31cc12d
Opcode Fuzzy Hash: b0833021c85c12311d7ea6ad174c81375b93a74c7c7ca75d79944687dd432d59
Instruction Fuzzy Hash: 2D31A121A1DB8682EB11AB54E4006A9F770EB85B94FC04032DA5E17B98DE3CE506D794

Function 00007FF7F892BBF0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7F892BC22
RaiseException.KERNEL32 ref: 00007FF7F892BC44
abort.MSVCRT(?,?,?,?,?,?,?,?,00007FF7F8A1B3CB,?,?,?,00007FF7F8A1ADC8), ref: 00007FF7F892BC70
RaiseException.KERNEL32 ref: 00007FF7F892BCB7

Strings

CCG , xrefs: 00007FF7F892BC1D
CCG", xrefs: 00007FF7F892BC3F
CCG", xrefs: 00007FF7F892BCB2

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ExceptionRaise$abort
String ID: CCG $CCG"$CCG"
API String ID: 3325032505-1179968548
Opcode ID: dc1771becb5f7d7a174ac4ee873c316158b39dbcf1eb3e3089c99a13fe7347f6
Instruction ID: bb56ef22e4fd6caf1f1d2a4b5eef14ff8c85c73fd41edb9a7ede3a28d7ca8557
Opcode Fuzzy Hash: dc1771becb5f7d7a174ac4ee873c316158b39dbcf1eb3e3089c99a13fe7347f6
Instruction Fuzzy Hash: 7A218333A25F8483E750DF58E4403A97760F7D9788F60A226EA8D477A4DF7DD1928740

Function 00007FF7F8935C10 Relevance: 11.5, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF7F8935C87
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8935CBD

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CriticalLeaveSectionfree
String ID:
API String ID: 1679108487-0
Opcode ID: 0ec2b4e6d6c535e2a887363803070b15498508364dcae1917e8e010573d5d365
Instruction ID: 82d722cf9b07768a2024a7dd950549965ba249197585ab6aa2a2f0d9a975c3c6
Opcode Fuzzy Hash: 0ec2b4e6d6c535e2a887363803070b15498508364dcae1917e8e010573d5d365
Instruction Fuzzy Hash: C5918F31A09A0295EB25FB15ED402B9E2A9EF08786FC44435D93D0B7D4DF3CA551B3E8

Function 00007FF7F8912600 Relevance: 10.6, APIs: 7, Instructions: 105stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7F89126EA
strcpy_s.MSVCRT ref: 00007FF7F891272E
strcpy_s.MSVCRT ref: 00007FF7F8912741
strcpy_s.MSVCRT ref: 00007FF7F891274F
_strlwr.MSVCRT ref: 00007FF7F8912755
_strlwr.MSVCRT ref: 00007FF7F891275E
strstr.MSVCRT ref: 00007FF7F891276A

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcpy_s$_strlwr$ByteCharMultiWidestrstr
String ID:
API String ID: 606828236-0
Opcode ID: 740dde69bc923aa62291048bd7d2af24dee97c0faba599a4844422326155c18e
Instruction ID: 802666c5d3b543065605e9a6a0f1080d61c5770bc6773cba74e61a401e49e6a5
Opcode Fuzzy Hash: 740dde69bc923aa62291048bd7d2af24dee97c0faba599a4844422326155c18e
Instruction Fuzzy Hash: 2A419D62608BC186EB21DF16E9407AAE765FB89BE4F804131EE9D03B98CF7CD142D744

Function 00007FF7F892A5D8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF7F892A64B
VirtualProtect.KERNEL32 ref: 00007FF7F892A6AE
GetLastError.KERNEL32 ref: 00007FF7F892A6B8

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF7F892A6BE
Address %p has no image-section, xrefs: 00007FF7F892A6F5
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF7F892A6E1

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: 7e5edb8918cca671259d210b3ecaa9bda19f23f623a60bfb8c9acd9308f120bb
Instruction ID: d221b25226055790b60ace2b210eceaa9ca8d0f0c836eb2c213bd2cbdc704eae
Opcode Fuzzy Hash: 7e5edb8918cca671259d210b3ecaa9bda19f23f623a60bfb8c9acd9308f120bb
Instruction Fuzzy Hash: E1419263A08A4686DB11EF14E8419A9F7A0FB44B95FC54131DE2D073D4EF3CE446D7A8

Function 00007FF7F892F340 Relevance: 9.4, APIs: 6, Instructions: 414COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7F892F4C2
fputc.MSVCRT ref: 00007FF7F892F53A
fputc.MSVCRT ref: 00007FF7F892F592

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 3c91229a8620996d77b275314aee762391fa8306f714f08d228cfd6e98818314
Instruction ID: 087396777fddf544d557c86b4105d6914bf3a38b15bccde1966b47f273d2587d
Opcode Fuzzy Hash: 3c91229a8620996d77b275314aee762391fa8306f714f08d228cfd6e98818314
Instruction Fuzzy Hash: 05F1FB72E1854246EB30EF25D104B39E691BB14B6AF968234CD3E577C4CA3CF941E798

Function 00007FF7F8936EA0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

___mb_cur_max_func.MSVCRT ref: 00007FF7F8936ECB
___lc_codepage_func.MSVCRT ref: 00007FF7F8936ED3
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF7F8936F23
MultiByteToWideChar.KERNEL32 ref: 00007FF7F8936F55

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 2785433807-0
Opcode ID: b8ade29cbcad1670599392aa2893148449ef957c3984b89b714999f8b731dc73
Instruction ID: 750697808981ad839852152427f6272cd56d1dd58698dfcb1b5f66211db65dad
Opcode Fuzzy Hash: b8ade29cbcad1670599392aa2893148449ef957c3984b89b714999f8b731dc73
Instruction Fuzzy Hash: 5931292360920249F762AB25E8003B9E5986B417B9F844236EEB9477C0DE3DD181F394

Function 00007FF7F8911E18 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

rand.MSVCRT ref: 00007FF7F8911E18
rand.MSVCRT ref: 00007FF7F8911E35
rand.MSVCRT ref: 00007FF7F8911E5A

Strings

and , xrefs: 00007FF7F8911E97
Performing arithmetic operations on: , xrefs: 00007FF7F8911E73
+-*/, xrefs: 00007FF7F8911E7C

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: rand
String ID: and $+-*/$Performing arithmetic operations on:
API String ID: 415692148-3864222635
Opcode ID: f0d3409b9f0d6e33847339fe865cbda917983b98c22d437aab5b055a0af117dc
Instruction ID: 415e6b116f241f5f88595c01908793563dc929e75aa7bfcb23537a692a14c8b7
Opcode Fuzzy Hash: f0d3409b9f0d6e33847339fe865cbda917983b98c22d437aab5b055a0af117dc
Instruction Fuzzy Hash: 45210512F0E91608EB14FB25984527DD7925F86B91FC89131DD2E073DADD3CE900A3E8

Function 00007FF7F8914480 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7F8914605

Strings

=, xrefs: 00007FF7F891459E
=, xrefs: 00007FF7F89144EC
HEN>, xrefs: 00007FF7F891456F
;, xrefs: 00007FF7F891451E

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: HandleModule
String ID: ;$=$=$HEN>
API String ID: 4139908857-2188461147
Opcode ID: de21482289b350c4a1ef8e9bc7a21981703884f7dfa1a2066d3a504667ed42bb
Instruction ID: 301b1f9359e91ce8b3320cf02f05b108577195b672c7e25093d0aa523f467341
Opcode Fuzzy Hash: de21482289b350c4a1ef8e9bc7a21981703884f7dfa1a2066d3a504667ed42bb
Instruction Fuzzy Hash: 4F41A032A0CB8486EB11DB18F0403A9F7A0F789798FC10526DB9D03B98DB7CD245CB85

Function 00007FF7F8A00A00 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 00007FF7F8A00B49, 00007FF7F8A00BE2, 00007FF7F8A00C72, 00007FF7F8A00D02, 00007FF7F8A00D92

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: 20fa1f9c38397dc2b23d1681f4029f1745706513a81d31012c60e506a3e6e86a
Instruction ID: 12c9ae66d67149bfdd8051b79b6cb57a056c196892071224c59e8f68f479f1aa
Opcode Fuzzy Hash: 20fa1f9c38397dc2b23d1681f4029f1745706513a81d31012c60e506a3e6e86a
Instruction Fuzzy Hash: 5CA1E662B1B68584EF20AF35D8404B9E250EB45BE4FD88631DA3D873D5EF2CE491D3A4

Function 00007FF7F892F9C0 Relevance: 7.8, APIs: 5, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ea054b2a2157d068e8ab586f5ae1021de10276e6996cd183b54ca99c2502e6
Instruction ID: cb9176e7b0d8cbbce7846a40d26a7c63dbdef526f5682213a1436689ec15cb4d
Opcode Fuzzy Hash: 64ea054b2a2157d068e8ab586f5ae1021de10276e6996cd183b54ca99c2502e6
Instruction Fuzzy Hash: EEC19E73E0965286E771EF24C414739E7A1EB44B59F9A8231CA2D573C4CB3CE841E7A8

Function 00007FF7F89FE690 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7F89FE730
memcpy.MSVCRT ref: 00007FF7F89FE764

Strings

basic_string::_M_create, xrefs: 00007FF7F89FE84A
Result of , xrefs: 00007FF7F89FE692

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpy
String ID: Result of $basic_string::_M_create
API String ID: 3510742995-1160149181
Opcode ID: b576b05e5929d0f36fddaa43a352fc9423e68f72584ed5aec93aa7cb1d61b280
Instruction ID: ac791e1cf078792d60bb52dce7c19ff17a95d80b79e8f71366188c0cc80b8f8b
Opcode Fuzzy Hash: b576b05e5929d0f36fddaa43a352fc9423e68f72584ed5aec93aa7cb1d61b280
Instruction Fuzzy Hash: C341F726B0A68658EB19FB15C10027EE652EB80BD9FD44932CD3D0B7C5DE3CE441E3A4

Function 00007FF7F892A7AB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 209memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00007FF7F892A8F3

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7F892AA8A
Unknown pseudo relocation protocol version %d., xrefs: 00007FF7F892AA96
Unknown pseudo relocation bit size %d., xrefs: 00007FF7F892AA74

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 8fbf73ca66cf12792ec4443d84e4f446cfa418b5437152a325ab49fbedd29060
Instruction ID: 2b8a117392022db7cd5f5c59187ae43c89a1543341d361d1c15ebd5ec3e1e1c5
Opcode Fuzzy Hash: 8fbf73ca66cf12792ec4443d84e4f446cfa418b5437152a325ab49fbedd29060
Instruction Fuzzy Hash: 4271E637F1951246EB20E7159542279E3E1BF507A5FD68231CA3D17BD4DE2CE803A2E8

Function 00007FF7F892AB00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF7F892AB15

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: d3dbc5fc667eaa8116ddc9648ae4a223ff8f86823c9b38466b26c19195cb2a75
Instruction ID: d1b809eaf88e669cd78256e06df646b3a8565bfade615204f53f7ef3c1bbcfdf
Opcode Fuzzy Hash: d3dbc5fc667eaa8116ddc9648ae4a223ff8f86823c9b38466b26c19195cb2a75
Instruction Fuzzy Hash: F3215E62E091024AFB68F3658552378E1C29FC9752F9A4936C93E863D1DD1CA8C1B2BD

Function 00007FF7F892A070 Relevance: 6.3, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F892A0F5
memcpy.MSVCRT ref: 00007FF7F892A10E
free.MSVCRT ref: 00007FF7F892A119

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 616034b4082db6133acc050cdb7f1ef8251caf1ace96c15328d116e499333b8e
Instruction ID: 98b0cfb007da36e9366edec59cca7487855aa3ff58e14f6ad55d50b287a57745
Opcode Fuzzy Hash: 616034b4082db6133acc050cdb7f1ef8251caf1ace96c15328d116e499333b8e
Instruction Fuzzy Hash: 03318723B4964245FB66FB11AA01379D2D16F40BF1F998230DD7D06AC6DE2C9441A394

Function 00007FF7F891A8F8 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F891AA84

Strings

ty, xrefs: 00007FF7F891A9EE
y, xrefs: 00007FF7F892482C
t, xrefs: 00007FF7F892480A

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlen
String ID: t$ty$y
API String ID: 39653677-1920740250
Opcode ID: 87489741a1c735bb47c7c7fa151bb2518af881d747d5548b986082c319ae107a
Instruction ID: 706f5a5b20ead613ab90d2efe95ae198d905162d13e4c0f52f158d7fe8cb1ab0
Opcode Fuzzy Hash: 87489741a1c735bb47c7c7fa151bb2518af881d747d5548b986082c319ae107a
Instruction Fuzzy Hash: E4E14D72508BC2C6E7568F34C0143E87AA1EB29F4CF4C8135CB990B799DBBE94959371

Function 00007FF7F891CC9C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F891CD0C
strcmp.MSVCRT ref: 00007FF7F891CD49

Strings

(, xrefs: 00007FF7F8923FB5

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: (
API String ID: 1004003707-3887548279
Opcode ID: 44ff3ea0eba828e30fde48cf3e6407d113ef1c86855c37323daa94a633f6d87f
Instruction ID: 913cf6682a6164efc5c8d10d6afd3de962fe0d980127d17dbc539e7d4653c7ef
Opcode Fuzzy Hash: 44ff3ea0eba828e30fde48cf3e6407d113ef1c86855c37323daa94a633f6d87f
Instruction Fuzzy Hash: EEA19F72608B8685E755EF25C4043E9A761EB55F89F884032CE6E0B7D6CF7CD884A3A4

Function 00007FF7F891BC30 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 205stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F8920293

Strings

a, xrefs: 00007FF7F8924E9D
a, xrefs: 00007FF7F8924EA2
rm, xrefs: 00007FF7F8924EB6

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlen
String ID: a$a$rm
API String ID: 39653677-3573517395
Opcode ID: c7bf3fc4039771aa151d5a77072f9711761caae911655a942766ef051505f1bc
Instruction ID: 20d7fb173abb93bb8bfee91f78e59622210591e3ffc0689f699272df8fe97d56
Opcode Fuzzy Hash: c7bf3fc4039771aa151d5a77072f9711761caae911655a942766ef051505f1bc
Instruction Fuzzy Hash: 66B182729087C2C5E7569F28C0083E8BA91EB25F4CF5C8135CB980F799DBBE9446A375

Function 00007FF7F8A05D20 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7F8A05DE6
memcpy.MSVCRT ref: 00007FF7F8A05E1E
memcpy.MSVCRT ref: 00007FF7F8A05E70

Strings

basic_string::_M_create, xrefs: 00007FF7F8A05EC7

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create
API String ID: 3510742995-3122258987
Opcode ID: a8466455f48f34cbcacbad28185616ab40d0001ae848e4642dd8ce78300a4c7c
Instruction ID: 6623dbd95aff52036982ce1ed6c39c966369831b808eeae116866afba11c2ce1
Opcode Fuzzy Hash: a8466455f48f34cbcacbad28185616ab40d0001ae848e4642dd8ce78300a4c7c
Instruction Fuzzy Hash: 9F61D162A1AA4591EB15EB25C8056B9E391EF01BD4FC48732DA3D237D4EF3CE442D394

Function 00007FF7F892FE10 Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF7F892FF44

Part of subcall function 00007FF7F8936D60: ___lc_codepage_func.MSVCRT ref: 00007FF7F8936D7F

fputc.MSVCRT ref: 00007FF7F892FEB8

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ___lc_codepage_funcfputclocaleconv
String ID:
API String ID: 1339002523-0
Opcode ID: ce1dac330c6f27128e61fe827faa414519fca3154a38c89fa2bd38bea5801416
Instruction ID: 2ba3fce3cb5276d3f6b4b8b3b5d6116cbae242c65a3949932d232f0f704e3df6
Opcode Fuzzy Hash: ce1dac330c6f27128e61fe827faa414519fca3154a38c89fa2bd38bea5801416
Instruction Fuzzy Hash: A1518F73A0551189E731EF24D1413A9F7E1EB04F5AF964231EB2C477C9CA38E841E7A8

Function 00007FF7F89F9BF0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7F89F9C7C
memcpy.MSVCRT ref: 00007FF7F89F9C99

Strings

basic_string::_M_replace, xrefs: 00007FF7F89F9D2D
basic_ios::clear, xrefs: 00007FF7F89F9BF4

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpy
String ID: basic_ios::clear$basic_string::_M_replace
API String ID: 3510742995-1781676995
Opcode ID: 9e4550a019cffcd376447f221df9850e9f31bf033150585d54ede76ce84063a6
Instruction ID: 4a78b22e6cf2517163ddace2dceee145f0d13750bd60b794e7974e4fdcea7ad2
Opcode Fuzzy Hash: 9e4550a019cffcd376447f221df9850e9f31bf033150585d54ede76ce84063a6
Instruction Fuzzy Hash: 7631FB21B0968541EB29EB25D9087B9E790AB51FE5FD40231FD3D07BD9CD2CE141E398

Function 00007FF7F891C01B Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F891C086

Strings

new , xrefs: 00007FF7F89241C2
: , xrefs: 00007FF7F891C0C9
, xrefs: 00007FF7F892422B

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: 3fc4c2fb453cfd023dde4cb91d12fe7f9a63e258c5c55c3d849b597dfd20e7c1
Instruction ID: 799eed4d2b69920052d52dafc62ff594feda3c6434eff3240e701b2fec77225d
Opcode Fuzzy Hash: 3fc4c2fb453cfd023dde4cb91d12fe7f9a63e258c5c55c3d849b597dfd20e7c1
Instruction Fuzzy Hash: C6418D72B4874685EB55EF12A8003F9E750AB91B95FC44035CF2A0B7C6DE7CD885A3A4

Function 00007FF7F89CB7B0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F89CB7D8
memcpy.MSVCRT ref: 00007FF7F89CB807

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF7F89CB875
basic_string::_M_replace, xrefs: 00007FF7F89CB7B2, 00007FF7F89CB890

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_string::_M_replace$basic_string::_S_construct null not valid
API String ID: 3412268980-2381965344
Opcode ID: 79e987ffc4bcb91b5321d71e7488087a07853e24a2e21d4a92b84586f2bdd09f
Instruction ID: d02f394c1e59bdfeadb6d10c94ffddc1a1719d34c331bafbbbe120ed6c68bfe7
Opcode Fuzzy Hash: 79e987ffc4bcb91b5321d71e7488087a07853e24a2e21d4a92b84586f2bdd09f
Instruction Fuzzy Hash: 8521D261A0AA4684EB01EB1AE8801ACE7A4FF05BC5FC44435D96D073D1DE3CD452E3E4

Function 00007FF7F8912590 Relevance: 6.0, APIs: 4, Instructions: 34stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 00007FF7F89125BD
strcpy_s.MSVCRT ref: 00007FF7F89125CA
_strlwr.MSVCRT ref: 00007FF7F89125D6
_strlwr.MSVCRT ref: 00007FF7F89125DB

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: _strlwrstrcpy_s
String ID:
API String ID: 3746470816-0
Opcode ID: 39eff12b834902331b533afb545837a96e33ccd5846002bbcdcfc94689f971a5
Instruction ID: 33b1064d7e07ca5b26be113e005714b8fb4827fcfa79fe878232263a0b2cb2b9
Opcode Fuzzy Hash: 39eff12b834902331b533afb545837a96e33ccd5846002bbcdcfc94689f971a5
Instruction Fuzzy Hash: 55F08C6175469695FE15AB23BD003B997199F86FD1F8C40329E4D03794CD2CE287D318

Function 00007FF7F892A420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Unknown error, xrefs: 00007FF7F892A50C

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 194a6ffba7f098d6450882ceade0846a3a5d892eff98fad5ff52d12c8e674ac6
Instruction ID: 1b0d3c9ed8438f9cabf8a368f88430db76e06ef369d1c253e872936d7b9aaa6b
Opcode Fuzzy Hash: 194a6ffba7f098d6450882ceade0846a3a5d892eff98fad5ff52d12c8e674ac6
Instruction Fuzzy Hash: 4F01E122908E8886D312DF1CD8011FAF374FF9A79AFA55325EB8C262A0DF29D543D704

Function 00007FF7F892A4C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Argument domain error (DOMAIN), xrefs: 00007FF7F892A4C0

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 11d2b9735bd3709252506aa5ba5fa1e351431b4c673cdd365ea37068437d7b3c
Instruction ID: c4c35b01cb99ad71911799c7663614a48a4786fbc8e5b34674e77f7c24bc2828
Opcode Fuzzy Hash: 11d2b9735bd3709252506aa5ba5fa1e351431b4c673cdd365ea37068437d7b3c
Instruction Fuzzy Hash: 4BF04F12908E8486D302EF1CA8000ABF364FF9E78AF955326EB9D261A5DF28D543A754

Function 00007FF7F892A4D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF7F892A4D0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ae991bd237688d46af379bc9e2c88ae6c4cf7060aa663ad11618093b77570e75
Instruction ID: 5d9b03a397299cc51c3839f630b31e28801551b2fe13df0c8be79eb4401dcfda
Opcode Fuzzy Hash: ae991bd237688d46af379bc9e2c88ae6c4cf7060aa663ad11618093b77570e75
Instruction Fuzzy Hash: 0EF04F12908E8886D312DF1CA8000ABF364FF9D789F955326EB9D261A5DF28E543A754

Function 00007FF7F892A500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Total loss of significance (TLOSS), xrefs: 00007FF7F892A500

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 22cc9ee71a5ffac9a6ca83f9a2c6e26604571fd27d9318c0ebbd99beaa658a45
Instruction ID: 3b4f65eca98dcf06b901c9519ebba4fa6b304d74491e43d36ecb74cd9bc08617
Opcode Fuzzy Hash: 22cc9ee71a5ffac9a6ca83f9a2c6e26604571fd27d9318c0ebbd99beaa658a45
Instruction Fuzzy Hash: 6CF0AF12808E8482D302DF1CA8000ABF364FF8D78AF955326EB9C261A0DF28D543A354

Function 00007FF7F892A4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Overflow range error (OVERFLOW), xrefs: 00007FF7F892A4E0

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 011e2c0bcc3796c487ded507d96121c6e9820a89f73ee2ebf114777c49236ea0
Instruction ID: a416310d6fe37ccd1aed3898c7c7419be063d765bfb736f99f962a5b571fa658
Opcode Fuzzy Hash: 011e2c0bcc3796c487ded507d96121c6e9820a89f73ee2ebf114777c49236ea0
Instruction Fuzzy Hash: 8DF04F12908E8482D302EF1CA8000ABF364FF9E789F955326EB9D261A5DF28D543A754

Function 00007FF7F892A4F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF7F892A4F0

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 62e2639ade3852005c6560a781b013c3a86ab195a2881249103c75c778e9902b
Instruction ID: 38300aff0f0001391649d058bd61e1db1a66a00003435e4926e25b247e91e5f5
Opcode Fuzzy Hash: 62e2639ade3852005c6560a781b013c3a86ab195a2881249103c75c778e9902b
Instruction Fuzzy Hash: F9F04F12908E8486D312DF1CA8000ABF364FF9D789FA55326EB9D261A5DF28D543A754

Function 00007FF7F892A458 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Argument singularity (SIGN), xrefs: 00007FF7F892A458

Memory Dump Source

Source File: 00000000.00000002.1264148326.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000000.00000002.1264119563.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265462644.00007FF7F8A1D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265601901.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265832094.00007FF7F8BB0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265856284.00007FF7F8BB1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1265880982.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: a7c664df915d4e69880d0547989fba806fe34be971c47809b57ea1152bda214e
Instruction ID: df924d3e8a61780f3f1634cb62cdd8e480527d4ab598960b4c65f43e39012e61
Opcode Fuzzy Hash: a7c664df915d4e69880d0547989fba806fe34be971c47809b57ea1152bda214e
Instruction Fuzzy Hash: 0DF06D12908E8886D302DF1CE8000ABF364FF8E78AF955326EF8C2A165DF28D543A754

Analysis Process: bot.exePID: 6768, Parent PID: 3792COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0.1%
Signature Coverage:	1.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	219

Executed Functions

Function 0000000140037AD2 Relevance: 24.3, APIs: 2, Strings: 10, Instructions: 3321COMMON

Download Yara Rule

Strings

files, xrefs: 0000000140039E05
users, xrefs: 0000000140038442
directory_iterator::directory_iterator, xrefs: 000000014003A0F4, 000000014003ABA3
status, xrefs: 0000000140038F47
filename, xrefs: 0000000140037D26, 00000001400380AE, 0000000140038942, 0000000140039B09, 000000014003A6C9
key, xrefs: 000000014003950D, 00000001400396ED
config, xrefs: 0000000140037EBD
cannot use push_back() with , xrefs: 000000014003B6B4
exists, xrefs: 000000014003A087, 000000014003A0A2, 000000014003AB87
content, xrefs: 0000000140037D7F, 0000000140038107, 0000000140038A24, 0000000140039C82, 000000014003A86F

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID: cannot use push_back() with $config$content$directory_iterator::directory_iterator$exists$filename$files$key$status$users
API String ID: 0-1424636042
Opcode ID: dc2138c00743425744b120cede5de00988e557f4458b21d1f45413fef7e810c7
Instruction ID: 18e9537abf8c399adecc8ee300f97c09961d25cacb313f0cface33e0c59278d9
Opcode Fuzzy Hash: dc2138c00743425744b120cede5de00988e557f4458b21d1f45413fef7e810c7
Instruction Fuzzy Hash: 5F737E72611BC489DB328F26D8803DE73A1F799798F405216EB9D4BBA9EF74C684C340

Function 000000014007FBE4 Relevance: 22.6, APIs: 3, Strings: 9, Instructions: 1583COMMON

Download Yara Rule

APIs

Part of subcall function 000000014007E0B0: EnumDisplayDevicesW.USER32 ref: 000000014007E1C7
Part of subcall function 000000014007E0B0: EnumDisplayDevicesW.USER32 ref: 000000014007E26B

Part of subcall function 000000014007DE00: RegGetValueA.ADVAPI32 ref: 000000014007E039

Part of subcall function 000000014007DCC0: GetUserNameW.ADVAPI32 ref: 000000014007DD05

Part of subcall function 000000014007DD60: GetComputerNameW.KERNEL32 ref: 000000014007DDA5

GlobalMemoryStatusEx.KERNEL32 ref: 000000014008032C
wcsftime.LIBCMT ref: 0000000140080B22
GetModuleFileNameA.KERNEL32 ref: 0000000140080CB6

Strings

cpu, xrefs: 00000001400801C8
user_name, xrefs: 000000014007FFDF
system, xrefs: 000000014007FF94, 0000000140080083, 0000000140080179, 0000000140080273, 00000001400803BB, 00000001400804B5, 00000001400805A8, 000000014008072F, 0000000140080920, 0000000140080BA1, 0000000140080D64, 0000000140080F7E, 000000014008111D, 00000001400812C7, 000000014008138D
ram, xrefs: 000000014008040B
%d-%m-%Y, %H:%M:%S, xrefs: 0000000140080B0F
timezone, xrefs: 0000000140080FC4
gpu, xrefs: 00000001400800D2
time, xrefs: 0000000140080BF1
computer_name, xrefs: 0000000140080504

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Name$DevicesDisplayEnum$ComputerFileGlobalMemoryModuleStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 2481273502-1182675529
Opcode ID: 9d375af3352c166cece0dd38c404bbfdf69b8dc900355972cfed305075cccbb4
Instruction ID: 5fa35f0932b4f7a06d77f64b28838163074d6387588a43a5e313af0f4ac1ac9d
Opcode Fuzzy Hash: 9d375af3352c166cece0dd38c404bbfdf69b8dc900355972cfed305075cccbb4
Instruction Fuzzy Hash: DAF26E73614BC485DB22CB65E8903DE77A1F799798F409616FB8D17BA9EB38C290C700

Function 000000014003B740 Relevance: 19.9, APIs: 8, Strings: 3, Instructions: 653
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000000014003B82C
GetProcAddress.KERNEL32 ref: 000000014003B937
GetProcAddress.KERNEL32 ref: 000000014003B9F9
GetProcAddress.KERNEL32 ref: 000000014003BA73
GetProcAddress.KERNEL32 ref: 000000014003BAF5
GetProcAddress.KERNEL32 ref: 000000014003BB6F
GetProcAddress.KERNEL32 ref: 000000014003BBF3
FreeLibrary.KERNEL32 ref: 000000014003C721

Strings

system, xrefs: 000000014003C52D
cannot use push_back() with , xrefs: 000000014003C76F
vault, xrefs: 000000014003C583

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2449869053-1741236777
Opcode ID: c17289ebbdb77ccaa0c0a3119b37ef02d03229ed1cf887cad3a8d2ace1939303
Instruction ID: 83fd89eefa33efb33c82b2055fe19ba1a31d5f048fce8dc0dcd73234cb012c13
Opcode Fuzzy Hash: c17289ebbdb77ccaa0c0a3119b37ef02d03229ed1cf887cad3a8d2ace1939303
Instruction Fuzzy Hash: 72721736215BC48AD7628F26E8803DE77B4F789788F504216EB8C5BB69EF75C694C700

Function 0000000140032334 Relevance: 19.0, APIs: 4, Strings: 6, Instructions: 1517registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00000001400323B7

Strings

directory_iterator::directory_iterator, xrefs: 0000000140032C9D, 00000001400345BC
filename, xrefs: 00000001400327C0, 000000014003361A
status, xrefs: 0000000140032CB9, 000000014003457E, 000000014003458E
exists, xrefs: 000000014003455E, 00000001400345F5
content, xrefs: 0000000140032954, 0000000140033723
h, xrefs: 00000001400330A3

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Close
String ID: content$directory_iterator::directory_iterator$exists$filename$status$h
API String ID: 3535843008-678820482
Opcode ID: cc0dd20fa7b6627eb239f033f68a82b47d6822d85e55bc6bf3641088630b89da
Instruction ID: 77a7a5cfae23bf6c3af20a62c5909d9feaa762cba23750775791ffaa08a2e511
Opcode Fuzzy Hash: cc0dd20fa7b6627eb239f033f68a82b47d6822d85e55bc6bf3641088630b89da
Instruction Fuzzy Hash: 87F26D72611BC48AEB229F76D8803DE3361F799798F505216FB9D1BAA9DF74C684C300

Function 000000014007EAB0 Relevance: 18.5, APIs: 8, Strings: 2, Instructions: 1003
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007EB3B
RegQueryValueExA.ADVAPI32 ref: 000000014007EB7A
RegCloseKey.ADVAPI32 ref: 000000014007EC15
RegOpenKeyExA.ADVAPI32 ref: 000000014007ECD9
RegEnumKeyExA.ADVAPI32 ref: 000000014007ED1E
RegCloseKey.ADVAPI32 ref: 000000014007EF14
GetLogicalDriveStringsW.KERNEL32 ref: 000000014007EFD1

Strings

[UTC, xrefs: 000000014007F513
?, xrefs: 000000014007EAF0

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseOpen$DriveEnumLogicalQueryStringsValue
String ID: ?$[UTC
API String ID: 3686543267-936800669
Opcode ID: 098affa45c8a04880d033aab24644659da2216aae8af766174cad4408c213bfd
Instruction ID: 6ae9542b8b5485f3e29d61cbae42e1af68e643ed015ddeb41ac003b7496031bc
Opcode Fuzzy Hash: 098affa45c8a04880d033aab24644659da2216aae8af766174cad4408c213bfd
Instruction Fuzzy Hash: CDA29E72A14B8485EB218B6AE8403DE77A1F79D7E8F105315FBAC17BA9DB78C190C740

Function 000000014005A337 Relevance: 18.2, APIs: 1, Strings: 8, Instructions: 2418COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003FCD0: Concurrency::cancel_current_task.LIBCPMT ref: 000000014003FDD8

Concurrency::cancel_current_task.LIBCPMT ref: 000000014005D530

Strings

directory_iterator::directory_iterator, xrefs: 000000014005D332
status, xrefs: 000000014005D342, 000000014005D387, 000000014005D460, 000000014005D517
filename, xrefs: 000000014005ACE6, 000000014005B714, 000000014005C19A, 000000014005CC74
recursive_directory_iterator::recursive_directory_iterator, xrefs: 000000014005D416, 000000014005D450, 000000014005D5B8
cannot use push_back() with , xrefs: 000000014005D3AC, 000000014005D485, 000000014005D548
exists, xrefs: 000000014005D31B, 000000014005D36B, 000000014005D433, 000000014005D4F5, 000000014005D5D5
content, xrefs: 000000014005ADEF, 000000014005B7E9, 000000014005C27E, 000000014005CD49
recursive_directory_iterator::operator++, xrefs: 000000014005D3FF, 000000014005D4CC, 000000014005D5A1

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: cannot use push_back() with $content$directory_iterator::directory_iterator$exists$filename$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 118556049-4250644884
Opcode ID: a0ab57ce91fc34b01f04605b245bb6d5d3d8e74c40c52116daffb1c39d35bc40
Instruction ID: d16ee5ffaeb2dbe894ce73aae2b3034a494ea4411d70db2ab878c56782b9ea76
Opcode Fuzzy Hash: a0ab57ce91fc34b01f04605b245bb6d5d3d8e74c40c52116daffb1c39d35bc40
Instruction Fuzzy Hash: 92434B72219BC581DA72DB16E4803EEB3A5F7C9790F505216EBDD43AA9EF78C584CB00

Function 000000014007CDF0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 379
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000000014007D017

Part of subcall function 00000001400A9B70: AcquireSRWLockExclusive.KERNEL32 ref: 00000001400A9B80

InternetOpenUrlA.WININET ref: 000000014007D088
HttpQueryInfoW.WININET ref: 000000014007D0E0
HttpQueryInfoW.WININET ref: 000000014007D170
InternetQueryDataAvailable.WININET ref: 000000014007D1B4
InternetReadFile.WININET ref: 000000014007D279
InternetQueryDataAvailable.WININET ref: 000000014007D344
InternetCloseHandle.WININET ref: 000000014007D3EE
Concurrency::cancel_current_task.LIBCPMT ref: 000000014007D42F

Strings

0Q>%&&, xrefs: 000000014007CECF

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen$AcquireCloseConcurrency::cancel_current_taskExclusiveFileHandleLockRead
String ID: 0Q>%&&
API String ID: 3609429561-3488671784
Opcode ID: 57ca7581aa671b4f5e8d6bcb6210d21ab16385bc4098e479ac351e805d702d63
Instruction ID: 545cd8f60b377f538693443bd994a67682f78e99984eccf18132968f8f5fa667
Opcode Fuzzy Hash: 57ca7581aa671b4f5e8d6bcb6210d21ab16385bc4098e479ac351e805d702d63
Instruction Fuzzy Hash: 56024B32A14B9486EB11CB6AE84039E77B5F799B94F104216FF8C57BA9DF78C191CB00

Function 000000014003394B Relevance: 17.1, APIs: 3, Strings: 6, Instructions: 1392COMMON

Download Yara Rule

Strings

directory_iterator::directory_iterator, xrefs: 00000001400345BC
filename, xrefs: 000000014003361A, 0000000140033BA8, 00000001400340D9
status, xrefs: 000000014003457E, 000000014003458E
exists, xrefs: 00000001400345F5
content, xrefs: 0000000140033723, 0000000140033D76, 00000001400342A0
h, xrefs: 00000001400330A3

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID: content$directory_iterator::directory_iterator$exists$filename$status$h
API String ID: 0-678820482
Opcode ID: 4dbf787f04ffdc9a553db59e873c5c0f7948b00ad0ab945dab612b0a7c66004b
Instruction ID: 4124051653eff67417787a6a86236b4e01367722c0d587ccb465e62d052a51d1
Opcode Fuzzy Hash: 4dbf787f04ffdc9a553db59e873c5c0f7948b00ad0ab945dab612b0a7c66004b
Instruction Fuzzy Hash: 45E26D72614BC08AEB22CF66D8803DE7361F799798F505216FB9D1BAA9DF74C684C700

Function 000000014003BE96 Relevance: 16.6, APIs: 5, Strings: 4, Instructions: 823
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

system, xrefs: 000000014003C52D
cannot use push_back() with , xrefs: 000000014003C76F
vault, xrefs: 000000014003C583
[PID: , xrefs: 000000014003C8AE

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID: [PID: $cannot use push_back() with $system$vault
API String ID: 0-1782543976
Opcode ID: f6fa2c79db0bcb8a7aa3bc5663c7aeffeea752612ceec85adbd48b77817f9d39
Instruction ID: 8d21aa00e3122c2f7577f2a8e94939fef6a51ac2dc8c3e78b7ecc72b44e17cb0
Opcode Fuzzy Hash: f6fa2c79db0bcb8a7aa3bc5663c7aeffeea752612ceec85adbd48b77817f9d39
Instruction Fuzzy Hash: EF827D72214BC489EB228F66E8843DE77A1F7997D8F504216EB9D47BA9DF74C290C700

Function 000000014009DFA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 000000014009DFE5

Part of subcall function 000000014009D650: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D664

Part of subcall function 0000000140098C40: HeapFree.KERNEL32 ref: 0000000140098C56
Part of subcall function 0000000140098C40: GetLastError.KERNEL32 ref: 0000000140098C60

Part of subcall function 00000001400A69C0: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A690B

_get_daylight.LIBCMT ref: 000000014009DFD4

Part of subcall function 000000014009D6B0: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D6C4

_get_daylight.LIBCMT ref: 000000014009E24A
_get_daylight.LIBCMT ref: 000000014009E25B
_get_daylight.LIBCMT ref: 000000014009E26C
GetTimeZoneInformation.KERNEL32 ref: 000000014009E293

Strings

Eastern Standard Time, xrefs: 000000014009E339
Eastern Summer Time, xrefs: 000000014009E351

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 355007559-239921721
Opcode ID: aa014edeb69cc707dbe1fdedf59e9d84c93df63f4c645f415b7a1372462a1764
Instruction ID: 57a15796427d9fcb09a0dbe4420b896af4f059e924f9dcb49e1fee42cb9384cd
Opcode Fuzzy Hash: aa014edeb69cc707dbe1fdedf59e9d84c93df63f4c645f415b7a1372462a1764
Instruction Fuzzy Hash: 6AD1A13660069086EB26EF27D9913EA77A1F79CBD4F448126FF49477A5EB38C881C740

Function 000000014009ACF0 Relevance: 10.8, APIs: 7, Instructions: 286
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009B122

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2c34ed3d1f05fca27aeb33c1d0d269749b59793b54f55bbed04439bbd25c7d75
Instruction ID: a61a03662d1ceb98f773c1fd4dd386c3faedb153c1a554d0ed1fc3a7b0e16e44
Opcode Fuzzy Hash: 2c34ed3d1f05fca27aeb33c1d0d269749b59793b54f55bbed04439bbd25c7d75
Instruction Fuzzy Hash: 0AC1ED722046889AEB639B63D4503EE77A0F78ABD4F454115FB5A073F2DB78C894C740

Function 000000014009E21C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 000000014009E24A

Part of subcall function 000000014009D6B0: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D6C4

_get_daylight.LIBCMT ref: 000000014009E25B

Part of subcall function 000000014009D650: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D664

_get_daylight.LIBCMT ref: 000000014009E26C

Part of subcall function 000000014009D680: _invalid_parameter_noinfo.LIBCMT ref: 000000014009D694

Part of subcall function 0000000140098C40: HeapFree.KERNEL32 ref: 0000000140098C56
Part of subcall function 0000000140098C40: GetLastError.KERNEL32 ref: 0000000140098C60

GetTimeZoneInformation.KERNEL32 ref: 000000014009E293

Strings

Eastern Standard Time, xrefs: 000000014009E339
Eastern Summer Time, xrefs: 000000014009E351

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 52ebdda6a61ace6c58af2ee2a504a68ffcffbc9243b59fbb2e40316781066d43
Instruction ID: 54eaaf3237c51ac38e9593f75949bc1a28ba80c68989b2b5926f1269b82db785
Opcode Fuzzy Hash: 52ebdda6a61ace6c58af2ee2a504a68ffcffbc9243b59fbb2e40316781066d43
Instruction Fuzzy Hash: B5514D3261068086E762EF23E9917DA77A0F79CBC4F445126BB4D87BB6DB38C941C740

Function 0000000140094B74 Relevance: 9.2, APIs: 6, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140094B96
_get_daylight.LIBCMT ref: 0000000140094BF6
_get_daylight.LIBCMT ref: 0000000140094C07
_get_daylight.LIBCMT ref: 0000000140094C18
_isindst.LIBCMT ref: 0000000140094C69
_isindst.LIBCMT ref: 0000000140094CBC

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: d8834ba0fadb21926f441da85af72fbef74f0a0767195e07e6a9005270cfca22
Instruction ID: 2d313a3bef1ff223710c477627217efc1d0ec0aaf43e53581fef1b9ed64fdd2b
Opcode Fuzzy Hash: d8834ba0fadb21926f441da85af72fbef74f0a0767195e07e6a9005270cfca22
Instruction Fuzzy Hash: 1681B2B2B012458BEB598F36C9417E837A5F758BCCF04912AFB098B7A9FB38D5518740

Function 0000000140086680 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 0000000140086834
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140086842
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140086AC5
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140086AD3

Strings

value, xrefs: 000000014008675A, 00000001400869F3

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: c68d4a6b828674ebd30e640b10a4e041e06dd3b62625e36ac4d0aca646820baf
Instruction ID: b99257adfc3fe72b1b6041d942e319ffdfc58320064849e92109cd12b73f12f2
Opcode Fuzzy Hash: c68d4a6b828674ebd30e640b10a4e041e06dd3b62625e36ac4d0aca646820baf
Instruction Fuzzy Hash: 39027973624B8085EB128B76D4803ED6B61F7997E4F505712FBAE47AEADB38C185C700

Function 00000001400741C2 Relevance: 9.1, APIs: 6, Instructions: 122
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 0000000140074222
ExitProcess.KERNEL32 ref: 0000000140074232
CreateMutexA.KERNEL32 ref: 0000000140074251
ExitProcess.KERNEL32 ref: 0000000140074277
ReleaseMutex.KERNEL32 ref: 00000001400742FB
CloseHandle.KERNEL32 ref: 0000000140074304

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Mutex$ExitProcess$CloseCreateHandleOpenRelease
String ID:
API String ID: 3764530316-0
Opcode ID: ed203bbe7a3b5f6ba2814e7f41985e9ae73f5d3da5b4dcf2851137f9266e8f8f
Instruction ID: 22f11d1c354d1f7b174d31a50776cdd913a8e9e41f50437a5bf1d421a946a578
Opcode Fuzzy Hash: ed203bbe7a3b5f6ba2814e7f41985e9ae73f5d3da5b4dcf2851137f9266e8f8f
Instruction Fuzzy Hash: 6F41587261468082FB23BBB7A4163EE6351AB8D7D0F504616FB9D476F7DF3C80818621

Function 000000014003C7E0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 297
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003C82A
Process32FirstW.KERNEL32 ref: 000000014003C86C
CloseHandle.KERNEL32 ref: 000000014003CCDA

Strings

[PID: , xrefs: 000000014003C8AE

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID: [PID:
API String ID: 1083639309-2210602247
Opcode ID: 8e2cc78d821f52278c3d3f1ca5f64536b894f3c531228aa5bba621e5ccd6e007
Instruction ID: 5d3bc7e6dfecebdfb81ce67ed5f6956fd0d8b397b6bf51178baf79f45416ccdd
Opcode Fuzzy Hash: 8e2cc78d821f52278c3d3f1ca5f64536b894f3c531228aa5bba621e5ccd6e007
Instruction Fuzzy Hash: 55D19E72614BC485E722DB26E8803DE77A5F7897A8F405215FB9D07BA9DF38C295C700

Function 0000000140034F90 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 407fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 000000014003506F

Strings

filename, xrefs: 000000014003564A
exists, xrefs: 0000000140035C6A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileFindFirst
String ID: exists$filename
API String ID: 1974802433-1885285383
Opcode ID: b8a0beca4176b1ee219cd2fb5d5a895bd2e7e79a50a2ccbee70c93dad6e26dbf
Instruction ID: 44838852c42065e5f39bae23742f8b27a66f9a59eab9cab727125e9ab6ef78b1
Opcode Fuzzy Hash: b8a0beca4176b1ee219cd2fb5d5a895bd2e7e79a50a2ccbee70c93dad6e26dbf
Instruction Fuzzy Hash: 98126B72608BC091EB22DB26E4843DEB3A1F788784F405216EBCD57AB9DF78C585CB40

Function 000000014007C5E0 Relevance: 6.4, APIs: 4, Instructions: 417networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000014007C7BC
recv.WS2_32 ref: 000000014007CC9C
closesocket.WS2_32 ref: 000000014007CCAE
WSACleanup.WS2_32 ref: 000000014007CCB4

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: recv$Cleanupclosesocket
String ID:
API String ID: 146070474-0
Opcode ID: 1cb9a2f55eb7a1731417e4445776eee7ddd9fd51caeb430b5848111ad9bfac1a
Instruction ID: eafd79885a64c3900f7ebaffd470ce8fdc6633dcc422e553d72d048b7a611f0d
Opcode Fuzzy Hash: 1cb9a2f55eb7a1731417e4445776eee7ddd9fd51caeb430b5848111ad9bfac1a
Instruction Fuzzy Hash: 79125D73628BC481EA229B16E4557DE6761F79D7E0F504216EBAD07AEADF7CC480CB00

Function 000000014007E0B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

EnumDisplayDevicesW.USER32 ref: 000000014007E1C7
EnumDisplayDevicesW.USER32 ref: 000000014007E26B

Strings

Unknown, xrefs: 000000014007E8D6

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: DevicesDisplayEnum
String ID: Unknown
API String ID: 2211661463-1654365787
Opcode ID: fca632369ee69681a2b32a3e4548dee5403355752fe9dcd08d04aaff99b74c49
Instruction ID: bbb997068cb540256a656c2fc009d0acae0144981094f0501ccaeb435a96cdff
Opcode Fuzzy Hash: fca632369ee69681a2b32a3e4548dee5403355752fe9dcd08d04aaff99b74c49
Instruction Fuzzy Hash: A981BD32614B8086E721CB26E84479EB7A4F38D798F505216FF9C17BA9DF38C681CB00

Function 00000001400B6740 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

FindClose.KERNEL32 ref: 00000001400B6761
FindFirstFileExW.KERNEL32 ref: 00000001400B6783

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9a0e95ab69f8159a906354e2783f7c5830f257cc63b6185482a565a61eb130ed
Instruction ID: ce36eaeac4e670e3d58041e5e880f5e8d22444fe50a2deaf3fc620de6baa86f2
Opcode Fuzzy Hash: 9a0e95ab69f8159a906354e2783f7c5830f257cc63b6185482a565a61eb130ed
Instruction Fuzzy Hash: 88F03136608E4081E7618F62F54435E67A0EB49BF4F144720EBB907AF4CF3CC4958600

Function 000000014007F210 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 425timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 000000014007F540

Strings

[UTC, xrefs: 000000014007F513

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: InformationTimeZone
String ID: [UTC
API String ID: 565725191-1715286942
Opcode ID: 98e11476b0c777ae562bd46a586073a33b1208f1135127aa081ad98916ef7e09
Instruction ID: 01def31b258f83afca55b74f31771e95d4d90b360f52a8c7f21c37d1040f0d04
Opcode Fuzzy Hash: 98e11476b0c777ae562bd46a586073a33b1208f1135127aa081ad98916ef7e09
Instruction Fuzzy Hash: 3A124C73A14BC489E7218B29E8413EAB7A1F79D798F505305EBDC17B6ADB78C290C740

Function 00000001400743A0 Relevance: 3.4, APIs: 2, Instructions: 391COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140074403
ShellExecuteW.SHELL32 ref: 0000000140074A4A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ExecuteFileModuleNameShell
String ID:
API String ID: 1703432166-0
Opcode ID: 4bc819742f627918a76852a3de37d21f1e432943ccd738e95eaca3daa3bad49d
Instruction ID: 2bd182f3932b21625a389bd3f9c8cb9026c7739f8b6ceac0e40a61b3b544c7b5
Opcode Fuzzy Hash: 4bc819742f627918a76852a3de37d21f1e432943ccd738e95eaca3daa3bad49d
Instruction Fuzzy Hash: E1122872625F848AEB418F6AE88179EB3A4F788798F505215FFDD57B68EB38C150C700

Function 0000000140035CF7 Relevance: 3.2, APIs: 2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3f375bfc3c15aaca6738b9ead632c23e42df0f19b1571c788b47da0df93ac6
Instruction ID: 7e0b79708e65e831526dc6f468222ee565e1f18d83f40497b8b4492f92bd91ad
Opcode Fuzzy Hash: 2c3f375bfc3c15aaca6738b9ead632c23e42df0f19b1571c788b47da0df93ac6
Instruction Fuzzy Hash: 41917072B14B808AEB129F76E4403DD73A1E7997E8F044225FB9D17AE9DB78C190C740

Function 0000000140035061 Relevance: 3.2, APIs: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 000000014003506F
FindNextFileW.KERNEL32 ref: 0000000140035856

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 34178aa8e584c8dd1f1bcb30cc2b0df6c354a42777d37007b9698f39ac034d8d
Instruction ID: c14109958a45854f1f840c120e6bb5df09a5bf32fe794df2d22aa573b8094fa8
Opcode Fuzzy Hash: 34178aa8e584c8dd1f1bcb30cc2b0df6c354a42777d37007b9698f39ac034d8d
Instruction Fuzzy Hash: 43817172614BC481EA22AB16E4443EF7361F7997E4F405212EB9D17AFADF78C581C740

Function 000000014006FB80 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 000000014006FBD8
LocalFree.KERNEL32 ref: 000000014006FC6A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 7c7574550fc39d8b0a33bde6b28a20e688f0cf8f24e77118c322436bf9816072
Instruction ID: 4eca3d6246eddbc7233f6218ad4025bd3c7ad5f366a7b9f67c01a1a686e41648
Opcode Fuzzy Hash: 7c7574550fc39d8b0a33bde6b28a20e688f0cf8f24e77118c322436bf9816072
Instruction Fuzzy Hash: 08414233614B80CAE3218F75E8403ED37A5F76978CF444629AB8C07E9ADB79C6A4D744

Function 000000014007DCC0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 000000014007DD05

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 097d4afbc51c33a52bc174c303950bc4b260611d47ef42a1dd4c679be42102eb
Instruction ID: ee9c7773de5d7cac2e4d2126503ca0947b2a3b4420a82c5690d358c501992b18
Opcode Fuzzy Hash: 097d4afbc51c33a52bc174c303950bc4b260611d47ef42a1dd4c679be42102eb
Instruction Fuzzy Hash: 89E0E572128A8487D6518B56F84039AF2B4FB9C784F404126B68C83A68DB7CC5558B00

Function 0000000140076770 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400764F0: InitializeCriticalSectionEx.KERNEL32 ref: 0000000140076541
Part of subcall function 00000001400764F0: GetLastError.KERNEL32 ref: 000000014007654B

EnterCriticalSection.KERNEL32 ref: 00000001400767B1
GdiplusStartup.GDIPLUS ref: 00000001400767D8
LeaveCriticalSection.KERNEL32 ref: 00000001400767E6
LeaveCriticalSection.KERNEL32 ref: 0000000140076814
GdipGetImageEncodersSize.GDIPLUS ref: 0000000140076822
GdipGetImageEncoders.GDIPLUS ref: 00000001400768B6
GdipCreateBitmapFromScan0.GDIPLUS ref: 0000000140076980
GdipSaveImageToStream.GDIPLUS ref: 000000014007699E
GdipDisposeImage.GDIPLUS ref: 0000000140076A03
GdipDisposeImage.GDIPLUS ref: 0000000140076A17

Strings

&, xrefs: 000000014007697A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: 951e0ae561f49f8ac88204c669b87d90cef17986d283ce837e094d03a9b6b5bc
Instruction ID: 4638b9f1ed191ead81af55374984443a6253b3e001763369ab5e9b0db0011ef1
Opcode Fuzzy Hash: 951e0ae561f49f8ac88204c669b87d90cef17986d283ce837e094d03a9b6b5bc
Instruction Fuzzy Hash: 84914932200B809AEB62DF32E8407D837A4F75DBD8F558215EB5A57BA4DF38C596C740

Function 0000000140077820 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 224
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014007D440: GetUserGeoID.KERNEL32 ref: 000000014007D467
Part of subcall function 000000014007D440: GetGeoInfoA.KERNEL32 ref: 000000014007D481
Part of subcall function 000000014007D440: GetGeoInfoA.KERNEL32 ref: 000000014007D4D1

WSAStartup.WS2_32 ref: 0000000140077999
socket.WS2_32 ref: 00000001400779B6
htons.WS2_32 ref: 00000001400779D7
inet_pton.WS2_32 ref: 0000000140077A04
connect.WS2_32 ref: 0000000140077A1E
closesocket.WS2_32 ref: 0000000140077A34
WSACleanup.WS2_32 ref: 0000000140077A3A

Strings

geo, xrefs: 0000000140077946
system, xrefs: 0000000140077905

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 213021568-2364779556
Opcode ID: 8d373b034231c228b96861fcc9ebfa537825f0b970b577bdf6468f570e4dfbe5
Instruction ID: 8e9467e575cce1f4fcad52bc0cce26140f8a2cb03e3f0a27ea38b4210fb68b06
Opcode Fuzzy Hash: 8d373b034231c228b96861fcc9ebfa537825f0b970b577bdf6468f570e4dfbe5
Instruction Fuzzy Hash: 44B16A72B11B4099FB02DBA6E4903DD3372A748BE8F415216EB5D2B6B9EB38C556C340

Function 00000001400BC218 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400BBDF8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BBE39
Part of subcall function 00000001400BBDF8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BBEB9
Part of subcall function 00000001400BBDF8: _invalid_parameter_noinfo.LIBCMT ref: 00000001400BBF0D
Part of subcall function 00000001400BBDF8: _get_daylight.LIBCMT ref: 00000001400BBF65

CreateFileW.KERNEL32 ref: 00000001400BC31E
CreateFileW.KERNEL32 ref: 00000001400BC36E
GetLastError.KERNEL32 ref: 00000001400BC39E
GetFileType.KERNEL32 ref: 00000001400BC3B3
GetLastError.KERNEL32 ref: 00000001400BC3BD
CloseHandle.KERNEL32 ref: 00000001400BC3F0
CloseHandle.KERNEL32 ref: 00000001400BC554
CreateFileW.KERNEL32 ref: 00000001400BC589
GetLastError.KERNEL32 ref: 00000001400BC598

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 6834bf7e2c5a4e43a5153222154aa821744e12b776a4e5df19d1db0543b86cff
Instruction ID: 2400ce5abb7f630c19717e6ed24876b630cbd6c53283576e13b355a578458c61
Opcode Fuzzy Hash: 6834bf7e2c5a4e43a5153222154aa821744e12b776a4e5df19d1db0543b86cff
Instruction Fuzzy Hash: 29C17B36720E4486EB11CFAAD4917ED3771E78DBE8F014219EB2A9B7A4DB34C556C340

Function 000000014007D7F3 Relevance: 12.1, APIs: 8, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHCreateMemStream.SHLWAPI ref: 000000014007D822
EnterCriticalSection.KERNEL32 ref: 000000014007D94C
LeaveCriticalSection.KERNEL32 ref: 000000014007D95E
IStream_Size.SHLWAPI ref: 000000014007D995
IStream_Reset.SHLWAPI ref: 000000014007D9A6

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CriticalSectionStream_$CreateEnterLeaveResetSizeStream
String ID:
API String ID: 4049616757-0
Opcode ID: 5dc24120e785eb29f64b142cd8c2596717f1cc5752594a7638550c55bf50ca70
Instruction ID: 8f48f79f99b0ddf272cc4a0310095b26a985b38de2d5e8ea0f8d0273f223753d
Opcode Fuzzy Hash: 5dc24120e785eb29f64b142cd8c2596717f1cc5752594a7638550c55bf50ca70
Instruction Fuzzy Hash: 21411672618BC082E771DB22E8507EEB7A1F7D9BC0F409616DAC903A69DF38C185CB00

Function 00000001400765D0 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 0000000140076613
EnterCriticalSection.KERNEL32 ref: 0000000140076625
EnterCriticalSection.KERNEL32 ref: 0000000140076635
GdiplusShutdown.GDIPLUS ref: 0000000140076643
LeaveCriticalSection.KERNEL32 ref: 0000000140076650
LeaveCriticalSection.KERNEL32 ref: 000000014007665A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: c717c1590746bd134c452c2610cdd9752abb3b76a832bbf28ba4074ae47750e1
Instruction ID: 8a8879636937726213d256da63e2acee3874314be20df8b71bbfc014c3c2afad
Opcode Fuzzy Hash: c717c1590746bd134c452c2610cdd9752abb3b76a832bbf28ba4074ae47750e1
Instruction Fuzzy Hash: 4911F532112B5081EB559F26F89439D73A4FB48FA8F684215EB6E076B4DF38C9A7C350

Function 000000014007D6E0 Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014007D721
GetSystemMetrics.USER32 ref: 000000014007D72F
GetSystemMetrics.USER32 ref: 000000014007D73D
GetSystemMetrics.USER32 ref: 000000014007D74B
GetDC.USER32 ref: 000000014007D755
GetDeviceCaps.GDI32 ref: 000000014007D76B

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: MetricsSystem$CapsDevice
String ID:
API String ID: 4163108049-0
Opcode ID: e68d7784f5286227ca8d3d002e91ec8bd744f231bf3a64b9d78de067d8b2d0e9
Instruction ID: 862d34932e08b8cdd9bd14d1c48b344ad35bdc1bb36e19364d3b3caeb063e474
Opcode Fuzzy Hash: e68d7784f5286227ca8d3d002e91ec8bd744f231bf3a64b9d78de067d8b2d0e9
Instruction Fuzzy Hash: 4201EC71104B8096F7559B62FC1575E76A0FB8CB81F005128EF4E83764EF7CD4158B50

Function 00000001400740E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400776E0: GetModuleFileNameW.KERNEL32 ref: 000000014007772A

Part of subcall function 0000000140082380: CoInitializeEx.OLE32 ref: 00000001400823EA

ExitProcess.KERNEL32 ref: 0000000140074107
OpenMutexA.KERNEL32 ref: 0000000140074222

Strings

SeDebugPrivilege, xrefs: 000000014007410E
SeImpersonatePrivilege, xrefs: 000000014007411A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ExitFileInitializeModuleMutexNameOpenProcess
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 759366668-3768118664
Opcode ID: d5ff05bd807f303e46bbce3e1e98e071d77aa07019e8c5c2d0fd7816cf6ef984
Instruction ID: 0aa24146d124daaf3e6d47235ffe695d58ac11e237cac350d2ef1b7e6d15a562
Opcode Fuzzy Hash: d5ff05bd807f303e46bbce3e1e98e071d77aa07019e8c5c2d0fd7816cf6ef984
Instruction Fuzzy Hash: 2031E632118A8092EB61DB66E8513AAA3A1F7CD784F505115FBCD57A6AEF3CC645CB00

Function 000000014007D9DA Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

IStream_Read.SHLWAPI ref: 000000014007DA2B
SelectObject.GDI32 ref: 000000014007DA85
DeleteDC.GDI32 ref: 000000014007DA8E
ReleaseDC.USER32 ref: 000000014007DA9B
DeleteObject.GDI32 ref: 000000014007DAA4

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: DeleteObject$ReadReleaseSelectStream_
String ID:
API String ID: 488014220-0
Opcode ID: 57ae21b67ee105af44748b82d6fdee545466df1a1b4b26dc14463a58ecaaeed1
Instruction ID: a62969d775b6c4a6415178e0c1f1a75b196126bb9704c55781b261fc1e9b17e7
Opcode Fuzzy Hash: 57ae21b67ee105af44748b82d6fdee545466df1a1b4b26dc14463a58ecaaeed1
Instruction Fuzzy Hash: 9F313472314AC091EA66EB66F4553DEA320FB9DBC0F808412AB8D4376ADF7CC585C700

Function 000000014007D9CA Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IStream_Read.SHLWAPI ref: 000000014007DA2B
SelectObject.GDI32 ref: 000000014007DA85
DeleteDC.GDI32 ref: 000000014007DA8E
ReleaseDC.USER32 ref: 000000014007DA9B
DeleteObject.GDI32 ref: 000000014007DAA4

Part of subcall function 00000001400765D0: DeleteObject.GDI32 ref: 0000000140076613
Part of subcall function 00000001400765D0: EnterCriticalSection.KERNEL32 ref: 0000000140076625
Part of subcall function 00000001400765D0: EnterCriticalSection.KERNEL32 ref: 0000000140076635
Part of subcall function 00000001400765D0: GdiplusShutdown.GDIPLUS ref: 0000000140076643
Part of subcall function 00000001400765D0: LeaveCriticalSection.KERNEL32 ref: 0000000140076650
Part of subcall function 00000001400765D0: LeaveCriticalSection.KERNEL32 ref: 000000014007665A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CriticalSection$DeleteObject$EnterLeave$GdiplusReadReleaseSelectShutdownStream_
String ID:
API String ID: 1889838399-0
Opcode ID: 8777f0beb4d05f33ff6a15e9213634fb09ae41cd1ad8cc7d761a6b82a5e62fda
Instruction ID: 7ff2694a6e05a237bced5338d83f9a8bece83d988efe143993548f991b2c9041
Opcode Fuzzy Hash: 8777f0beb4d05f33ff6a15e9213634fb09ae41cd1ad8cc7d761a6b82a5e62fda
Instruction Fuzzy Hash: 0421F176314A8091EA66EB22F4553DEA320FB9DBD0F814412EB9E43769DF78C586C701

Function 000000014007DE00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152registryCOMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 000000014007DE90
RegGetValueA.ADVAPI32 ref: 000000014007E039

Strings

ProductName, xrefs: 000000014007E024
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 000000014007E02B

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: InformationValueVolume
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 2783453754-1787575317
Opcode ID: 61eb3a4e5de2ae1a25ed943f7144b4b3cfe9f40427e2b9bf0f3144c60447432d
Instruction ID: 88dc9f771203b694cd3d13feb9ad3f139ceefda5c28e6ce7ba6092f95be77687
Opcode Fuzzy Hash: 61eb3a4e5de2ae1a25ed943f7144b4b3cfe9f40427e2b9bf0f3144c60447432d
Instruction Fuzzy Hash: C9718C32A14B8086E722CF65E8403DE73B4F799798F504216EB9C47BA9DF78C195CB40

Function 00000001400355DD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 0000000140035856

Strings

filename, xrefs: 000000014003564A
content, xrefs: 000000014003573F

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileFindNext
String ID: content$filename
API String ID: 2029273394-474635906
Opcode ID: e001275cd896e19506121bc5a2a6a67948ac1ca69cccdf659754d35a8bc369de
Instruction ID: 2f2d50cd3728b85bf7dd22654c55f107d1b04f598cd325f08c31715323a8fb03
Opcode Fuzzy Hash: e001275cd896e19506121bc5a2a6a67948ac1ca69cccdf659754d35a8bc369de
Instruction Fuzzy Hash: 0261E832219AC490DA72DB12E4903DEB761F7D9780F849226E7CD53AAAEF38C555CB00

Function 000000014007D7A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 000000014007D7B6
BitBlt.GDI32 ref: 000000014007D7EC

Strings

, xrefs: 000000014007D7C1

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-3916222277
Opcode ID: ae470c4c689f869b9ab573fe5ecf667d94663e1bc2e54309d240cb862a971590
Instruction ID: b22fa59723fd1880f90d16039e653bbf5a6977db0982e8f6c44c24a0e5185140
Opcode Fuzzy Hash: ae470c4c689f869b9ab573fe5ecf667d94663e1bc2e54309d240cb862a971590
Instruction Fuzzy Hash: AFE04E72219B908AD7908F16B85470ABAA5F789BC0F205119AB8E93B28DB39C4558F00

Function 000000014007C967 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000014007CC9C
closesocket.WS2_32 ref: 000000014007CCAE
WSACleanup.WS2_32 ref: 000000014007CCB4

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Cleanupclosesocketrecv
String ID:
API String ID: 3447645871-0
Opcode ID: c5f29a6f82e4cda5efd12a128531453d2ae7e63ca47262aae0ccc1e1a6d6ada8
Instruction ID: eab709b2a91d71219dc338bdc8a0427637c2479730885535d0f181a11fd59591
Opcode Fuzzy Hash: c5f29a6f82e4cda5efd12a128531453d2ae7e63ca47262aae0ccc1e1a6d6ada8
Instruction Fuzzy Hash: 4D917CB3A14BC481EA228B66E4447DE6761E7997E0F504316EBAD17AEADF7CC480C700

Function 000000014007E98B Relevance: 4.6, APIs: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014007E9A7
RegQueryValueExA.ADVAPI32 ref: 000000014007E9E6
RegCloseKey.ADVAPI32 ref: 000000014007EA84

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e58749c6b6c2708cbfda7cfb4cc2637eede89c8ea2e7d3504e5119be13154f8c
Instruction ID: 79318ae5e1e9b6a209de70f72b35aa06e6b3a03820578b3efb8ee19dd5229adb
Opcode Fuzzy Hash: e58749c6b6c2708cbfda7cfb4cc2637eede89c8ea2e7d3504e5119be13154f8c
Instruction Fuzzy Hash: C831D172715B8491EA62CB26E4403AEA760FBDD7D4F505212FB8D47AB9EE3CD184CB00

Function 000000014007D440 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 000000014007D467
GetGeoInfoA.KERNEL32 ref: 000000014007D481
GetGeoInfoA.KERNEL32 ref: 000000014007D4D1

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: dabddd6c895e2f52a57a7818505f9d76ff45043fc459ccda3d8ac0e690d592da
Instruction ID: 90fee48f990a536c98e20aba751c2c9c04ba674589e67a0b677829bb88304ab3
Opcode Fuzzy Hash: dabddd6c895e2f52a57a7818505f9d76ff45043fc459ccda3d8ac0e690d592da
Instruction Fuzzy Hash: A211C17261478183E7118F62F42475EB7A1FB84FC8F045225EB8903B69DF7CD4908B84

Function 00000001400A0050 Relevance: 4.5, APIs: 3, Instructions: 15COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00000001400A0061
TerminateProcess.KERNEL32 ref: 00000001400A006C
ExitProcess.KERNEL32 ref: 00000001400A007B

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c5e04496f828e61d634400119f310d7078e9af1bf9ca9274a76f0b4b113410d8
Instruction ID: f9243dcb0947786e921359f981b604d51b7b47a816461f64490f77957be4224f
Opcode Fuzzy Hash: c5e04496f828e61d634400119f310d7078e9af1bf9ca9274a76f0b4b113410d8
Instruction Fuzzy Hash: 66D09E3430170846FA5A6B736C957ED22255F5C7C1F04192C6B47073B3CD3D888E8610

Function 0000000140085190 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400852D3

Strings

f[, xrefs: 00000001400853F5

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: f[
API String ID: 118556049-724553921
Opcode ID: e5f5bb6a157773786e9b19aa042917afd84d7026ba84b73920649958b0237af2
Instruction ID: f43eb5f637751f4d7f3230c33235fa76f5fd370338e37ecf82f5159868a21eea
Opcode Fuzzy Hash: e5f5bb6a157773786e9b19aa042917afd84d7026ba84b73920649958b0237af2
Instruction Fuzzy Hash: CAA1D233B04B8486FB229F6AD5003ED73B1BB59BD9F144611EF9927AA5DB34C6918340

Function 000000014003F210 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014003F3FC

Strings

, xrefs: 000000014003F293

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-3916222277
Opcode ID: d1a363919dd19d68adbaa1824478dd39cb0e0911c99aa75ce560a6b8aa69075f
Instruction ID: a981a205836d7b9725245c82c35ce7c20dd13c8e2bec3eb01c485d5cb054b2d7
Opcode Fuzzy Hash: d1a363919dd19d68adbaa1824478dd39cb0e0911c99aa75ce560a6b8aa69075f
Instruction Fuzzy Hash: 52513472304B4496EB168F2AD5943AE37A0F748BD4F984622EF5E47BA0CF78D5A1D300

Function 0000000140045670 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400457CB

Strings

cannot use operator[] with a numeric argument with , xrefs: 0000000140045B99

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: cannot use operator[] with a numeric argument with
API String ID: 118556049-485864652
Opcode ID: 79804f4a44a177bf13a4b8f88762019dc26778b0f8d53fd89d330793441b4ef7
Instruction ID: 5ed39cd970f3da3471a7114cda8519d5d7bf48897c2ee1ddb565b91127a7abb1
Opcode Fuzzy Hash: 79804f4a44a177bf13a4b8f88762019dc26778b0f8d53fd89d330793441b4ef7
Instruction Fuzzy Hash: C731D272319B8085EE12AB27B5443DC6396E708BE5F590635FF6D0BBE6DA38C481C304

Function 000000014008C104 Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008C12B

Part of subcall function 000000014008C0C0: _invalid_parameter_noinfo.LIBCMT ref: 000000014008C0D7

_invalid_parameter_noinfo.LIBCMT ref: 000000014008C1D8

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 75dacb89e764ecf40af59fcee7c22e2fbf6e8ba84ae5c27b2747cb5a966399e9
Instruction ID: 8be8243372e4bb7338c400875aec30a5fe64968161bb492a5739d17ce4fc8c58
Opcode Fuzzy Hash: 75dacb89e764ecf40af59fcee7c22e2fbf6e8ba84ae5c27b2747cb5a966399e9
Instruction Fuzzy Hash: 40217C3362064481EE56EB16E895BE93361F79ABD4F944216FB1A473F2EA39C259C300

Function 0000000140074FD0 Relevance: 3.1, APIs: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0000000140075021
RegCloseKey.ADVAPI32 ref: 0000000140075033

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 7ec879cfecc611e1203277112fd56f06e17ca4e10c092f3590478b68c26c49ef
Instruction ID: ec14ba0587e031e24ade476592ff76ecaadcb2d768a7e792e5b1a87d2e94dd26
Opcode Fuzzy Hash: 7ec879cfecc611e1203277112fd56f06e17ca4e10c092f3590478b68c26c49ef
Instruction Fuzzy Hash: 35219F72711A8046FA51AB23E8503DAA360EB9DBD4F585121FB4D43BA9DE7CC481C780

Function 000000014007428C Relevance: 3.1, APIs: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003C7E0: CreateToolhelp32Snapshot.KERNEL32 ref: 000000014003C82A
Part of subcall function 000000014003C7E0: Process32FirstW.KERNEL32 ref: 000000014003C86C

Part of subcall function 000000014003ABE0: CredEnumerateA.ADVAPI32 ref: 000000014003AC42

Part of subcall function 000000014007C5E0: recv.WS2_32 ref: 000000014007C7BC

ReleaseMutex.KERNEL32 ref: 00000001400742FB
CloseHandle.KERNEL32 ref: 0000000140074304

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: 1e475a0fd37e72c571760871dcb9f9096f5c0b73a05df945e32f443ddcc6d7f4
Instruction ID: 7b9fc5bf202d6c660958987423c1e07503b58d6b0919fc9b46d6a515e610c1ca
Opcode Fuzzy Hash: 1e475a0fd37e72c571760871dcb9f9096f5c0b73a05df945e32f443ddcc6d7f4
Instruction Fuzzy Hash: 96215871A5468081FB23BBB7A4163EE6351AF8E7D0F445612FB99476F7DF3C80818622

Function 00000001400742BD Relevance: 3.0, APIs: 2, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014007C5E0: recv.WS2_32 ref: 000000014007C7BC

ReleaseMutex.KERNEL32 ref: 00000001400742FB
CloseHandle.KERNEL32 ref: 0000000140074304

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseHandleMutexReleaserecv
String ID:
API String ID: 2659716615-0
Opcode ID: 688f010fb93d99a7170d6fa059f594efe689c9c1b67f65fa2a329f1f928e5df2
Instruction ID: 6f94cae61cdad2189cef370b3ba5221df8fa11a5c37ea0c6658456750868d446
Opcode Fuzzy Hash: 688f010fb93d99a7170d6fa059f594efe689c9c1b67f65fa2a329f1f928e5df2
Instruction Fuzzy Hash: 14111871A1468181FB637B77A4063EE5250AB8E7D0F445611FB99476F7DF3CC1818611

Function 000000014009B264 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 000000014009B2B0
GetLastError.KERNEL32 ref: 000000014009B2BA

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 74fd80307102959cdb4bb45340283f0b27aee8fd65d2f6709d6669cbca38fe3f
Instruction ID: e816577ed0fe5e9188ac3a7553593d5145fada9baf7cdf4296f147d26e6d8956
Opcode Fuzzy Hash: 74fd80307102959cdb4bb45340283f0b27aee8fd65d2f6709d6669cbca38fe3f
Instruction Fuzzy Hash: EE119E72314B8081EA518B26AA4439EA761E789FF4F544315FFB94B7F9CF78C0558740

Function 000000014003ABE0 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32 ref: 000000014003AC42
CredFree.ADVAPI32 ref: 000000014003B666

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Cred$EnumerateFree
String ID:
API String ID: 3403564193-0
Opcode ID: 68933ec41ec7f767c84b5bba2a9ee996cddad3a9583237b16e79ba386fb61ddd
Instruction ID: d146230a8e0ec21177f2b18e980c1da24b7c74670fa70e30d45436cd69ac1e72
Opcode Fuzzy Hash: 68933ec41ec7f767c84b5bba2a9ee996cddad3a9583237b16e79ba386fb61ddd
Instruction Fuzzy Hash: 3A11FA32251A809AE736DF22EC45BDA7368F74C788F454016EF5D07A24CF39C696CB40

Function 00000001400742E9 Relevance: 3.0, APIs: 2, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 00000001400742FB
CloseHandle.KERNEL32 ref: 0000000140074304

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 96d4f6a17b3e9df86ae38d560ee459ed41c223e123a4abdd348c551b97df98bf
Instruction ID: 4df68b0ff96a1f532fb189d16ae1a04ce7a62c23901e90ecebd86e927d313f56
Opcode Fuzzy Hash: 96d4f6a17b3e9df86ae38d560ee459ed41c223e123a4abdd348c551b97df98bf
Instruction Fuzzy Hash: 6F017172B0068182FB62AB76B4053DD5250AB9D7E0F485311FBAD476F6DF3CC181C610

Function 00000001400773F4 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 000000014007742A
CloseHandle.KERNEL32 ref: 000000014007744B

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseHandleInformationToken
String ID:
API String ID: 3954737543-0
Opcode ID: c3f0b768841955a9a3d9e25d8efd8a2e2e52dcd02db8f9ea780a401ca5bec332
Instruction ID: 74872fa6a3f98f0711c3ec8ca7f9c4563ae7453ee37c46518121393bc82f552f
Opcode Fuzzy Hash: c3f0b768841955a9a3d9e25d8efd8a2e2e52dcd02db8f9ea780a401ca5bec332
Instruction Fuzzy Hash: 8CF0EC71715A4086EA519B16F84079AA760F78DBC0F885122BB9E97BB8DF3CC441CB40

Function 00000001400A9BE8 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400A9C18

Part of subcall function 00000001400AAB1C: std::bad_alloc::bad_alloc.LIBCMT ref: 00000001400AAB25

Concurrency::cancel_current_task.LIBCPMT ref: 00000001400A9C1E

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 6ffe177f5157f79d277372c6ea1b39799971d2e5a1b5546f7eb344a9914ef09c
Instruction ID: 04523a235a29f71bc6c7b1a626fb6df20e7af0258fe547a34f32961bfb1e0df3
Opcode Fuzzy Hash: 6ffe177f5157f79d277372c6ea1b39799971d2e5a1b5546f7eb344a9914ef09c
Instruction Fuzzy Hash: 14E0177072150945FE2B22F318163E400801F6D3F0E2C1B207B750B2F3BE3488D58A20

Function 0000000140098C40 Relevance: 2.5, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140098C56
GetLastError.KERNEL32 ref: 0000000140098C60

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1eb1d4d919d340514f52b5ee7c14653ab2b68de4ee8aa6cf9f2209b3c6d7e0a2
Instruction ID: b52fa26c04212aab859c5ae896bd543063644a9c8dd7e940ebd072c94055b3ed
Opcode Fuzzy Hash: 1eb1d4d919d340514f52b5ee7c14653ab2b68de4ee8aa6cf9f2209b3c6d7e0a2
Instruction Fuzzy Hash: D8E02BB4B0220142FF1B63F3A8983FD12815F9C7C0F040420BF0983372EE3888814714

Function 000000014008AF60 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014008B1B0

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 87a6127ac30b23622a38d36947904b79f4457d1bf17aa16409fec1a630396561
Instruction ID: da5433d3288cf5a0a526c1d61247c75615e0e3a88a26d8c87c4e36aa5818ab75
Opcode Fuzzy Hash: 87a6127ac30b23622a38d36947904b79f4457d1bf17aa16409fec1a630396561
Instruction Fuzzy Hash: 23619A73301A9084EA269F1BD1583AE27A1F749FD8F548611EF6D0B7E5DE39CA86D300

Function 00000001400352A2 Relevance: 1.7, APIs: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 0000000140035856

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 5b05c260e62101b68e43d7db914f54a747e8c0ec7b32a054b920aaf09dea4265
Instruction ID: e649bfc8535035589324032d23b6a7e11e4b803acda3a1057fe361eba0c7eb52
Opcode Fuzzy Hash: 5b05c260e62101b68e43d7db914f54a747e8c0ec7b32a054b920aaf09dea4265
Instruction Fuzzy Hash: DB716F72714BC080EA26EB66E4883DE6361E799BE5F504216EB9D07AF9DF78C481C740

Function 00000001400457E0 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000140045975

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 816848171f501418f89c1fc00c7346ea8877edef7841e76b7dc2ad7f2b5f6794
Instruction ID: 88a164151cc8353faf59e75a2abb20e029c8a58e390f0121c60b982c8f58206e
Opcode Fuzzy Hash: 816848171f501418f89c1fc00c7346ea8877edef7841e76b7dc2ad7f2b5f6794
Instruction Fuzzy Hash: 5041BE72315B8481EA12AF53A5443DD6366F70DBE5F580626EFAD0B7A6DF38C8518304

Function 000000014003547E Relevance: 1.6, APIs: 1, Instructions: 121fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 0000000140035856

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 25dec867869f5d8b4563aea71eca131ee73c39c25ea8bd32bbf7eec9477723c7
Instruction ID: ff858e403f5257532e0e445b19357b2154aaa18ba36673eb4bea4b4fa6f79fd6
Opcode Fuzzy Hash: 25dec867869f5d8b4563aea71eca131ee73c39c25ea8bd32bbf7eec9477723c7
Instruction Fuzzy Hash: 92416172314AC080EB66EB26E4583DE6361E798BD9F540216EB9D07AB9DF79C8C1C740

Function 000000014009913C Relevance: 1.6, APIs: 1, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140099164

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3bf68b98c4e4d5055eca90d70818410e9c6b64531da33e3d6cbcec56e46eb5a9
Instruction ID: e8858ff0fec7026d46d52c93e3e982fb4afd14998ecd62c25ef9218b9df49fb2
Opcode Fuzzy Hash: 3bf68b98c4e4d5055eca90d70818410e9c6b64531da33e3d6cbcec56e46eb5a9
Instruction Fuzzy Hash: 5141B83220060497EA769F6FE5803EA77A0E79ABD0F140205FB9A877F1CB38D442C750

Function 0000000140044FE9 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cf54d8b55000f68581a76b622efabc5ffabb5784a99202e54d6246ecb7575a
Instruction ID: b9f7c3d18e9fc718e9f68750a2dc55bbda92819f1f2dc940bfb1a0fb0abbe0fe
Opcode Fuzzy Hash: 90cf54d8b55000f68581a76b622efabc5ffabb5784a99202e54d6246ecb7575a
Instruction Fuzzy Hash: CF31BE72315B4095EE26AB53E5003EDA362E74CBD1F594632FB5D0BBE6EA38C091C348

Function 000000014003FCD0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000014003FDD8

Part of subcall function 000000014002B510: __std_exception_copy.LIBVCRUNTIME ref: 000000014002B558

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy
String ID:
API String ID: 317858897-0
Opcode ID: d94b9a2a69c268f486b851b87e23473635957be695ff32d0151c61d1f870f8fb
Instruction ID: 97e6037b4797a068ef0178edcbe608246ecf14e62a64900bd4ebe1e7e1eb7f9f
Opcode Fuzzy Hash: d94b9a2a69c268f486b851b87e23473635957be695ff32d0151c61d1f870f8fb
Instruction Fuzzy Hash: 2321D232711B4441EE1BAB56A5043FA2391EB58BE4F244721EB7C07BE2EB78C9D29300

Function 000000014009ABD4 Relevance: 1.6, APIs: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014009ACCB

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c89b410e1389cb82359957a1d11d0eb726d726846ac3ab4cc0b188c027a385d4
Instruction ID: 8c05ef98f207ced81cdebc3070fd8dbcc834d1fcd774f14c22416a124c273843
Opcode Fuzzy Hash: c89b410e1389cb82359957a1d11d0eb726d726846ac3ab4cc0b188c027a385d4
Instruction Fuzzy Hash: E3318DB221060086E753AF57C8413ED7A61A79DFE5F924209FB290B3F2DB78C485C765

Function 000000014009FF81 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014009FFAF

Part of subcall function 00000001400A00B4: GetModuleHandleExW.KERNEL32 ref: 00000001400A00D9
Part of subcall function 00000001400A00B4: GetProcAddress.KERNEL32 ref: 00000001400A00EF
Part of subcall function 00000001400A00B4: FreeLibrary.KERNEL32 ref: 00000001400A0116

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 6f470f8dda504ea2c6696702d6c6df831c5a7e6bb14415fde04cade51a1e4a45
Instruction ID: f99bd018723e0a5e74f5149f53b0b551624bc39cb2b7f44deffbf3c3ea7ec64b
Opcode Fuzzy Hash: 6f470f8dda504ea2c6696702d6c6df831c5a7e6bb14415fde04cade51a1e4a45
Instruction Fuzzy Hash: 97219A32A00B848AEB268F69C4503EC37B0F709798F24462AE72847AE5DB34C584CB40

Function 00000001400B9758 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400B96B5

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f7592383a6c98d4fba61f7e3dde42e88bd2e4ab2cac1154d67cb9460cc1e3cec
Instruction ID: fc355d5895d30ffd1540380ba59b71e238b03132919f1238a9496d9e0c5d9a9e
Opcode Fuzzy Hash: f7592383a6c98d4fba61f7e3dde42e88bd2e4ab2cac1154d67cb9460cc1e3cec
Instruction Fuzzy Hash: B1118132214A4081EA62AF9394113EEA3B1BB9DBC0F544021FF8897BA7EB7DC5414B44

Function 00000001400BBABC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BBADF

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0aa9ebfc6785f24b4eccfcde9967f66bba0269257cf9e3546546d224156ecbb2
Instruction ID: 13e69ae66ec78af3e9e7ce95c97f7042131b8b179f5c5ad25fbf63c8b5fe202d
Opcode Fuzzy Hash: 0aa9ebfc6785f24b4eccfcde9967f66bba0269257cf9e3546546d224156ecbb2
Instruction Fuzzy Hash: 1E219332614A4087DB629F5AE4807A977B0F788BD4F644324FB5A876F9DB79C940CB00

Function 00000001400789B0 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00000001400789F8

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6b025b54e0dcc84b3c2947f32e0b7f6b98a3280ab38bb9e29cf354069e188991
Instruction ID: 72c448f64851b44ef0d47f291fbcb967c8de0864198b92fcea4cfbeab45c03dd
Opcode Fuzzy Hash: 6b025b54e0dcc84b3c2947f32e0b7f6b98a3280ab38bb9e29cf354069e188991
Instruction Fuzzy Hash: 97016D32715A8481EB618F1BB94075AA7A0F78CFD4F585135EF9D43B58EA38C8518740

Function 0000000140035813 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 0000000140035856

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 48936a933d113bbb92917aa3fa45ad3eacbb0eca927ca955dd0d4c339e2a851b
Instruction ID: 46c86765a48e0a4325b0ce012d2570db63820add8cc189426e9b10953f9b7d6b
Opcode Fuzzy Hash: 48936a933d113bbb92917aa3fa45ad3eacbb0eca927ca955dd0d4c339e2a851b
Instruction Fuzzy Hash: DB01FF36208A8085EA72DB56F85439B7364F78CBD5F904122DF8D53B69DE39C886CB00

Function 000000014008C804 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008C823

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 986c70b0d44c87641fd7a2bafc8596790e971a1da67f8b9ca5557413f7120d21
Instruction ID: 850c00b336af4423b93af6fe604bf7543ad1d172a4ae1adb93c9bb4fdbaa00ec
Opcode Fuzzy Hash: 986c70b0d44c87641fd7a2bafc8596790e971a1da67f8b9ca5557413f7120d21
Instruction Fuzzy Hash: D2E0D83262564585EF266B7AE1817ED7260BB4C7F0F148322B734036E6DF3485644611

Function 00000001400B82F4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00000001400B82FD

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ebdd672c62679ada28959d0ce90671b441c0e42cbdf7fd0cd8041d2b6a409d03
Instruction ID: c1f8abdfa3c11aa9de56e1ee108be8b74f057e80f86e55c58f9080c7b4b0d2de
Opcode Fuzzy Hash: ebdd672c62679ada28959d0ce90671b441c0e42cbdf7fd0cd8041d2b6a409d03
Instruction Fuzzy Hash: 4EB09276A148C0C3C652EB08F84274A7331FB98B08FD00014E38D43624CE2DCA2A8E10

Function 000000014009B5E0 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000000014009B61E

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2a123d78f4d769f4acf099b182ff40896aa8a4043ec30c81b9c6a49c6a9f5ef5
Instruction ID: d17b2792fcd96ab1b0cd15c98c0f9a64d373f884e408e1771f1ce4653c2ec12c
Opcode Fuzzy Hash: 2a123d78f4d769f4acf099b182ff40896aa8a4043ec30c81b9c6a49c6a9f5ef5
Instruction Fuzzy Hash: 9AF01C3470160045FE5766B36A917F921809BDCBF1F494724BF3A872E1DA3CD4828610

Function 000000014008367E Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000000140083698

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 171124b5f2ab3818db07a67a82fa4cbd7873982a8377bdffdc18fb1eaf286f32
Instruction ID: 25c2ae09cf3b6add8cf4f3f494b0dac0374b649d0839acd98eae18855a5efc49
Opcode Fuzzy Hash: 171124b5f2ab3818db07a67a82fa4cbd7873982a8377bdffdc18fb1eaf286f32
Instruction Fuzzy Hash: C4E08676700910C5E612D723E4157AD6394F78CFE0F8A9032BF4D43764DE38C9428B40

Non-executed Functions

Function 00007FF7F8913C70 Relevance: 38.9, APIs: 12, Strings: 10, Instructions: 376libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F8913C83

Part of subcall function 00007FF7F8913060: GetCurrentProcess.KERNEL32 ref: 00007FF7F8913071
Part of subcall function 00007FF7F8913060: GetTempPathA.KERNEL32 ref: 00007FF7F89130C8
Part of subcall function 00007FF7F8913060: strlen.MSVCRT ref: 00007FF7F89131E7

GetTempPathW.KERNEL32 ref: 00007FF7F8913CEA
wcslen.MSVCRT ref: 00007FF7F8913D0B
wcslen.MSVCRT ref: 00007FF7F8913D29

Part of subcall function 00007FF7F8A05AE0: memcpy.MSVCRT ref: 00007FF7F8A05B18

strlen.MSVCRT ref: 00007FF7F8913E21
LoadLibraryA.KERNEL32 ref: 00007FF7F8913ED1
GetProcAddress.KERNEL32 ref: 00007FF7F8913EEB
GetProcAddress.KERNEL32 ref: 00007FF7F8913F44
GetProcAddress.KERNEL32 ref: 00007FF7F8913F94
wcslen.MSVCRT ref: 00007FF7F8913FE3
GetProcAddress.KERNEL32 ref: 00007FF7F89140C3
VirtualProtect.KERNEL32 ref: 00007FF7F89140E0

Strings

LdrLoadDll, xrefs: 00007FF7F8913EE1
basic_string: construction from null is not valid, xrefs: 00007FF7F8914314
?, xrefs: 00007FF7F8913F6D
&*, xrefs: 00007FF7F8913ED7
basic_string::append, xrefs: 00007FF7F89142F3, 00007FF7F8914320
_xQR, xrefs: 00007FF7F8913FF5
a.dll, xrefs: 00007FF7F8913D1F
Execute, xrefs: 00007FF7F89140AA
:a.dll, xrefs: 00007FF7F8913FD9
1-+!_xQR, xrefs: 00007FF7F891406F

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: AddressProc$wcslen$CurrentPathProcessTempstrlen$LibraryLoadProtectVirtualmemcpy
String ID: &*$1-+!_xQR$:a.dll$?$Execute$LdrLoadDll$_xQR$a.dll$basic_string: construction from null is not valid$basic_string::append
API String ID: 61348399-1617610566
Opcode ID: 51c0a02d63bd9bdf2016c2d86cded10179b683d98fef58156d81671ca565a833
Instruction ID: b9940081c9c20639c0dd62f0b5a129a4944a5830d780a28c626667d94e147d85
Opcode Fuzzy Hash: 51c0a02d63bd9bdf2016c2d86cded10179b683d98fef58156d81671ca565a833
Instruction Fuzzy Hash: CFF1B06260DB8685EB20EB15E4403AAF361FB88B90FC44136DAAE07BD8DF3CD545D794

Function 000000014006CE40 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 329memorycomCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000000014006CEF3
CoInitializeSecurity.OLE32 ref: 000000014006CFA8
CoCreateInstance.OLE32 ref: 000000014006D056
CoSetProxyBlanket.OLE32 ref: 000000014006D0A4
SysAllocStringByteLen.OLEAUT32 ref: 000000014006D0D1
SysFreeString.OLEAUT32 ref: 000000014006D0E1
SysAllocStringByteLen.OLEAUT32 ref: 000000014006D101
SysFreeString.OLEAUT32 ref: 000000014006D112
SysStringByteLen.OLEAUT32 ref: 000000014006D171
SysFreeString.OLEAUT32 ref: 000000014006D1F0
SysFreeString.OLEAUT32 ref: 000000014006D1FA

Strings

@, xrefs: 000000014006D078

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: String$Free$Byte$AllocInitialize$BlanketCreateInstanceProxySecurity
String ID: @
API String ID: 2330523681-2766056989
Opcode ID: 1d478104f55c7b006d47e052fea2f947d3b522c4ed9422ebf2c87dd507e26293
Instruction ID: 13c4367a43189977c099a5a69ece56d153c1723905f586f1ec0b8e4762b49491
Opcode Fuzzy Hash: 1d478104f55c7b006d47e052fea2f947d3b522c4ed9422ebf2c87dd507e26293
Instruction Fuzzy Hash: 5CE19C32B14B808AF7128B7AE8143ED7362F78DBD8F105616EF5D57AA9DB38C1858344

Function 0000000140072EC0 Relevance: 16.2, APIs: 1, Strings: 8, Instructions: 434COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A9B70: AcquireSRWLockExclusive.KERNEL32 ref: 00000001400A9B80

ShellExecuteW.SHELL32 ref: 00000001400733C7

Strings

ios_base::eofbit set, xrefs: 00000001400735CE
open, xrefs: 0000000140073340
.exe, xrefs: 0000000140072F95
.exe, xrefs: 0000000140072F6C
runas, xrefs: 0000000140073349
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;', xrefs: 0000000140072FDC
ios_base::badbit set, xrefs: 00000001400735BC
ios_base::failbit set, xrefs: 00000001400735C7

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AcquireExclusiveExecuteLockShell
String ID: .exe$.exe$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open$runas
API String ID: 1402300192-2441601502
Opcode ID: 1b99f628628dd67c428087690097429bc331ca29790503331c7bd98e4d147edb
Instruction ID: 642fec826a1e3fd6779540e5d4449cad4a9ba132e9692004461db3030459b409
Opcode Fuzzy Hash: 1b99f628628dd67c428087690097429bc331ca29790503331c7bd98e4d147edb
Instruction Fuzzy Hash: 7B229C72610B8089EB01DF6AE8843DD77A1F7887A8F505226FB9D07AB9DF78C585C740

Function 00007FF7F892D367 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7F892E0B6

Strings

P, xrefs: 00007FF7F892E9B3
P, xrefs: 00007FF7F892E454
, xrefs: 00007FF7F892DEC0

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memset
String ID: $P$P
API String ID: 2221118986-3733749394
Opcode ID: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
Instruction ID: 1897b648ad8e4b90b7c95d77dff712cde9fdbaed3d0ab68b57e032197f0eaa6e
Opcode Fuzzy Hash: 6c4975efa101d25bce8fb2713dfa8b24bac3f22bc36ad2dce6f035114948cbbe
Instruction Fuzzy Hash: B912E332A0C2868AE760EF24E4407BEF394FB84345F914135DA59477CADF7CE444ABA5

Function 00000001400819C5 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 311nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000001400819E7
NtQuerySystemInformation.NTDLL ref: 0000000140081A12
GetCurrentProcess.KERNEL32 ref: 0000000140081ADB
NtQueryObject.NTDLL ref: 0000000140081B28
GetFinalPathNameByHandleA.KERNEL32 ref: 0000000140081C22
CloseHandle.KERNEL32 ref: 0000000140081D36
CloseHandle.KERNEL32 ref: 0000000140081DBE

Strings

File, xrefs: 0000000140081B5C

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: HandleQuery$CloseInformationSystem$CurrentFinalNameObjectPathProcess
String ID: File
API String ID: 617584216-749574446
Opcode ID: 42d9fc94595e79f5ac32f4e092be85b83e99424789b1bb33c4abce0304e0a1f6
Instruction ID: b37cfe2615e03cacd60327910fb70d6e916f7ee7200f6fe390350feb51e704f5
Opcode Fuzzy Hash: 42d9fc94595e79f5ac32f4e092be85b83e99424789b1bb33c4abce0304e0a1f6
Instruction Fuzzy Hash: A7C19073711A809AFB01DBA6D4543EC2361FB89BD8F408621EF5D2BBA9DB34C685D344

Function 00007FF7F89134D0 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 406fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8A1AB80: malloc.MSVCRT ref: 00007FF7F8A1AB97

memcpy.MSVCRT ref: 00007FF7F8913516
CreateFileW.KERNEL32 ref: 00007FF7F891356D
WriteFile.KERNEL32 ref: 00007FF7F891359D
CloseHandle.KERNEL32 ref: 00007FF7F89135AE
wcslen.MSVCRT ref: 00007FF7F8913686
CloseHandle.KERNEL32 ref: 00007FF7F89138C0

Strings

basic_string::append, xrefs: 00007FF7F8913C06, 00007FF7F8913C44, 00007FF7F8913C55

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CloseFileHandle$CreateWritemallocmemcpywcslen
String ID: basic_string::append
API String ID: 3391094610-3811946249
Opcode ID: 3bb7ded17062e4b397386a719e14fc132e9bd4a9d4ca7b8669ef49969fe5b065
Instruction ID: 13fafe0c85fc577e2bcc353d531bdd77e51124a132622993ba8042f3659da477
Opcode Fuzzy Hash: 3bb7ded17062e4b397386a719e14fc132e9bd4a9d4ca7b8669ef49969fe5b065
Instruction Fuzzy Hash: FC028F6260DB8585EB20EB15E4047AAF361FB84BA1F808235DAAD47BD8DF3CD444E794

Function 00000001400A3D50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

TranslateName.LIBCMT ref: 00000001400A3DBD
TranslateName.LIBCMT ref: 00000001400A3DF8
GetACP.KERNEL32 ref: 00000001400A3E3D
IsValidCodePage.KERNEL32 ref: 00000001400A3E65

Strings

utf8, xrefs: 00000001400A3F49

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue
String ID: utf8
API String ID: 1791977518-905460609
Opcode ID: 5d2d2426c5a5194a24175210fd8136765016d2f1f96d66db4b316bbcbea0d38c
Instruction ID: 5cfce204ad3e52d521be1c37c867fcafba9ba4ef485f8ee24296846217238e8d
Opcode Fuzzy Hash: 5d2d2426c5a5194a24175210fd8136765016d2f1f96d66db4b316bbcbea0d38c
Instruction Fuzzy Hash: 01918C3260078087EB669F23E4417ED63A5E7ACBC0F448221FB59477E6DB39C992CB01

Function 00000001400A4784 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

Part of subcall function 00000001400958C8: FlsSetValue.KERNEL32 ref: 000000014009590D

GetUserDefaultLCID.KERNEL32 ref: 00000001400A48F4

Part of subcall function 00000001400958C8: FlsSetValue.KERNEL32 ref: 000000014009593A
Part of subcall function 00000001400958C8: FlsSetValue.KERNEL32 ref: 000000014009594B
Part of subcall function 00000001400958C8: FlsSetValue.KERNEL32 ref: 000000014009595C

EnumSystemLocalesW.KERNEL32 ref: 00000001400A48DB
ProcessCodePage.LIBCMT ref: 00000001400A491E
IsValidCodePage.KERNEL32 ref: 00000001400A4930
IsValidLocale.KERNEL32 ref: 00000001400A4946
GetLocaleInfoW.KERNEL32 ref: 00000001400A49A2
GetLocaleInfoW.KERNEL32 ref: 00000001400A49BE

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: dc923a5d096c57da2041771729e7932b82461942625d63c848e344da9d183a2f
Instruction ID: 16d93509c95003d09cb5a81faf5c145d79ac997122476c855c64cffa21997edd
Opcode Fuzzy Hash: dc923a5d096c57da2041771729e7932b82461942625d63c848e344da9d183a2f
Instruction Fuzzy Hash: 1B719D3A7007408AFB129F62E4517EE33A4BB9CBC4F444225EF5953AA5EB38C495CB50

Function 0000000140062510 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00000001400626C4
__std_exception_destroy.LIBVCRUNTIME ref: 00000001400626D2
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140062955
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140062963

Strings

value, xrefs: 00000001400625EA, 0000000140062883

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: a7f46672d4bf2cac2b26be635648abda59a65d6f39e2258eca14e481c828b07c
Instruction ID: a0ee57199ec3ce90a2ea8f43caeda29c8c906ea7494d2c7ab5bc718b9e9dd556
Opcode Fuzzy Hash: a7f46672d4bf2cac2b26be635648abda59a65d6f39e2258eca14e481c828b07c
Instruction Fuzzy Hash: DF028D32624BC085EB12CB76D8403ED6761E7997E4F605712FB9E17AEADB78C185C700

Function 00007FF7F89111D9 Relevance: 9.1, APIs: 6, Instructions: 130stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F891124B
malloc.MSVCRT ref: 00007FF7F8911312
strlen.MSVCRT ref: 00007FF7F8911334
malloc.MSVCRT ref: 00007FF7F8911340
memcpy.MSVCRT ref: 00007FF7F8911358
_initterm.MSVCRT ref: 00007FF7F891141A

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled_inittermmemcpystrlen
String ID:
API String ID: 1260285541-0
Opcode ID: 4903dc9185d39246619b425608e0136eb5eeb636e7dc1dfbaabc0c8552b91fbc
Instruction ID: db3dbe6c21bd728c5c2e8ee5ecdc034446aa02759ee45e70cfd6d27797d55ed9
Opcode Fuzzy Hash: 4903dc9185d39246619b425608e0136eb5eeb636e7dc1dfbaabc0c8552b91fbc
Instruction Fuzzy Hash: 72517D35A0DA4699FB61FF15E890379E3A4AF40B92FC45035DA2D473E1DF2CE401A7A8

Function 000000014008D3D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014008D451
RtlLookupFunctionEntry.KERNEL32 ref: 000000014008D469
RtlVirtualUnwind.KERNEL32 ref: 000000014008D4A4
IsDebuggerPresent.KERNEL32 ref: 000000014008D4DD
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014008D4E7
UnhandledExceptionFilter.KERNEL32 ref: 000000014008D4F2

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 62484be6782a1868f2aab5373510e50ea99112a482b5237f41028b796158fad6
Instruction ID: ec7dd7c93c2cafcbf5452b660a6186fd6c71989d302a7769adecfa476ec907f4
Opcode Fuzzy Hash: 62484be6782a1868f2aab5373510e50ea99112a482b5237f41028b796158fad6
Instruction Fuzzy Hash: 73313F36214F8086EB61DF66E8443EE73A4F789794F540226EB9D43BA9DF38C555CB00

Function 00007FF7F892DA84 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 359COMMON

Download Yara Rule

Strings

!, xrefs: 00007FF7F892EC5B
P, xrefs: 00007FF7F892E9B3
, xrefs: 00007FF7F892E59E

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: $!$P
API String ID: 0-2344582389
Opcode ID: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
Instruction ID: c5179618e135e483231e3357bf462fa4a19026bb5eb10805db97cbaf2a42fe47
Opcode Fuzzy Hash: e65736c1dc54ff8f8e83bf8e017ecec5d9c8dafb1b82336238fa23b941b4cde6
Instruction Fuzzy Hash: DBF1D03290C78986E774EF10D0843BEF7A1EB84345F818139D66953AC9DF7CE444ABA4

Function 00000001400907A0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 329COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000000014009080A
memcpy_s.LIBCPMT ref: 0000000140090835

Strings

, xrefs: 0000000140090968

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-3916222277
Opcode ID: 1b748593274e8ddd9ac1e908b2a22b3d8043b10f383cd2471e7c6bd1e5b959b4
Instruction ID: 0c772acccd2561090ae59935be1b1d13ce4e89495d086943b039690d891e3a67
Opcode Fuzzy Hash: 1b748593274e8ddd9ac1e908b2a22b3d8043b10f383cd2471e7c6bd1e5b959b4
Instruction Fuzzy Hash: 84C11B727156C58BEB61CF1AE148B9EB7A1F7887C8F048225EB4A43B94DB3CD845CB40

Function 00000001400B8A44 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400B8AA5
IsDebuggerPresent.KERNEL32 ref: 00000001400B8ABD
OutputDebugStringW.KERNEL32 ref: 00000001400B8ACE

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001400B8AC7

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: add000f596c63ba9086890ad2e143c759155224b8522789efc4995f79ab0692a
Instruction ID: b3baff55db2af0ef0d3f7f0b280b4444a411bf90a176b58064316404aa57ab54
Opcode Fuzzy Hash: add000f596c63ba9086890ad2e143c759155224b8522789efc4995f79ab0692a
Instruction Fuzzy Hash: 98115A32210B4097F7569B27EA453EE33A4FB48784F44812ADB4983AB0EF78D0B4C750

Function 0000000140094A30 Relevance: 6.1, APIs: 4, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0000000140094A80
GetSystemInfo.KERNEL32 ref: 0000000140094A97
VirtualAlloc.KERNEL32 ref: 0000000140094B04
VirtualProtect.KERNEL32 ref: 0000000140094B1E

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 321b67bc3dce9091cca3af2a8210c2363b0b24afac24e17171b156b639bc856e
Instruction ID: 4258e1afaa6455873025acfe4853d78e6786f50bee1bce51619682f1dd863745
Opcode Fuzzy Hash: 321b67bc3dce9091cca3af2a8210c2363b0b24afac24e17171b156b639bc856e
Instruction Fuzzy Hash: 81312A32310A809EEB21DF36D8517D933A5FB4CB88F444126AB1E8BB68DF78D645C740

Function 0000000140066750 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 375COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000001400669AE

Strings

value, xrefs: 00000001400676D3
parse_error, xrefs: 00000001400667DE

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: __std_exception_copy
String ID: parse_error$value
API String ID: 592178966-1739288027
Opcode ID: d6c618e645c2f69b473e8ef9e6e8577313f80a03dcdce8b86aa8a7906fe9e328
Instruction ID: 421e330f328ad8b9b4ed95ecda8ee77e216b13cc7eff753dffc2ada38604a70e
Opcode Fuzzy Hash: d6c618e645c2f69b473e8ef9e6e8577313f80a03dcdce8b86aa8a7906fe9e328
Instruction Fuzzy Hash: 8CF1AD72B20A8095EB12DB76E8413ED6362F7997D8F505712FB4D57AAAEF74C284C300

Function 00000001400B63B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00000001400B63D6
FormatMessageA.KERNEL32 ref: 00000001400B6409

Strings

!x-sys-default-locale, xrefs: 00000001400B63C9

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 673506cb31d12670dfbde8b650ceb219f5d226973d02233bc6ec21ba9828e093
Instruction ID: 6e8259666aaa04c0050ce825aa23775dbb0e3623261df5dc7e3128c0f8f5c655
Opcode Fuzzy Hash: 673506cb31d12670dfbde8b650ceb219f5d226973d02233bc6ec21ba9828e093
Instruction Fuzzy Hash: 90018072B04B8082E7528F63F8507EEA7A1F7887C4F484025EB4947BA8DB3CC5058B10

Function 00000001400A4204 Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

Part of subcall function 00000001400958C8: FlsSetValue.KERNEL32 ref: 000000014009590D

GetLocaleInfoW.KERNEL32 ref: 00000001400A4270

Part of subcall function 000000014008B9A4: _invalid_parameter_noinfo.LIBCMT ref: 000000014008B9C1

GetLocaleInfoW.KERNEL32 ref: 00000001400A42B9

Part of subcall function 000000014008B9A4: _invalid_parameter_noinfo.LIBCMT ref: 000000014008BA1A

GetLocaleInfoW.KERNEL32 ref: 00000001400A4384

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: fde7b8e7db97b770b6d17fa1d78b977a143d5c9e84fe95fb781c5122d3544716
Instruction ID: eec5268479cdda02b8c78da84042847b0e53e37d1fcb4ab9b2df148b0f025e75
Opcode Fuzzy Hash: fde7b8e7db97b770b6d17fa1d78b977a143d5c9e84fe95fb781c5122d3544716
Instruction Fuzzy Hash: D96190376006418AEB369F16E5413ED73A1F7AC7C0F448225EB9A97AA5DB38D691CB00

Function 0000000140099898 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 000000014009990C

Strings

GetLocaleInfoEx, xrefs: 00000001400998B4, 00000001400998C5

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 287f50d5c011b399992cb6bab078c34d72dd0b19453a01a46759c6e23c60aea6
Instruction ID: b8b15d082959550375d872d2b4a574b6c35111f93f95d4160ec2587d11962505
Opcode Fuzzy Hash: 287f50d5c011b399992cb6bab078c34d72dd0b19453a01a46759c6e23c60aea6
Instruction Fuzzy Hash: 33016235704A8086EB459B5BB5447CEA760EB9DBC0F584436BF4917BB6CE38C5428740

Function 000000014006FEA0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptProtectData.CRYPT32 ref: 000000014006FEF8
LocalFree.KERNEL32 ref: 000000014006FF8A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CryptDataFreeLocalProtect
String ID:
API String ID: 2714945720-0
Opcode ID: 9f4b79a0373a1bb07a1f6d57d23aee76defce310f3f699e5fe1e45333d4ada4c
Instruction ID: 67641ed3af448434e7319fa557c5d406fdc98635340749bb2cffd34bed4cf3a5
Opcode Fuzzy Hash: 9f4b79a0373a1bb07a1f6d57d23aee76defce310f3f699e5fe1e45333d4ada4c
Instruction Fuzzy Hash: 57413232614A80CAE3218F75E8403ED37A5F75978CF444629BB8C07E9ADB79C5A48744

Function 00000001400A4450 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

Part of subcall function 00000001400958C8: FlsSetValue.KERNEL32 ref: 000000014009590D

GetLocaleInfoW.KERNEL32 ref: 00000001400A44B8

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: aae51b2a9d21bf7e54f83e578898ef5b46cb428bc91c270732ecb8b3fec0fc21
Instruction ID: 3f2f1034046393169654e7699368e5024081eb92b0caf98da66f0f6c9ea1bd9c
Opcode Fuzzy Hash: aae51b2a9d21bf7e54f83e578898ef5b46cb428bc91c270732ecb8b3fec0fc21
Instruction Fuzzy Hash: 4D318F32B0068187EB25DB27E4413EE73A0F79C7C1F449225FB9983BA6DB38D5918B00

Function 00000001400A409C Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

EnumSystemLocalesW.KERNEL32 ref: 00000001400A413A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: d452b71020bd1f022492bc6807cc192c2c9e031585c9895097b6e7427efa948c
Instruction ID: 7ba68ebfd2e082917346c4e20934efbd0178457faff08846a1fb6ebd3dab0b21
Opcode Fuzzy Hash: d452b71020bd1f022492bc6807cc192c2c9e031585c9895097b6e7427efa948c
Instruction Fuzzy Hash: 8711B17BA046448AEB168F16D4807ED7BA1F7E8FE1F448225E765437E0DA74CAD1CB40

Function 00000001400A4658 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

GetLocaleInfoW.KERNEL32 ref: 00000001400A468F

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 45ec05eff0f2b05e6231976ea7c75e6e9d0457c6cb665565b202bab4e64c0672
Instruction ID: b5a02edd516b77fe93742bd04e37730368f1846733e8bb4b774b053a44aa4555
Opcode Fuzzy Hash: 45ec05eff0f2b05e6231976ea7c75e6e9d0457c6cb665565b202bab4e64c0672
Instruction Fuzzy Hash: A1118C3671459083E7665B13E0407EE23A0E79ABE0F004325FB6507EE4CA35C8D18F01

Function 00000001400A416C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400958C8: GetLastError.KERNEL32 ref: 00000001400958D7
Part of subcall function 00000001400958C8: FlsGetValue.KERNEL32 ref: 00000001400958EC
Part of subcall function 00000001400958C8: SetLastError.KERNEL32 ref: 0000000140095977

EnumSystemLocalesW.KERNEL32 ref: 00000001400A41EA

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 8f5d73e62e28e10308f28ad075867fd029a0f79c06fa79334ee1fb58e0dcdad7
Instruction ID: 650d51a00948b0b7b39d5f8c88aa00294e78a8c84a20bb39946b0cffb9075a66
Opcode Fuzzy Hash: 8f5d73e62e28e10308f28ad075867fd029a0f79c06fa79334ee1fb58e0dcdad7
Instruction Fuzzy Hash: 7801F776B0428086EB564F17E840BD976E2E7B8BE4F458322E77447AE4CB7888C5CB00

Function 0000000140035E00 Relevance: 1.5, APIs: 1, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0000000140035E8D

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 3339dcabb2d0400c4960ad268c66596c86b70f7aa198ebff8756a23dc346941b
Instruction ID: 064fec0349e200c8466840e716244caf27892db5d84088c5fc568a6fc748a439
Opcode Fuzzy Hash: 3339dcabb2d0400c4960ad268c66596c86b70f7aa198ebff8756a23dc346941b
Instruction Fuzzy Hash: E211CE73B14B049EE760CFA1E8407DD37B5F358B4CF44052AAE4D92A68DB38C929CB84

Function 0000000140099354 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 00000001400993A3

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 4f3cbd580663199aaccb01281376539d086b8c9a154dabf837bfd3fdbd7783f2
Instruction ID: 1be20af52885482918bde62337cf613b9eed61835a97c3d623556c94da20431d
Opcode Fuzzy Hash: 4f3cbd580663199aaccb01281376539d086b8c9a154dabf837bfd3fdbd7783f2
Instruction Fuzzy Hash: 72F01472300B4483E606DB2AE8907D933A5FB9DBC0F548026EB4983375CF3CC6618300

Function 00000001400A4D28 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400A4D2C

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b1a02dc7636490bc937ba8cdd60d563051e8e3f602837cd51ba1a2af37ab86b1
Instruction ID: e369f7cc69527b3f87cf0ecfe746ebd2d4f4dd9a0230a8f2b092041844e38892
Opcode Fuzzy Hash: b1a02dc7636490bc937ba8cdd60d563051e8e3f602837cd51ba1a2af37ab86b1
Instruction Fuzzy Hash: 4EB09234A03A00C2EA8A6B126C8A34823A4BB4CB40F984118820C41330DB3C04E69710

Function 00000001400D0390 Relevance: .1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72eb94979c1d3c4de16d58263bb101b23318c1a473ca492c726c35ff16a582af
Instruction ID: 6d4d319ee6e27bdf4a48e05f0685f56c483b360b5ed913eeb7e58a3f650e6fd4
Opcode Fuzzy Hash: 72eb94979c1d3c4de16d58263bb101b23318c1a473ca492c726c35ff16a582af
Instruction Fuzzy Hash: A73180F750DAC44BF3930A7A5D6A39D3F90AB9AF40F4EC199E788031E3E47619078661

Function 00007FF7F892C1E0 Relevance: 33.1, APIs: 11, Strings: 11, Instructions: 88stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F892C1EF
strcmp.MSVCRT ref: 00007FF7F892C206
strcmp.MSVCRT ref: 00007FF7F892C21D
strcmp.MSVCRT ref: 00007FF7F892C234
strcmp.MSVCRT ref: 00007FF7F892C24B
strcmp.MSVCRT ref: 00007FF7F892C262
strcmp.MSVCRT ref: 00007FF7F892C279
strcmp.MSVCRT ref: 00007FF7F892C290
strcmp.MSVCRT ref: 00007FF7F892C2A7
strcmp.MSVCRT ref: 00007FF7F892C2BA
strcmp.MSVCRT ref: 00007FF7F892C2CD

Strings

graph, xrefs: 00007FF7F892C241
digit, xrefs: 00007FF7F892C22A
xdigit, xrefs: 00007FF7F892C2C3
cntrl, xrefs: 00007FF7F892C213
lower, xrefs: 00007FF7F892C258
alpha, xrefs: 00007FF7F892C1FC
alnum, xrefs: 00007FF7F892C1E5
print, xrefs: 00007FF7F892C26F
upper, xrefs: 00007FF7F892C2B0
punct, xrefs: 00007FF7F892C286
space, xrefs: 00007FF7F892C29D

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: alnum$alpha$cntrl$digit$graph$lower$print$punct$space$upper$xdigit
API String ID: 1004003707-2937198513
Opcode ID: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
Instruction ID: d630e8b8a5ed068fe2466b919d463fa43f5b4a7ddd4eb17893e371e64c285323
Opcode Fuzzy Hash: e67547db2ed2332a7f19e7dca95a45f00ddd27835b6d9e5c57363dc607d87d2e
Instruction Fuzzy Hash: 4E310554B0C60755FB10FBA5E901375D289AF44386FC96032D92E862C5EEACF845F2BD

Function 000000014006CB8C Relevance: 27.2, APIs: 18, Instructions: 156COMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32 ref: 000000014006CBCA
Process32NextW.KERNEL32 ref: 000000014006CBDF
OpenProcess.KERNEL32 ref: 000000014006CC1B
OpenProcessToken.ADVAPI32 ref: 000000014006CC42
GetTokenInformation.ADVAPI32 ref: 000000014006CC6E
GetLastError.KERNEL32 ref: 000000014006CC7C
GetTokenInformation.ADVAPI32 ref: 000000014006CCBC
ConvertSidToStringSidA.ADVAPI32 ref: 000000014006CCD3
CloseHandle.KERNEL32 ref: 000000014006CD46
CloseHandle.KERNEL32 ref: 000000014006CD51
CloseHandle.KERNEL32 ref: 000000014006CDB6
Process32NextW.KERNEL32 ref: 000000014006CDC3
CloseHandle.KERNEL32 ref: 000000014006CDE9
CloseHandle.KERNEL32 ref: 000000014006CDF2
CloseHandle.KERNEL32 ref: 000000014006CE07

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CloseHandle$Process32Token$InformationNextOpenProcess$ConvertErrorFirstLastString
String ID:
API String ID: 1972576440-0
Opcode ID: 4763660f4a0e69c6ae17adb260ebd9cda0448fc93eb805e0b3ffd62d0d56fe00
Instruction ID: b19eaf01c865331f754e6351f70945f0302f799c241f37814b0bb61a8d112e69
Opcode Fuzzy Hash: 4763660f4a0e69c6ae17adb260ebd9cda0448fc93eb805e0b3ffd62d0d56fe00
Instruction Fuzzy Hash: 59715B36214B8082EB529B67F8407AEA7A5FB8DBD4F504125EF4E57B68DF78C445C700

Function 00007FF7F892B8D0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7F892B9A5
abort.MSVCRT ref: 00007FF7F892B9AB
RtlUnwindEx.KERNEL32 ref: 00007FF7F892BAC1

Strings

CCG!, xrefs: 00007FF7F892B8F9
CCG!, xrefs: 00007FF7F892B998
CCG , xrefs: 00007FF7F892B93E
CCG", xrefs: 00007FF7F892B932
CCG , xrefs: 00007FF7F892BB26

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3297834124
Opcode ID: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
Instruction ID: 540d6cdebc4d2227a5f3ee2b297ffca49dd232c8c55bc6e2d51e3c447f94270b
Opcode Fuzzy Hash: e45fc8471f7cc306109c62edf8b254349e2b495fbaec3812b0675ed500c917f7
Instruction Fuzzy Hash: 3D51C436A14B81C2E760DB15E4807A9B3B0F799B88F905236EE8D13798DF39D582D744

Function 00007FF7F892FFD0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 446COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7F89302B5

Strings

UUUU, xrefs: 00007FF7F89300FE

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fputc
String ID: UUUU
API String ID: 1992160199-1798160573
Opcode ID: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
Instruction ID: f4793f2c495f257da5b7864c2a464372090e1b6c3295c3811906efdd9695a86b
Opcode Fuzzy Hash: f77c88ed8e2e0546aa95018f39101ab1acda64fb455bfe48ab528bf610eb644e
Instruction Fuzzy Hash: 78128672A0910287EF65DF25C140379F7E5EB44B5AF948235CA1D072C8DA3CE840FBA8

Function 000000014008D888 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008D8B7
_invalid_parameter_noinfo.LIBCMT ref: 000000014008D98D

Strings

0, xrefs: 000000014008DA8B
0, xrefs: 000000014008D9BC
0, xrefs: 000000014008D9CE
0, xrefs: 000000014008DA75

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0$0
API String ID: 3215553584-3558443385
Opcode ID: 820a670e8a4c89272beb14fa381d703c25652b067f448a1dd3f9a95a31db95ef
Instruction ID: d87fa4e986523d27df80953172b62b0dd486bbfc2844426163fd634f79108b30
Opcode Fuzzy Hash: 820a670e8a4c89272beb14fa381d703c25652b067f448a1dd3f9a95a31db95ef
Instruction Fuzzy Hash: 77F1E13320AA958AF7639F2BD4503ED3BA5B359BD0F988203E788477A6D739C655C301

Function 00007FF7F892ADC0 Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7F892AE21
TlsGetValue.KERNEL32(?,?,?,00007FF7F892A375), ref: 00007FF7F892AE4A
GetLastError.KERNEL32(?,?,?,00007FF7F892A375), ref: 00007FF7F892AE4F
LeaveCriticalSection.KERNEL32 ref: 00007FF7F892AE77
free.MSVCRT ref: 00007FF7F892AEB7
DeleteCriticalSection.KERNEL32 ref: 00007FF7F892AEDD
InitializeCriticalSection.KERNEL32 ref: 00007FF7F892AF77

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorInitializeLastLeaveValuefree
String ID:
API String ID: 100439675-0
Opcode ID: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
Instruction ID: fb131571f47c51609b0076c1f2c0188fd9107da82e3c9eaf3d251bffde5da1f5
Opcode Fuzzy Hash: 30aa02ae5bca33457ef710422f6a64a41ac8ead17b866e7ea412da05448c15c7
Instruction Fuzzy Hash: 84414222A0960286FB55FB15E8412B9E3A0AF55B93FC94534CD2D477D4DE3CE842A3AC

Function 0000000140072940 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400729BD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140072A05
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140072B81
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140072B94
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140072B9A

Strings

bad locale name, xrefs: 0000000140072B87
true, xrefs: 0000000140072ABC
false, xrefs: 0000000140072A8D

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: ae88cd937f36c9743e4cf492e26538404faf03bacae6fdef2e26eed03261b8a2
Instruction ID: e066986b790d9d11d0d243cedda6a3cc5bafb9ebfb83a164bf58ddc58a77a579
Opcode Fuzzy Hash: ae88cd937f36c9743e4cf492e26538404faf03bacae6fdef2e26eed03261b8a2
Instruction Fuzzy Hash: 35711932711B408AFB16DFA2E4503EC33B5EB98788F044529AF4927BAADF38C555D385

Function 00000001400816E0 Relevance: 13.6, APIs: 9, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140081744
GetProcessId.KERNEL32 ref: 000000014008174D
RmStartSession.RSTRTMGR ref: 000000014008177C
RmRegisterResources.RSTRTMGR ref: 00000001400817A7
RmGetList.RSTRTMGR ref: 00000001400817E0
RmGetList.RSTRTMGR ref: 0000000140081842
RmEndSession.RSTRTMGR ref: 000000014008188B

Part of subcall function 00000001400A9B70: AcquireSRWLockExclusive.KERNEL32 ref: 00000001400A9B80

RmEndSession.RSTRTMGR ref: 00000001400818C3
RmEndSession.RSTRTMGR ref: 00000001400818D8

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Session$ListProcess$AcquireCurrentExclusiveLockRegisterResourcesStart
String ID:
API String ID: 779856957-0
Opcode ID: 8bb7912290508ce8e88e3aaa07301283af1f89745b5405751b14ca5c1f9e5710
Instruction ID: 53b25bd5857afa0adccecd5323b097c20916bf7b3c0f165211610be25f83b61c
Opcode Fuzzy Hash: 8bb7912290508ce8e88e3aaa07301283af1f89745b5405751b14ca5c1f9e5710
Instruction Fuzzy Hash: 1251EA32B04A408AF715DFA6E4547ED73B5FB8C794F804529EB0A63BA8DE34C946CB50

Function 0000000140090D64 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 489COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140090DA8
_invalid_parameter_noinfo.LIBCMT ref: 0000000140091180
_invalid_parameter_noinfo.LIBCMT ref: 000000014009142B

Strings

p, xrefs: 0000000140090E5A
0, xrefs: 00000001400911D0
f, xrefs: 0000000140090ECA
p, xrefs: 0000000140090ED2

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$f$p$p
API String ID: 3215553584-1202675169
Opcode ID: 424b79af020e58dd710012948c1de64fe2c08c3ce7a620c69024c20bdefc1009
Instruction ID: 7a1535432eec6c5026fa7d0a87deccdfacc68b181622ded096d4695016ab780a
Opcode Fuzzy Hash: 424b79af020e58dd710012948c1de64fe2c08c3ce7a620c69024c20bdefc1009
Instruction Fuzzy Hash: 1212D13270824296FB266B17E0547FEB6A2F3C87D4F988116F79647AE4D738C980CB50

Function 00007FF7F892A530 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF7F892A64B

Strings

Address %p has no image-section, xrefs: 00007FF7F892A5A2, 00007FF7F892A6F5
Mingw-w64 runtime failure:, xrefs: 00007FF7F892A567
VirtualProtect failed with code 0x%x, xrefs: 00007FF7F892A6BE
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF7F892A6E1

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: ba1ad689428b48396fa565d55f37374c51d177facfa230d2a8edbf84c3bf7fa1
Instruction ID: e46cbbd9322aa9d6f74812edda85fb96b6e19e6feb3a714c1eff0ac98e86f97d
Opcode Fuzzy Hash: ba1ad689428b48396fa565d55f37374c51d177facfa230d2a8edbf84c3bf7fa1
Instruction Fuzzy Hash: C851A032A08A4681EB11EF15E841AAAF7A0FB84B95FC54135DE2D073D4DF3CE446E798

Function 00000001400993D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000000014009954F
GetProcAddress.KERNEL32 ref: 000000014009955B

Strings

ext-ms-, xrefs: 00000001400994AC
api-ms-, xrefs: 0000000140099499

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: ae679bdfceee675f1571733c1c63cbbbec3b6b3dc0e35fb4a25fe1e49f4f57a7
Instruction ID: 76867b2f50e267d13f3c23fb1344ffb9304965bf71fdab833d42e5d4e69427de
Opcode Fuzzy Hash: ae679bdfceee675f1571733c1c63cbbbec3b6b3dc0e35fb4a25fe1e49f4f57a7
Instruction Fuzzy Hash: 01418172311A4082FB17DB1BA9147DA6395BB5DBE0F494229BF1D8B7A8EE3CC4468340

Function 00007FF7F8930800 Relevance: 12.4, APIs: 8, Instructions: 355COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7F8930AB5

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: f294bb9004327c1bec0d0349a18b948e00fe3e45a64ad46b07d7e6d5aa7348cc
Instruction ID: a2a1345993d659fbb331c870d8ec0ac575b024c775c63227f14225fedd439c59
Opcode Fuzzy Hash: f294bb9004327c1bec0d0349a18b948e00fe3e45a64ad46b07d7e6d5aa7348cc
Instruction Fuzzy Hash: 62E18372A142028AEB64DF25D050739F7F5EB84B5AF648235CB19477C8DA39EC40FBA4

Function 0000000140072D70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000000140072DDB
InternetOpenUrlA.WININET ref: 0000000140072E10
InternetReadFile.WININET ref: 0000000140072E31
InternetReadFile.WININET ref: 0000000140072E6F
InternetCloseHandle.WININET ref: 0000000140072E7C
InternetCloseHandle.WININET ref: 0000000140072E85

Strings

File Downloader, xrefs: 0000000140072DD4

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Internet$CloseFileHandleOpenRead
String ID: File Downloader
API String ID: 4038090926-3631955488
Opcode ID: 210ff5028c4d6a4313cb91af622c9ef4241b8e7ae994910c4c878489564db72a
Instruction ID: 5fa8a96f82adfbe2566a4b915101b8e54a631cf06f5522793a8622ffc361334d
Opcode Fuzzy Hash: 210ff5028c4d6a4313cb91af622c9ef4241b8e7ae994910c4c878489564db72a
Instruction Fuzzy Hash: 64312632214A8086EB228F26F95079EB7A0FB89BC4F545125FF8943B68DF7CC5958B00

Function 00007FF7F8912F30 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7F8912F81
GetProcAddress.KERNEL32 ref: 00007FF7F8912FD0
wcslen.MSVCRT ref: 00007FF7F8913016

Strings

basic_string: construction from null is not valid, xrefs: 00007FF7F8913050
TEMP, xrefs: 00007FF7F8912FD6
1-+!, xrefs: 00007FF7F8912FA8
G, xrefs: 00007FF7F8912F8F

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: AddressLibraryLoadProcwcslen
String ID: 1-+!$G$TEMP$basic_string: construction from null is not valid
API String ID: 1064947497-2238167505
Opcode ID: b0833021c85c12311d7ea6ad174c81375b93a74c7c7ca75d79944687dd432d59
Instruction ID: 8ebefb4a85f5714bfa4505cec3441d1a7c82a33e0d23a369fafe679fe31cc12d
Opcode Fuzzy Hash: b0833021c85c12311d7ea6ad174c81375b93a74c7c7ca75d79944687dd432d59
Instruction Fuzzy Hash: 2D31A121A1DB8682EB11AB54E4006A9F770EB85B94FC04032DA5E17B98DE3CE506D794

Function 00007FF7F892BBF0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7F892BC22
RaiseException.KERNEL32 ref: 00007FF7F892BC44
abort.MSVCRT ref: 00007FF7F892BC70
RaiseException.KERNEL32 ref: 00007FF7F892BCB7

Strings

CCG", xrefs: 00007FF7F892BC3F
CCG , xrefs: 00007FF7F892BC1D
CCG", xrefs: 00007FF7F892BCB2

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ExceptionRaise$abort
String ID: CCG $CCG"$CCG"
API String ID: 3325032505-1179968548
Opcode ID: dc1771becb5f7d7a174ac4ee873c316158b39dbcf1eb3e3089c99a13fe7347f6
Instruction ID: bb56ef22e4fd6caf1f1d2a4b5eef14ff8c85c73fd41edb9a7ede3a28d7ca8557
Opcode Fuzzy Hash: dc1771becb5f7d7a174ac4ee873c316158b39dbcf1eb3e3089c99a13fe7347f6
Instruction Fuzzy Hash: 7A218333A25F8483E750DF58E4403A97760F7D9788F60A226EA8D477A4DF7DD1928740

Function 00007FF7F8935C10 Relevance: 11.5, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF7F8935C87
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8935CBD

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CriticalLeaveSectionfree
String ID:
API String ID: 1679108487-0
Opcode ID: 95fe868276fcc675441e8b6bcbd2e592402446384d147c482bf95a0a74b21bb4
Instruction ID: 82d722cf9b07768a2024a7dd950549965ba249197585ab6aa2a2f0d9a975c3c6
Opcode Fuzzy Hash: 95fe868276fcc675441e8b6bcbd2e592402446384d147c482bf95a0a74b21bb4
Instruction Fuzzy Hash: C5918F31A09A0295EB25FB15ED402B9E2A9EF08786FC44435D93D0B7D4DF3CA551B3E8

Function 00007FF7F8912600 Relevance: 10.6, APIs: 7, Instructions: 105stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7F89126EA
strcpy_s.MSVCRT ref: 00007FF7F891272E
strcpy_s.MSVCRT ref: 00007FF7F8912741
strcpy_s.MSVCRT ref: 00007FF7F891274F
_strlwr.MSVCRT ref: 00007FF7F8912755
_strlwr.MSVCRT ref: 00007FF7F891275E
strstr.MSVCRT ref: 00007FF7F891276A

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcpy_s$_strlwr$ByteCharMultiWidestrstr
String ID:
API String ID: 606828236-0
Opcode ID: 740dde69bc923aa62291048bd7d2af24dee97c0faba599a4844422326155c18e
Instruction ID: 802666c5d3b543065605e9a6a0f1080d61c5770bc6773cba74e61a401e49e6a5
Opcode Fuzzy Hash: 740dde69bc923aa62291048bd7d2af24dee97c0faba599a4844422326155c18e
Instruction Fuzzy Hash: 2A419D62608BC186EB21DF16E9407AAE765FB89BE4F804131EE9D03B98CF7CD142D744

Function 00007FF7F8914350 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F891440C
strcmp.MSVCRT ref: 00007FF7F891445C

Strings

?, xrefs: 00007FF7F8914415
?, xrefs: 00007FF7F8914382
?, xrefs: 00007FF7F89143C6
L]O[, xrefs: 00007FF7F891437A
m~RF, xrefs: 00007FF7F891442B

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: ?$?$?$L]O[$m~RF
API String ID: 1004003707-3421602070
Opcode ID: 1d2fd37fcf9e9270826f93c39df50b07c1c31ca18e56336efe699e63f3ad2eb9
Instruction ID: 3f8c47d2c97fa7c38e31633d3a2aea466cf79f74929fe7fa370ffdfa616a0bc7
Opcode Fuzzy Hash: 1d2fd37fcf9e9270826f93c39df50b07c1c31ca18e56336efe699e63f3ad2eb9
Instruction Fuzzy Hash: B631F77290C7858AEB11DF28E4402AAFBA4E799784FC44136EB9D07B85DB7CC541CF94

Function 00000001400958C8 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001400958D7
FlsGetValue.KERNEL32 ref: 00000001400958EC
FlsSetValue.KERNEL32 ref: 000000014009590D
FlsSetValue.KERNEL32 ref: 000000014009593A
FlsSetValue.KERNEL32 ref: 000000014009594B
FlsSetValue.KERNEL32 ref: 000000014009595C
SetLastError.KERNEL32 ref: 0000000140095977

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 87d6f8d026e6a5ccece3540032cc9aa4090410d0cf0870e7c42c6d11e07430ce
Instruction ID: 94191e183d8c7d64a8a2dbd3827d5593e31011003ecf1becfb5b7b44f012405e
Opcode Fuzzy Hash: 87d6f8d026e6a5ccece3540032cc9aa4090410d0cf0870e7c42c6d11e07430ce
Instruction Fuzzy Hash: 28216A3021964082FA5B7B77A6553ED66829B4DBF1F540729BB660BBF6EE38C4018301

Function 00000001400A77C8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000001400A77F9
GetLastError.KERNEL32 ref: 00000001400A7805
CloseHandle.KERNEL32 ref: 00000001400A781D
CreateFileW.KERNEL32 ref: 00000001400A7848
WriteConsoleW.KERNEL32 ref: 00000001400A7867

Strings

CONOUT$, xrefs: 00000001400A7829

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 6204a89cdd06f09cfc3486d0d96b2f463e47156f2c9ace21a11958914875a066
Instruction ID: b2c7ae89afa13f93ab2f89b082ff298c5d837d5d0260bd35e7c271c2b071468c
Opcode Fuzzy Hash: 6204a89cdd06f09cfc3486d0d96b2f463e47156f2c9ace21a11958914875a066
Instruction Fuzzy Hash: E6116A32710A4086E7528B57F854B9DA2A1FB9CFE4F444224EB6D877A4DF3CC845CB50

Function 00007FF7F892F340 Relevance: 9.4, APIs: 6, Instructions: 414COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00007FF7F892F4C2
fputc.MSVCRT ref: 00007FF7F892F53A
fputc.MSVCRT ref: 00007FF7F892F592

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 3c91229a8620996d77b275314aee762391fa8306f714f08d228cfd6e98818314
Instruction ID: 087396777fddf544d557c86b4105d6914bf3a38b15bccde1966b47f273d2587d
Opcode Fuzzy Hash: 3c91229a8620996d77b275314aee762391fa8306f714f08d228cfd6e98818314
Instruction Fuzzy Hash: 05F1FB72E1854246EB30EF25D104B39E691BB14B6AF968234CD3E577C4CA3CF941E798

Function 00000001400B866C Relevance: 9.2, APIs: 6, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00000001400B8719
MultiByteToWideChar.KERNEL32 ref: 00000001400B87B5
MultiByteToWideChar.KERNEL32 ref: 00000001400B885E
MultiByteToWideChar.KERNEL32 ref: 00000001400B8888
MultiByteToWideChar.KERNEL32 ref: 00000001400B8930
CompareStringEx.KERNEL32 ref: 00000001400B897D

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 8e7ed421b9ab10fa64d8ac8429b202f25cf3c3f4c1382695c7f8b6ad37d36eca
Instruction ID: 00de4b50e6229e7b19f2ebf843531fdc6470dc3cb5f6c1b8a30933229632cc52
Opcode Fuzzy Hash: 8e7ed421b9ab10fa64d8ac8429b202f25cf3c3f4c1382695c7f8b6ad37d36eca
Instruction Fuzzy Hash: D1A18E72214A808AEF338FA294543ED66A1F748BE8F584622FF59077F5EB38C945C341

Function 00000001400B830C Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400B837C
MultiByteToWideChar.KERNEL32 ref: 00000001400B841A
LCMapStringEx.KERNEL32 ref: 00000001400B8483
LCMapStringEx.KERNEL32 ref: 00000001400B84D5
LCMapStringEx.KERNEL32 ref: 00000001400B857A
WideCharToMultiByte.KERNEL32 ref: 00000001400B85D4

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: aff1d1866dc12ffdbaee311dbe293056c30c40e0640524166ebc9974f98794e1
Instruction ID: 8b8c5f4bf6079c73f73cf44f0fe3ced5764d8e641cf6acd2d34b214dda9e4180
Opcode Fuzzy Hash: aff1d1866dc12ffdbaee311dbe293056c30c40e0640524166ebc9974f98794e1
Instruction Fuzzy Hash: 6D817E72200B8086EB368FA6E84079972E5FB98BE8F544625FF5947BF8DB38C545C700

Function 00007FF7F8936EA0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

___mb_cur_max_func.MSVCRT ref: 00007FF7F8936ECB
___lc_codepage_func.MSVCRT ref: 00007FF7F8936ED3
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF7F8936F23
MultiByteToWideChar.KERNEL32 ref: 00007FF7F8936F55

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: Byte$CharLeadMultiWide___lc_codepage_func___mb_cur_max_func
String ID:
API String ID: 2785433807-0
Opcode ID: b8ade29cbcad1670599392aa2893148449ef957c3984b89b714999f8b731dc73
Instruction ID: 750697808981ad839852152427f6272cd56d1dd58698dfcb1b5f66211db65dad
Opcode Fuzzy Hash: b8ade29cbcad1670599392aa2893148449ef957c3984b89b714999f8b731dc73
Instruction Fuzzy Hash: 5931292360920249F762AB25E8003B9E5986B417B9F844236EEB9477C0DE3DD181F394

Function 00007FF7F8911E18 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

rand.MSVCRT ref: 00007FF7F8911E18
rand.MSVCRT ref: 00007FF7F8911E35
rand.MSVCRT ref: 00007FF7F8911E5A

Strings

Performing arithmetic operations on: , xrefs: 00007FF7F8911E73
+-*/, xrefs: 00007FF7F8911E7C
and , xrefs: 00007FF7F8911E97

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: rand
String ID: and $+-*/$Performing arithmetic operations on:
API String ID: 415692148-3864222635
Opcode ID: f0d3409b9f0d6e33847339fe865cbda917983b98c22d437aab5b055a0af117dc
Instruction ID: 415e6b116f241f5f88595c01908793563dc929e75aa7bfcb23537a692a14c8b7
Opcode Fuzzy Hash: f0d3409b9f0d6e33847339fe865cbda917983b98c22d437aab5b055a0af117dc
Instruction Fuzzy Hash: 45210512F0E91608EB14FB25984527DD7925F86B91FC89131DD2E073DADD3CE900A3E8

Function 0000000140095A40 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140095A4F
FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095A85
FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095AB2
FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095AC3
FlsSetValue.KERNEL32(?,?,-256325B0FF13704B,0000000140091B75,?,?,?,?,0000000140098C74), ref: 0000000140095AD4
SetLastError.KERNEL32 ref: 0000000140095AEF

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 46da3ed24448742f5e73d5ccb86e50a9ce35f99c3519794e4a68f5c6ccae4417
Instruction ID: 4e56595a93ee8ec0115da1d98981107824e97e2991e46ab42691fcb503f31c77
Opcode Fuzzy Hash: 46da3ed24448742f5e73d5ccb86e50a9ce35f99c3519794e4a68f5c6ccae4417
Instruction Fuzzy Hash: 4E117F3030524042FA5B677756963ED65525F4C7F0F540729BB3647BF6EE38C4418302

Function 00007FF7F8914480 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7F8914605

Strings

=, xrefs: 00007FF7F891459E
=, xrefs: 00007FF7F89144EC
;, xrefs: 00007FF7F891451E
HEN>, xrefs: 00007FF7F891456F

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: HandleModule
String ID: ;$=$=$HEN>
API String ID: 4139908857-2188461147
Opcode ID: de21482289b350c4a1ef8e9bc7a21981703884f7dfa1a2066d3a504667ed42bb
Instruction ID: 301b1f9359e91ce8b3320cf02f05b108577195b672c7e25093d0aa523f467341
Opcode Fuzzy Hash: de21482289b350c4a1ef8e9bc7a21981703884f7dfa1a2066d3a504667ed42bb
Instruction Fuzzy Hash: 4F41A032A0CB8486EB11DB18F0403A9F7A0F789798FC10526DB9D03B98DB7CD245CB85

Function 00000001400A00B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000001400A00D9
GetProcAddress.KERNEL32 ref: 00000001400A00EF
FreeLibrary.KERNEL32 ref: 00000001400A0116

Strings

CorExitProcess, xrefs: 00000001400A00E8
mscoree.dll, xrefs: 00000001400A00D0

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 11d1bc54c7adcb39bb252d565eeaa109e042f256159d3b1e4446ddc4ea841d4a
Instruction ID: 545204f8687e3a2734c2c0d104c94094f9ded36245a91659c09d7b5539e87f50
Opcode Fuzzy Hash: 11d1bc54c7adcb39bb252d565eeaa109e042f256159d3b1e4446ddc4ea841d4a
Instruction Fuzzy Hash: E9F0627131160882EB568B26E8453DD6360EF8D7E1F540319E769472F4CF3CC1868B10

Function 00007FF7F8A00A00 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 00007FF7F8A00B49, 00007FF7F8A00BE2, 00007FF7F8A00C72, 00007FF7F8A00D02, 00007FF7F8A00D92

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: basic_string::_M_create
API String ID: 0-3122258987
Opcode ID: 44b85481758d657289992c4c4b478202b050daf0a3589029b5cd0d7c519323b4
Instruction ID: 12c9ae66d67149bfdd8051b79b6cb57a056c196892071224c59e8f68f479f1aa
Opcode Fuzzy Hash: 44b85481758d657289992c4c4b478202b050daf0a3589029b5cd0d7c519323b4
Instruction Fuzzy Hash: 5CA1E662B1B68584EF20AF35D8404B9E250EB45BE4FD88631DA3D873D5EF2CE491D3A4

Function 00007FF7F892F9C0 Relevance: 7.8, APIs: 5, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ea054b2a2157d068e8ab586f5ae1021de10276e6996cd183b54ca99c2502e6
Instruction ID: cb9176e7b0d8cbbce7846a40d26a7c63dbdef526f5682213a1436689ec15cb4d
Opcode Fuzzy Hash: 64ea054b2a2157d068e8ab586f5ae1021de10276e6996cd183b54ca99c2502e6
Instruction Fuzzy Hash: EEC19E73E0965286E771EF24C414739E7A1EB44B59F9A8231CA2D573C4CB3CE841E7A8

Function 00007FF7F8913060 Relevance: 7.7, APIs: 5, Instructions: 231stringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F8913071
GetTempPathA.KERNEL32 ref: 00007FF7F89130C8
strlen.MSVCRT ref: 00007FF7F89131E7
strlen.MSVCRT ref: 00007FF7F89132A9
memcpy.MSVCRT ref: 00007FF7F89132EE

Part of subcall function 00007FF7F894EE70: memchr.MSVCRT ref: 00007FF7F894EEB1

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlen$CurrentPathProcessTempmemchrmemcpy
String ID:
API String ID: 1237187527-0
Opcode ID: f4e7bedf47afd40fecaf14e77b810dd7dad75451e5cfdd79f2a6c94f68c429c1
Instruction ID: b8472579dce7dcd6562ff9dc5ff575dfd490795d76b082d3347bd39e262ecb3b
Opcode Fuzzy Hash: f4e7bedf47afd40fecaf14e77b810dd7dad75451e5cfdd79f2a6c94f68c429c1
Instruction Fuzzy Hash: 87A1732660CF8185EB50DB19E44036EE7A1FB85BA0F944235EAAD03BD8DF7CD005EB54

Function 000000014009CBF8 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014009CC3B
_set_statfp.LIBCMT ref: 000000014009CC59
_set_statfp.LIBCMT ref: 000000014009CC82
_set_statfp.LIBCMT ref: 000000014009CEBB

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f9d29a29cdd2ffd341ecb2d23d59fd5f68f4680a083a3d8e41450f0123bb1665
Instruction ID: 51537d9657ec2fdfa4f10ec80af9299248d2a692f50d6fc6d23c4d355d044b15
Opcode Fuzzy Hash: f9d29a29cdd2ffd341ecb2d23d59fd5f68f4680a083a3d8e41450f0123bb1665
Instruction Fuzzy Hash: C881F4B2A24A8449F7778F3AA450BEABA60FB5D7D8F044315FB5A275F4DB34C5818A00

Function 000000014008DEC4 Relevance: 7.7, APIs: 5, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008DF3D
_invalid_parameter_noinfo.LIBCMT ref: 000000014008DF8D
_invalid_parameter_noinfo.LIBCMT ref: 000000014008DFD5
_invalid_parameter_noinfo.LIBCMT ref: 000000014008E00D
_invalid_parameter_noinfo.LIBCMT ref: 000000014008E080

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a03a752f2ac655c7a58730884bc2fcf5dd5ee0725649a45cd42aac9bb0d07a50
Instruction ID: 522d1dfaad3cd7a1789f81a8b2f94e3c0e8e741ccacba2c26c74aefc8858f3ae
Opcode Fuzzy Hash: a03a752f2ac655c7a58730884bc2fcf5dd5ee0725649a45cd42aac9bb0d07a50
Instruction Fuzzy Hash: 8B51A233105B8486E7639F22E4603ED3BD5B759FC4F498412E7C8473A7DA3A8995D702

Function 00007FF7F89FE690 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7F89FE730
memcpy.MSVCRT ref: 00007FF7F89FE764

Strings

Result of , xrefs: 00007FF7F89FE692
basic_string::_M_create, xrefs: 00007FF7F89FE84A

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpy
String ID: Result of $basic_string::_M_create
API String ID: 3510742995-1160149181
Opcode ID: ecf818389d4a64880c138437d3c7078a4c229c0a1f64958101a06294d39f3f93
Instruction ID: ac791e1cf078792d60bb52dce7c19ff17a95d80b79e8f71366188c0cc80b8f8b
Opcode Fuzzy Hash: ecf818389d4a64880c138437d3c7078a4c229c0a1f64958101a06294d39f3f93
Instruction Fuzzy Hash: C341F726B0A68658EB19FB15C10027EE652EB80BD9FD44932CD3D0B7C5DE3CE441E3A4

Function 00000001400A8B70 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000001400A8B98
_set_statfp.LIBCMT ref: 00000001400A8BB3
_set_statfp.LIBCMT ref: 00000001400A8BCF
_set_statfp.LIBCMT ref: 00000001400A8C0B

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: ec8299edcefb6fa201b4cd1aeee9dcae6e47e61ba1c4a4a6e0c30bc807d4dc5c
Instruction ID: 9eabe2c6862708b434ee5f188970f655e061dec2d8f65aedb1ea2276e73e5cc0
Opcode Fuzzy Hash: ec8299edcefb6fa201b4cd1aeee9dcae6e47e61ba1c4a4a6e0c30bc807d4dc5c
Instruction Fuzzy Hash: 6E11E5B2A60E0105F67A112BED463E925406B7C3F8F890725BF67072F68B38CCC18B24

Function 0000000140095B08 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B27
FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B46
FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B6E
FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B7F
FlsSetValue.KERNEL32(?,?,?,000000014008D367,?,?,00000000,000000014008D602,?,?,?,?,-256325B0FF13704B,000000014008D58E), ref: 0000000140095B90

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a4a4f9ea1fe8b9925d9f5229c3e2104e7f1131be9a45ee9af6dd5d66ba5dd7ca
Instruction ID: 40ffcb6e7276c6b56e20ef340f0400dac99e19fffa2c2d3576c81a9cdb817faf
Opcode Fuzzy Hash: a4a4f9ea1fe8b9925d9f5229c3e2104e7f1131be9a45ee9af6dd5d66ba5dd7ca
Instruction Fuzzy Hash: 5C118F7070924042FA5AAB77A6523E966825F8C7F0F444369BB3957BF6DF7CC4418701

Function 000000014009599C Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00000001400959AD
FlsSetValue.KERNEL32 ref: 00000001400959CC
FlsSetValue.KERNEL32 ref: 00000001400959F4
FlsSetValue.KERNEL32 ref: 0000000140095A05
FlsSetValue.KERNEL32 ref: 0000000140095A16

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a4fd602ff4c21bae2ba80a261c589652b48751060fe2931f837fcaf8d560a57e
Instruction ID: c9b1f79b9437871e710b23d89dbf29e12363c3e18903ae63e702a788495a69bc
Opcode Fuzzy Hash: a4fd602ff4c21bae2ba80a261c589652b48751060fe2931f837fcaf8d560a57e
Instruction Fuzzy Hash: 8211297021620142F96BB77B54A63E916824F4D7F1F9817297B365B3F2ED3CD8418312

Function 000000014006D345 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 437COMMON

Download Yara Rule

APIs

RevertToSelf.ADVAPI32 ref: 000000014006D3E0
ImpersonateLoggedOnUser.ADVAPI32 ref: 000000014006D6CB
RevertToSelf.ADVAPI32 ref: 000000014006D6E9

Strings

APPB, xrefs: 000000014006D80A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: RevertSelf$ImpersonateLoggedUser
String ID: APPB
API String ID: 3543747371-1278849820
Opcode ID: 94b66b658ed09ae658190794c44e84a70b32414495d1fe4a4c6f3ab4362dba3d
Instruction ID: 6328d90dfc417aae0a75f28204237d3efcb13e8a4d3ac0bfbb6f9391f15e8308
Opcode Fuzzy Hash: 94b66b658ed09ae658190794c44e84a70b32414495d1fe4a4c6f3ab4362dba3d
Instruction Fuzzy Hash: 58129D72B2069089FB029BBAD8543DD2762E7497E8F605716FB6D17AEADF74C480C340

Function 00000001400300C6 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323COMMON

Download Yara Rule

Strings

directory_iterator::directory_iterator, xrefs: 0000000140030E02, 0000000140030E52
status, xrefs: 0000000140030E18, 0000000140030E2E
exists, xrefs: 0000000140030DE6

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID: directory_iterator::directory_iterator$exists$status
API String ID: 0-3429586796
Opcode ID: 18cfcb973e275f3359bb54c32ff1de0b45e9df6e8b787d3e5737cdb4d7b3e643
Instruction ID: 55f11669b2c6715494dc4fb567f6486542e9ba5ac96f56ea717def1ce1269872
Opcode Fuzzy Hash: 18cfcb973e275f3359bb54c32ff1de0b45e9df6e8b787d3e5737cdb4d7b3e643
Instruction Fuzzy Hash: B9E16132611BC589EB729F26D8503EA3360F79D798F449626EB8D4BB69EF34C641C340

Function 0000000140076CDB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 259fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400816E0: GetCurrentProcess.KERNEL32 ref: 0000000140081744
Part of subcall function 00000001400816E0: GetProcessId.KERNEL32 ref: 000000014008174D
Part of subcall function 00000001400816E0: RmStartSession.RSTRTMGR ref: 000000014008177C
Part of subcall function 00000001400816E0: RmRegisterResources.RSTRTMGR ref: 00000001400817A7
Part of subcall function 00000001400816E0: RmGetList.RSTRTMGR ref: 00000001400817E0
Part of subcall function 00000001400816E0: RmGetList.RSTRTMGR ref: 0000000140081842

GetFileSize.KERNEL32 ref: 0000000140076DE1
SetFilePointer.KERNEL32 ref: 0000000140076E94
ReadFile.KERNEL32 ref: 0000000140076EC3

Strings

ios_base::badbit set, xrefs: 000000014007736F

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: File$ListProcess$CurrentPointerReadRegisterResourcesSessionSizeStart
String ID: ios_base::badbit set
API String ID: 1164181714-3882152299
Opcode ID: b21f64af440073c6051ecf62b95bac71750afb88095a937f8121b0b6e9b59d2d
Instruction ID: e423b73e69e3eb3b89c535b40fbd5329fb55dfd1c877f314d4b2d92c6e73c0c6
Opcode Fuzzy Hash: b21f64af440073c6051ecf62b95bac71750afb88095a937f8121b0b6e9b59d2d
Instruction Fuzzy Hash: A4C1F232710BC489EB21DF25D8807DD37A5F789B88F508226EB4D4BBA9DB74C645C701

Function 000000014002D961 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 251COMMON

Download Yara Rule

Strings

: ", xrefs: 000000014002DA0A
", ", xrefs: 000000014002DA3D

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID: ", "$: "
API String ID: 0-747220369
Opcode ID: 502cb8dffc5d950ded9be3649ad98e12effc28c98abc924bf6a92b50259563f1
Instruction ID: b48806bc5931859d9f60c080c4a103d486102d7c23a0804a85736c8dc29304ac
Opcode Fuzzy Hash: 502cb8dffc5d950ded9be3649ad98e12effc28c98abc924bf6a92b50259563f1
Instruction Fuzzy Hash: 99917B72700A4095EB02EF66E0953EC3361E759BC8F508626EF5D57BAADF38C995C380

Function 00007FF7F892A710 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF7F8BAF060,00007FF7F8BAF068,00007FF7F8BAF0B0,?,?,?,?,00000001,00007FF7F8911244), ref: 00007FF7F892A8F3

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7F892AA8A
Unknown pseudo relocation bit size %d., xrefs: 00007FF7F892AA74
Unknown pseudo relocation protocol version %d., xrefs: 00007FF7F892AA96

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: e2176e22cacbc1e56bd42fc89a58474ee1bbcd1f4fcc8751c36bb341390877a3
Instruction ID: a04e7cfcad7544b7128090bf6b5963ba262d89b299cfbf546f33024dd41a0a17
Opcode Fuzzy Hash: e2176e22cacbc1e56bd42fc89a58474ee1bbcd1f4fcc8751c36bb341390877a3
Instruction Fuzzy Hash: 3F91B437E1950246EB20EB159942679E3E1BF54766FD68231CE3D077D4DE3CE802A2E8

Function 00000001400BAB50 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BAE2F

Part of subcall function 00000001400A73AC: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A73C9

Strings

UTF-8, xrefs: 00000001400BADAE
ccs, xrefs: 00000001400BAD6A
UTF-16LEUNICODE, xrefs: 00000001400BADCD

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 851a617801b4cfd31061c4c6c380f6ef5142011fd0a99ac6d62129d95d7a0a73
Instruction ID: c25c3288be8e472c6befd42f9ca98e390cbf50fe56392b6ea39b80f7af3d53ba
Opcode Fuzzy Hash: 851a617801b4cfd31061c4c6c380f6ef5142011fd0a99ac6d62129d95d7a0a73
Instruction Fuzzy Hash: F8819DB2600A4086FB778FABC1507F93BB0A31ABC8F658005FB4667AB5D33DC9429711

Function 00000001400461F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140046260
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400462A8
_Getcoll.LIBCPMT ref: 00000001400462DC

Strings

bad locale name, xrefs: 00000001400463E1

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$GetcollLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1287851536-1405518554
Opcode ID: a74d05edcc680aa49797f08e4eedccf6035f239cca559bda27cab53509a1a993
Instruction ID: 2dd48ec296852500dd2f0364dd46106788e004d0cc0eadaa75e91df770a0f7fb
Opcode Fuzzy Hash: a74d05edcc680aa49797f08e4eedccf6035f239cca559bda27cab53509a1a993
Instruction Fuzzy Hash: 5C714B32702B408AFB16DFB6D4903DC3376AB48B98F044125EF592BBAADE348555D389

Function 0000000140059AB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 0000000140059C90
__std_exception_destroy.LIBVCRUNTIME ref: 0000000140059C9D

Strings

, column , xrefs: 0000000140059B68
at line , xrefs: 0000000140059B3A

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: __std_exception_destroy
String ID: at line $, column
API String ID: 2453523683-191570568
Opcode ID: 24fe7f42ac002282dae115578377fdd728047d5eb7b3d8577a3df730c4bd1d07
Instruction ID: f5178fb3b268f0b48bb0946d76aaafe813ca48c51b666f22c5d6955aa079505b
Opcode Fuzzy Hash: 24fe7f42ac002282dae115578377fdd728047d5eb7b3d8577a3df730c4bd1d07
Instruction Fuzzy Hash: E851A072B04B8081EA11DB1AF58039EB761F799BD4F104212FBA907BAADF79C591C740

Function 000000014002C670 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014002C6DF
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000014002C727
_Getctype.LIBCPMT ref: 000000014002C765

Strings

bad locale name, xrefs: 000000014002C81E

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1612978173-1405518554
Opcode ID: b3b85aaa9564d3eb53080caaeaa34e3804193ba04b17ecad880dd215a6707056
Instruction ID: 974744e1641dd82f39cde997d7380458ab7219ed9018711764406166cb430a43
Opcode Fuzzy Hash: b3b85aaa9564d3eb53080caaeaa34e3804193ba04b17ecad880dd215a6707056
Instruction Fuzzy Hash: A2512A36711B408AEB16DFB2E4907ED33B5FB48788F044429EB4A27AA5DF34C915D384

Function 00007FF7F892AB00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF7F892AB15

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: d3dbc5fc667eaa8116ddc9648ae4a223ff8f86823c9b38466b26c19195cb2a75
Instruction ID: d1b809eaf88e669cd78256e06df646b3a8565bfade615204f53f7ef3c1bbcfdf
Opcode Fuzzy Hash: d3dbc5fc667eaa8116ddc9648ae4a223ff8f86823c9b38466b26c19195cb2a75
Instruction Fuzzy Hash: F3215E62E091024AFB68F3658552378E1C29FC9752F9A4936C93E863D1DD1CA8C1B2BD

Function 000000014008194E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400A9B70: AcquireSRWLockExclusive.KERNEL32 ref: 00000001400A9B80

GetModuleHandleA.KERNEL32 ref: 000000014008196A
GetProcAddress.KERNEL32 ref: 000000014008197A

Strings

ntdll.dll, xrefs: 0000000140081963
NtDuplicateObject, xrefs: 0000000140081973

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AcquireAddressExclusiveHandleLockModuleProc
String ID: NtDuplicateObject$ntdll.dll
API String ID: 956071019-829176969
Opcode ID: 0892d24e8280c9ca28f2a4ef2ebc3fefd12f45278bc96ee3cb6f4232baa62d7a
Instruction ID: 29acd23d1b2af4f5491f75f2eb0f5caea469346f4c8e7b10281902b42738524f
Opcode Fuzzy Hash: 0892d24e8280c9ca28f2a4ef2ebc3fefd12f45278bc96ee3cb6f4232baa62d7a
Instruction Fuzzy Hash: 1901E73221190085FA53DBA7FC653E92390BBDDBE5F440626AB1E471B1EF38C5D6C610

Function 00000001400B6450 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400B6466
GetProcAddress.KERNEL32 ref: 00000001400B6476

Strings

kernel32.dll, xrefs: 00000001400B645F
GetTempPath2W, xrefs: 00000001400B646C

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTempPath2W$kernel32.dll
API String ID: 1646373207-1846531799
Opcode ID: feccffff2a60b544ffbbbafe503937a9e42bf7f10482beb47b79b4c0f892a682
Instruction ID: b479fef3ac197ef4dce19ec26a24247ec8550dec43ddafd548e24bb2c55acab6
Opcode Fuzzy Hash: feccffff2a60b544ffbbbafe503937a9e42bf7f10482beb47b79b4c0f892a682
Instruction Fuzzy Hash: 9EE01A75704B0582EE469B12F9987AD2361FF8CBC4F589029EB1E07334DE3CD4869B00

Function 00007FF7F892A070 Relevance: 6.3, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F892A0F5
memcpy.MSVCRT ref: 00007FF7F892A10E
free.MSVCRT ref: 00007FF7F892A119

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 616034b4082db6133acc050cdb7f1ef8251caf1ace96c15328d116e499333b8e
Instruction ID: 98b0cfb007da36e9366edec59cca7487855aa3ff58e14f6ad55d50b287a57745
Opcode Fuzzy Hash: 616034b4082db6133acc050cdb7f1ef8251caf1ace96c15328d116e499333b8e
Instruction Fuzzy Hash: 03318723B4964245FB66FB11AA01379D2D16F40BF1F998230DD7D06AC6DE2C9441A394

Function 0000000140097F54 Relevance: 6.3, APIs: 4, Instructions: 305fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000000140097FDB
WriteFile.KERNEL32 ref: 00000001400982A2
WriteFile.KERNEL32 ref: 00000001400982EB
GetLastError.KERNEL32 ref: 00000001400983AC

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 7f3eb5a86098c1c517e33af41decd246e6b98b795eba64b701eaa93da67d498f
Instruction ID: a6b027b0e07357715d3c80cbbe1cd0166f8b724c902756b6abe27a254a4597ff
Opcode Fuzzy Hash: 7f3eb5a86098c1c517e33af41decd246e6b98b795eba64b701eaa93da67d498f
Instruction Fuzzy Hash: F1D1AB32714A808AEB22CF7AD4403EC37B5F358BD8F548216EF5997BA9DA34C556CB40

Function 00007FF7F891A8F8 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F891AA84

Strings

y, xrefs: 00007FF7F892482C
ty, xrefs: 00007FF7F891A9EE
t, xrefs: 00007FF7F892480A

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlen
String ID: t$ty$y
API String ID: 39653677-1920740250
Opcode ID: 87489741a1c735bb47c7c7fa151bb2518af881d747d5548b986082c319ae107a
Instruction ID: 706f5a5b20ead613ab90d2efe95ae198d905162d13e4c0f52f158d7fe8cb1ab0
Opcode Fuzzy Hash: 87489741a1c735bb47c7c7fa151bb2518af881d747d5548b986082c319ae107a
Instruction Fuzzy Hash: E4E14D72508BC2C6E7568F34C0143E87AA1EB29F4CF4C8135CB990B799DBBE94959371

Function 0000000140098930 Relevance: 6.2, APIs: 4, Instructions: 218COMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000000140098A53
GetLastError.KERNEL32 ref: 0000000140098ADD

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 0064717757fb816ba36e302a15913e1cbdafe464b3098268c38cec24d04983ad
Instruction ID: e0bad62a638c68990d328d5793b8bdc1d639ed9625066bc4d5269d2327d8b571
Opcode Fuzzy Hash: 0064717757fb816ba36e302a15913e1cbdafe464b3098268c38cec24d04983ad
Instruction Fuzzy Hash: D991B1B261065089FB62CF6698807ED2BA0F74CBD8F48511AFF4A67BA5DB34C485CB11

Function 00007FF7F891CC9C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F891CD0C
strcmp.MSVCRT ref: 00007FF7F891CD49

Strings

(, xrefs: 00007FF7F8923FB5

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: (
API String ID: 1004003707-3887548279
Opcode ID: 44ff3ea0eba828e30fde48cf3e6407d113ef1c86855c37323daa94a633f6d87f
Instruction ID: 913cf6682a6164efc5c8d10d6afd3de962fe0d980127d17dbc539e7d4653c7ef
Opcode Fuzzy Hash: 44ff3ea0eba828e30fde48cf3e6407d113ef1c86855c37323daa94a633f6d87f
Instruction Fuzzy Hash: EEA19F72608B8685E755EF25C4043E9A761EB55F89F884032CE6E0B7D6CF7CD884A3A4

Function 00007FF7F891BC30 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 205stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F8920293

Strings

a, xrefs: 00007FF7F8924EA2
rm, xrefs: 00007FF7F8924EB6
a, xrefs: 00007FF7F8924E9D

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strlen
String ID: a$a$rm
API String ID: 39653677-3573517395
Opcode ID: c7bf3fc4039771aa151d5a77072f9711761caae911655a942766ef051505f1bc
Instruction ID: 20d7fb173abb93bb8bfee91f78e59622210591e3ffc0689f699272df8fe97d56
Opcode Fuzzy Hash: c7bf3fc4039771aa151d5a77072f9711761caae911655a942766ef051505f1bc
Instruction Fuzzy Hash: 66B182729087C2C5E7569F28C0083E8BA91EB25F4CF5C8135CB980F799DBBE9446A375

Function 00007FF7F8A05D20 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF7F8A05DE6
memcpy.MSVCRT ref: 00007FF7F8A05E1E
memcpy.MSVCRT ref: 00007FF7F8A05E70

Strings

basic_string::_M_create, xrefs: 00007FF7F8A05EC7

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create
API String ID: 3510742995-3122258987
Opcode ID: 72179817af7f84d4777a76ac889e536a436144b296a5be41eac1759ee4653c10
Instruction ID: 6623dbd95aff52036982ce1ed6c39c966369831b808eeae116866afba11c2ce1
Opcode Fuzzy Hash: 72179817af7f84d4777a76ac889e536a436144b296a5be41eac1759ee4653c10
Instruction Fuzzy Hash: 9F61D162A1AA4591EB15EB25C8056B9E391EF01BD4FC48732DA3D237D4EF3CE442D394

Function 00000001400BBDF8 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400BBE39
_invalid_parameter_noinfo.LIBCMT ref: 00000001400BBEB9
_invalid_parameter_noinfo.LIBCMT ref: 00000001400BBF0D
_get_daylight.LIBCMT ref: 00000001400BBF65

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: cbe6a422300ce47d191bfdaffd942f57c8d825da7a2edd8825320d75a71d5f2d
Instruction ID: 4cef64af6a6c9a86ce83d0a7878914f71726a3e20492fbdc572d3d8bd7fdd1ae
Opcode Fuzzy Hash: cbe6a422300ce47d191bfdaffd942f57c8d825da7a2edd8825320d75a71d5f2d
Instruction Fuzzy Hash: D7510332604E0287F76B5EABD9013FD66A0E3487E4F198035BB16472F6D7B9CA40CB42

Function 00007FF7F892FE10 Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 00007FF7F892FF44

Part of subcall function 00007FF7F8936D60: ___lc_codepage_func.MSVCRT ref: 00007FF7F8936D7F

fputc.MSVCRT ref: 00007FF7F892FEB8

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: ___lc_codepage_funcfputclocaleconv
String ID:
API String ID: 1339002523-0
Opcode ID: ce1dac330c6f27128e61fe827faa414519fca3154a38c89fa2bd38bea5801416
Instruction ID: 2ba3fce3cb5276d3f6b4b8b3b5d6116cbae242c65a3949932d232f0f704e3df6
Opcode Fuzzy Hash: ce1dac330c6f27128e61fe827faa414519fca3154a38c89fa2bd38bea5801416
Instruction Fuzzy Hash: A1518F73A0551189E731EF24D1413A9F7E1EB04F5AF964231EB2C477C9CA38E841E7A8

Function 0000000140081E60 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000000140081E80
FreeEnvironmentStringsW.KERNEL32 ref: 0000000140081F7B
RtlInitUnicodeString.NTDLL ref: 0000000140081FEE
RtlInitUnicodeString.NTDLL ref: 0000000140081FFB

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: EnvironmentInitStringStringsUnicode$Free
String ID:
API String ID: 2488768755-0
Opcode ID: bcdf9e957b836fad2b9a144feaaed0332e88cebafea3e7606a3ee423db221a5a
Instruction ID: 9735953dc97c4c7278c1d0ea2bf846f00a1df3506a1c5c193014c8045fd42382
Opcode Fuzzy Hash: bcdf9e957b836fad2b9a144feaaed0332e88cebafea3e7606a3ee423db221a5a
Instruction Fuzzy Hash: C3518932A18B80C2EB129F16E44039D7761FB98BD4F549215EB9D03BA6DF78D2E1C700

Function 000000014003FFA0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B782C: std::_Lockit::_Lockit.LIBCPMT ref: 00000001400B7849
Part of subcall function 00000001400B782C: std::locale::_Setgloballocale.LIBCPMT ref: 00000001400B786C

std::_Lockit::_Lockit.LIBCPMT ref: 000000014003FFE1
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140040006
std::_Facet_Register.LIBCPMT ref: 00000001400400B2
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140040114

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_RegisterSetgloballocalestd::locale::_
String ID:
API String ID: 3698853521-0
Opcode ID: 5df3add741de15268a4c1c893243a82b2349d0c978b64c86d7b80c97edf7e36a
Instruction ID: bc1c7009bf646980d28510eba16aabbeef68747b7b6e5d2c383e6a03373d8cef
Opcode Fuzzy Hash: 5df3add741de15268a4c1c893243a82b2349d0c978b64c86d7b80c97edf7e36a
Instruction Fuzzy Hash: 12414232210B4082EA16DF62E84479A73A4F78CBD0F591622FB9D077B6DF38C852C704

Function 00007FF7F89F9BF0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00007FF7F89F9C7C
memcpy.MSVCRT ref: 00007FF7F89F9C99

Strings

basic_ios::clear, xrefs: 00007FF7F89F9BF4
basic_string::_M_replace, xrefs: 00007FF7F89F9D2D

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpymemmove
String ID: basic_ios::clear$basic_string::_M_replace
API String ID: 167125708-1781676995
Opcode ID: 9e4550a019cffcd376447f221df9850e9f31bf033150585d54ede76ce84063a6
Instruction ID: 4a78b22e6cf2517163ddace2dceee145f0d13750bd60b794e7974e4fdcea7ad2
Opcode Fuzzy Hash: 9e4550a019cffcd376447f221df9850e9f31bf033150585d54ede76ce84063a6
Instruction Fuzzy Hash: 7631FB21B0968541EB29EB25D9087B9E790AB51FE5FD40231FD3D07BD9CD2CE141E398

Function 000000014008DD68 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014008DDE1
_invalid_parameter_noinfo.LIBCMT ref: 000000014008DE46
_invalid_parameter_noinfo.LIBCMT ref: 000000014008DE82
_invalid_parameter_noinfo.LIBCMT ref: 000000014008DEB3

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0c193d88b50845aa81bb229cfeef5bca62bd87736d0df081c0babc2b4f8602ff
Instruction ID: 0fde3df684555fdb01bbb0567f65396fd5906680ff97a9fc4fbb11267d081220
Opcode Fuzzy Hash: 0c193d88b50845aa81bb229cfeef5bca62bd87736d0df081c0babc2b4f8602ff
Instruction Fuzzy Hash: 2C417F37105B84C9E763AF22E4603ED3FA5B759FD4F488152EB880B3A6DA3A8555C312

Function 00007FF7F891C01B Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7F891C086

Strings

: , xrefs: 00007FF7F891C0C9
new , xrefs: 00007FF7F89241C2
, xrefs: 00007FF7F892422B

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: strcmp
String ID: $ : $new
API String ID: 1004003707-2075650739
Opcode ID: 3fc4c2fb453cfd023dde4cb91d12fe7f9a63e258c5c55c3d849b597dfd20e7c1
Instruction ID: 799eed4d2b69920052d52dafc62ff594feda3c6434eff3240e701b2fec77225d
Opcode Fuzzy Hash: 3fc4c2fb453cfd023dde4cb91d12fe7f9a63e258c5c55c3d849b597dfd20e7c1
Instruction Fuzzy Hash: C6418D72B4874685EB55EF12A8003F9E750AB91B95FC44035CF2A0B7C6DE7CD885A3A4

Function 0000000140072620 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014007264B
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140072670
std::_Facet_Register.LIBCPMT ref: 000000014007271B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140072766

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: 62bd9740c1c2a61441fbb226ba8157bed7cf0d9f22f07cc03869d12c08925ec8
Instruction ID: be9d38ffdc7b6e85c66b2e680f8457809c6085b235bb2fc594de332f3a9dc2cf
Opcode Fuzzy Hash: 62bd9740c1c2a61441fbb226ba8157bed7cf0d9f22f07cc03869d12c08925ec8
Instruction Fuzzy Hash: 76414736214A8085FA26DF57E8543D967A0F38CBE4F581626AB8E477B6DE3CC542C700

Function 0000000140053690 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001400536BB
std::_Lockit::_Lockit.LIBCPMT ref: 00000001400536E0
std::_Facet_Register.LIBCPMT ref: 000000014005378B
Concurrency::cancel_current_task.LIBCPMT ref: 00000001400537D6

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: ee9c97aff65a88c868663459daf74bfe0eb66c434d2bd69df478b3ba643f2863
Instruction ID: 96bec1322d2bd20d32e2a3d0ca8a3050f366ed013bd88369537771368691d56a
Opcode Fuzzy Hash: ee9c97aff65a88c868663459daf74bfe0eb66c434d2bd69df478b3ba643f2863
Instruction Fuzzy Hash: 5B4159B6618A4481FB26DB56E4543D963A0F78DBE4F981622EB8E477B5DA38C4418700

Function 0000000140041CC0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140041CEB
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140041D10
std::_Facet_Register.LIBCPMT ref: 0000000140041DBB
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140041E06

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: 430a7c7fba3e6cd772f167e092afeeab044c99694aa112083181d399e8b4a4ca
Instruction ID: d98e3f844eaae0dbb3641ed48c0eccbc43257799aee9a4d2446aa5f2d7179b55
Opcode Fuzzy Hash: 430a7c7fba3e6cd772f167e092afeeab044c99694aa112083181d399e8b4a4ca
Instruction Fuzzy Hash: C2416576210A4081FA269F17E8503D967A4F78CBE4F581622EB8E07BB9DE38C442C704

Function 0000000140071DA0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140071DCB
std::_Lockit::_Lockit.LIBCPMT ref: 0000000140071DF0
std::_Facet_Register.LIBCPMT ref: 0000000140071E9B
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140071EE6

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: f56fe5ed18232deb18e968c14c5c3fe04522fd7049ad61aa0ad3329ac39ecee9
Instruction ID: 66d9cf291a1fa9e9b9738823fb45094ee63abfac6f40b496fa964a1de3cbb30d
Opcode Fuzzy Hash: f56fe5ed18232deb18e968c14c5c3fe04522fd7049ad61aa0ad3329ac39ecee9
Instruction Fuzzy Hash: F9414436214A4081FA269F6AE8547E963A4F79DBE4F481622FB8D477F5DE38C442C700

Function 00007FF7F89CB7B0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 87stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF7F89CB7D8
memcpy.MSVCRT ref: 00007FF7F89CB807

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF7F89CB875
basic_string::_M_replace, xrefs: 00007FF7F89CB7B2, 00007FF7F89CB890

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: memcpystrlen
String ID: basic_string::_M_replace$basic_string::_S_construct null not valid
API String ID: 3412268980-2381965344
Opcode ID: 79e987ffc4bcb91b5321d71e7488087a07853e24a2e21d4a92b84586f2bdd09f
Instruction ID: d02f394c1e59bdfeadb6d10c94ffddc1a1719d34c331bafbbbe120ed6c68bfe7
Opcode Fuzzy Hash: 79e987ffc4bcb91b5321d71e7488087a07853e24a2e21d4a92b84586f2bdd09f
Instruction Fuzzy Hash: 8521D261A0AA4684EB01EB1AE8801ACE7A4FF05BC5FC44435D96D073D1DE3CD452E3E4

Function 00007FF7F8935680 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000003,00007FF7F8BAF1A0,00007FF7F89357BF), ref: 00007FF7F89356B5
InitializeCriticalSection.KERNEL32(00000000,00000003,00007FF7F8BAF1A0,00007FF7F89357BF), ref: 00007FF7F89356F8
InitializeCriticalSection.KERNEL32 ref: 00007FF7F89356FE

Strings

*, xrefs: 00007FF7F89356A1

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: CriticalInitializeSection$Sleep
String ID: *
API String ID: 1960909292-3311777216
Opcode ID: 8cc8789fdc81fa29067ac66dfc528fbecfa4c76c3f5a56aee71b84c1566e406d
Instruction ID: b0879dd9b71b66af820037d84f97d3523df0a0318c5f7587d72a7abbfc90aee3
Opcode Fuzzy Hash: 8cc8789fdc81fa29067ac66dfc528fbecfa4c76c3f5a56aee71b84c1566e406d
Instruction Fuzzy Hash: 5221B322A4C54295F722B715ED501B8E764AF49356FC80432CD2E863E0EE1CE985F3A8

Function 00000001400B6634 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400B667D
GetLastError.KERNEL32 ref: 00000001400B668B
WideCharToMultiByte.KERNEL32 ref: 00000001400B66C0
GetLastError.KERNEL32 ref: 00000001400B66CE

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 200b3f1345e44cfc852f10eac067f1733b4bc9db33fdb8001f79150db3be88e0
Instruction ID: 6b88c86b770a9c586cb1af37b28efd7b706573da5102e3c4f3865fff8226cb73
Opcode Fuzzy Hash: 200b3f1345e44cfc852f10eac067f1733b4bc9db33fdb8001f79150db3be88e0
Instruction Fuzzy Hash: D0212E76614B94C7E3618F22E44435EB7B4F79DBD4F540129EB8957B64DB39C8418B00

Function 00000001400B6B20 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B6450: GetModuleHandleW.KERNEL32 ref: 00000001400B6466
Part of subcall function 00000001400B6450: GetProcAddress.KERNEL32 ref: 00000001400B6476

GetLastError.KERNEL32 ref: 00000001400B6B44

Part of subcall function 0000000140095298: IsProcessorFeaturePresent.KERNEL32 ref: 00000001400952BE

GetFileAttributesW.KERNEL32 ref: 00000001400B6B53
__std_fs_open_handle.LIBCPMT ref: 00000001400B6B7C
CloseHandle.KERNEL32 ref: 00000001400B6B8E

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
String ID:
API String ID: 156590933-0
Opcode ID: a30d72a7a7c29de0c40d55f3abdf60503d6325bd51d8adae0c4a333c6577edac
Instruction ID: 818140f3fab44495a555ab8a09c83194e8e23688ba8165b1c45cae0150ad504a
Opcode Fuzzy Hash: a30d72a7a7c29de0c40d55f3abdf60503d6325bd51d8adae0c4a333c6577edac
Instruction Fuzzy Hash: D6115132A14A4045EA565FB7A5847AA6671E7887F0F140614BB77C7AF5DF3CC4818B00

Function 00000001400AAB48 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000001400AAB74
GetCurrentThreadId.KERNEL32 ref: 00000001400AAB82
GetCurrentProcessId.KERNEL32 ref: 00000001400AAB8E
QueryPerformanceCounter.KERNEL32 ref: 00000001400AAB9E

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 6fe15b0c4e384d37091185729348d816b74690dfa4f443000fe0a912ec8efaa2
Instruction ID: 7d6ebf1f97da6684202fd37eb3c70f695ff936aad7ae610a3630038643fe83ba
Opcode Fuzzy Hash: 6fe15b0c4e384d37091185729348d816b74690dfa4f443000fe0a912ec8efaa2
Instruction Fuzzy Hash: 38111532751B008AEB008B62E8543A833A4F71DBA8F441E25EB6D877A4DF78C1A58350

Function 000000014007D830 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 000000014007D838
DeleteDC.GDI32 ref: 000000014007D841
ReleaseDC.USER32 ref: 000000014007D84C
DeleteObject.GDI32 ref: 000000014007D855

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: DeleteObject$ReleaseSelect
String ID:
API String ID: 668125219-0
Opcode ID: 726effa6fa06c5665faf841155b480fdf2c248cd2f2267ddd895ebd61a60b775
Instruction ID: 3fcc5ce217afc3662e5e244752c0bdbae6d9fdc28930436ae7c590a1549fdcf5
Opcode Fuzzy Hash: 726effa6fa06c5665faf841155b480fdf2c248cd2f2267ddd895ebd61a60b775
Instruction Fuzzy Hash: B6015A32204B8492E682DB22F45839F7768FB99BD0F818556AE4A03724CF78C5C6C750

Function 00007FF7F8912590 Relevance: 6.0, APIs: 4, Instructions: 34stringCOMMON

Download Yara Rule

APIs

strcpy_s.MSVCRT ref: 00007FF7F89125BD
strcpy_s.MSVCRT ref: 00007FF7F89125CA
_strlwr.MSVCRT ref: 00007FF7F89125D6
_strlwr.MSVCRT ref: 00007FF7F89125DB

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: _strlwrstrcpy_s
String ID:
API String ID: 3746470816-0
Opcode ID: 39eff12b834902331b533afb545837a96e33ccd5846002bbcdcfc94689f971a5
Instruction ID: 33b1064d7e07ca5b26be113e005714b8fb4827fcfa79fe878232263a0b2cb2b9
Opcode Fuzzy Hash: 39eff12b834902331b533afb545837a96e33ccd5846002bbcdcfc94689f971a5
Instruction Fuzzy Hash: 55F08C6175469695FE15AB23BD003B997199F86FD1F8C40329E4D03794CD2CE287D318

Function 0000000140068B80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000000140068D63
Concurrency::cancel_current_task.LIBCPMT ref: 0000000140068FB7

Strings

out_of_range, xrefs: 0000000140068BF2

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy
String ID: out_of_range
API String ID: 317858897-3053435996
Opcode ID: 22ea550406a21c82a9fa3a2d919b739b44e2018d566bd5efc64a60cf35bc2c12
Instruction ID: 206cb6943f1b9cbe300be6c636942754dcd29683bcaed745baca70fb605fe0ef
Opcode Fuzzy Hash: 22ea550406a21c82a9fa3a2d919b739b44e2018d566bd5efc64a60cf35bc2c12
Instruction Fuzzy Hash: 11D1A072711B8489EB11CB66E4403DD7362E759BD8F504B16EFAD17BA9DB38C195C300

Function 000000014002E800 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

[json.exception., xrefs: 000000014002E93B

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID:
String ID: [json.exception.
API String ID: 0-791563284
Opcode ID: 9d10d5961e257bc83ab52ab9107e09406af5a259c6370344c7be281104fa34b5
Instruction ID: 9bfa3acb795d48fbdc46d00a55fcaaa28ed1048c95eca48bab4ec83af28bcc05
Opcode Fuzzy Hash: 9d10d5961e257bc83ab52ab9107e09406af5a259c6370344c7be281104fa34b5
Instruction Fuzzy Hash: F771F172B10B9085FB01CB7AE4413DD37A1E799BD8F54421AEF9917BAADB78C482C340

Function 0000000140072BA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000140072C0F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000140072C57

Strings

bad locale name, xrefs: 0000000140072D2C

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 8e48b185d2ad377adad793cb0c2e61843d436bf41b4dc4ce2b229c4423d5b721
Instruction ID: b919e2adb03058459a08787be6f33273e8fd86740414413052806a2770abb456
Opcode Fuzzy Hash: 8e48b185d2ad377adad793cb0c2e61843d436bf41b4dc4ce2b229c4423d5b721
Instruction Fuzzy Hash: A8514C33311A408AEB16DFB2E4907EC33B4FB58B88F044425FB4A67AA5DE38C955D344

Function 0000000140054420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000014005448F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001400544D7

Strings

bad locale name, xrefs: 00000001400545B6

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 80a5ced4145d21076f0491c6eeec770f45411c69c219c7bb2cb606199f338d71
Instruction ID: e6e463b9e1f652434f87afe0abaeb0bd7d36a5076df94eceddc511b98dd6a078
Opcode Fuzzy Hash: 80a5ced4145d21076f0491c6eeec770f45411c69c219c7bb2cb606199f338d71
Instruction Fuzzy Hash: 96513B32312A408AEB16DFB2E4903EC33B4FB58788F044425FB8A67AA6DF34C525D344

Function 000000014009DEBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400A3264: _invalid_parameter_noinfo.LIBCMT ref: 00000001400A3297

_get_daylight.LIBCMT ref: 000000014009DFD4
_get_daylight.LIBCMT ref: 000000014009DFE5

Strings

?, xrefs: 000000014009DF65

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 3743a34bccfcb64129643f9c7a69ec7d1308491d8e92fb9134a31149a0e48a7e
Instruction ID: b0c4c4f40001a5467877201c390160bb1bb914dd2c4e957f28464d23d5666058
Opcode Fuzzy Hash: 3743a34bccfcb64129643f9c7a69ec7d1308491d8e92fb9134a31149a0e48a7e
Instruction Fuzzy Hash: 0E41F83221478046FB669B27E5563FA67A0E798BE4F144226FF5947BF5EB38C881C700

Function 0000000140098600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000000140098717
GetLastError.KERNEL32 ref: 0000000140098739

Strings

U, xrefs: 00000001400986C3

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: ff9670a3bdeea2dc0e04f94de2162aa67abd2fa7127bffc9359cf981a8e8ed7c
Instruction ID: 8e4ab516b8a29dfabae5ee0ef9a54c4ba7fa48e80f278cd7ab75898e171abe9a
Opcode Fuzzy Hash: ff9670a3bdeea2dc0e04f94de2162aa67abd2fa7127bffc9359cf981a8e8ed7c
Instruction Fuzzy Hash: D841B332715A8086DB218F66E8443EAA7A0F79CBC4F904125EF4D877A8EB3CC441CB40

Function 000000014009D258 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 000000014009D2AC
_set_errno_from_matherr.LIBCMT ref: 000000014009D319

Strings

exp, xrefs: 000000014009D287

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: exp
API String ID: 1187470696-113136155
Opcode ID: f45fae9e3f71500e5b5a591dcf295bfd7ffd6db6b8f160502000cbe5d4a7ff26
Instruction ID: f5d0c8a78a0e6a8a4dd1fb3f21a071c67b80d90b3824bfa811f874e6c851eba2
Opcode Fuzzy Hash: f45fae9e3f71500e5b5a591dcf295bfd7ffd6db6b8f160502000cbe5d4a7ff26
Instruction Fuzzy Hash: 24212236A10A148EE751CF7AD8813EC33B0FB5C388F401626FB0AA7B5ADA38D5418B40

Function 00000001400AC0C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00000001400AC118
RaiseException.KERNEL32 ref: 00000001400AC159

Strings

csm, xrefs: 00000001400AC146

Memory Dump Source

Source File: 00000002.00000002.1455567295.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_bot.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 2d42cdfcb1ff534642483aeaeae706dda7279a24a451ff2176392dab70bf652b
Instruction ID: 7f42a9847f84888bb00b0fd94d9c5d46f3abea2284a8759a76045259342b16a3
Opcode Fuzzy Hash: 2d42cdfcb1ff534642483aeaeae706dda7279a24a451ff2176392dab70bf652b
Instruction Fuzzy Hash: E411FB32214B8482EB628B16F44079977E5FB99B98F594225EB8D07769DF3CC591CB00

Function 00007FF7F892A420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

Unknown error, xrefs: 00007FF7F892A50C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 194a6ffba7f098d6450882ceade0846a3a5d892eff98fad5ff52d12c8e674ac6
Instruction ID: 1b0d3c9ed8438f9cabf8a368f88430db76e06ef369d1c253e872936d7b9aaa6b
Opcode Fuzzy Hash: 194a6ffba7f098d6450882ceade0846a3a5d892eff98fad5ff52d12c8e674ac6
Instruction Fuzzy Hash: 4F01E122908E8886D312DF1CD8011FAF374FF9A79AFA55325EB8C262A0DF29D543D704

Function 00007FF7F892A4C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Argument domain error (DOMAIN), xrefs: 00007FF7F892A4C0

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 11d2b9735bd3709252506aa5ba5fa1e351431b4c673cdd365ea37068437d7b3c
Instruction ID: c4c35b01cb99ad71911799c7663614a48a4786fbc8e5b34674e77f7c24bc2828
Opcode Fuzzy Hash: 11d2b9735bd3709252506aa5ba5fa1e351431b4c673cdd365ea37068437d7b3c
Instruction Fuzzy Hash: 4BF04F12908E8486D302EF1CA8000ABF364FF9E78AF955326EB9D261A5DF28D543A754

Function 00007FF7F892A4D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Partial loss of significance (PLOSS), xrefs: 00007FF7F892A4D0

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ae991bd237688d46af379bc9e2c88ae6c4cf7060aa663ad11618093b77570e75
Instruction ID: 5d9b03a397299cc51c3839f630b31e28801551b2fe13df0c8be79eb4401dcfda
Opcode Fuzzy Hash: ae991bd237688d46af379bc9e2c88ae6c4cf7060aa663ad11618093b77570e75
Instruction Fuzzy Hash: 0EF04F12908E8886D312DF1CA8000ABF364FF9D789F955326EB9D261A5DF28E543A754

Function 00007FF7F892A500 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Total loss of significance (TLOSS), xrefs: 00007FF7F892A500

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 22cc9ee71a5ffac9a6ca83f9a2c6e26604571fd27d9318c0ebbd99beaa658a45
Instruction ID: 3b4f65eca98dcf06b901c9519ebba4fa6b304d74491e43d36ecb74cd9bc08617
Opcode Fuzzy Hash: 22cc9ee71a5ffac9a6ca83f9a2c6e26604571fd27d9318c0ebbd99beaa658a45
Instruction Fuzzy Hash: 6CF0AF12808E8482D302DF1CA8000ABF364FF8D78AF955326EB9C261A0DF28D543A354

Function 00007FF7F892A4E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Overflow range error (OVERFLOW), xrefs: 00007FF7F892A4E0

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 011e2c0bcc3796c487ded507d96121c6e9820a89f73ee2ebf114777c49236ea0
Instruction ID: a416310d6fe37ccd1aed3898c7c7419be063d765bfb736f99f962a5b571fa658
Opcode Fuzzy Hash: 011e2c0bcc3796c487ded507d96121c6e9820a89f73ee2ebf114777c49236ea0
Instruction Fuzzy Hash: 8DF04F12908E8482D302EF1CA8000ABF364FF9E789F955326EB9D261A5DF28D543A754

Function 00007FF7F892A4F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF7F892A4F0

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 62e2639ade3852005c6560a781b013c3a86ab195a2881249103c75c778e9902b
Instruction ID: 38300aff0f0001391649d058bd61e1db1a66a00003435e4926e25b247e91e5f5
Opcode Fuzzy Hash: 62e2639ade3852005c6560a781b013c3a86ab195a2881249103c75c778e9902b
Instruction Fuzzy Hash: F9F04F12908E8486D312DF1CA8000ABF364FF9D789FA55326EB9D261A5DF28D543A754

Function 00007FF7F892A458 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F892A4A0

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F892A487
Argument singularity (SIGN), xrefs: 00007FF7F892A458

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: a7c664df915d4e69880d0547989fba806fe34be971c47809b57ea1152bda214e
Instruction ID: df924d3e8a61780f3f1634cb62cdd8e480527d4ab598960b4c65f43e39012e61
Opcode Fuzzy Hash: a7c664df915d4e69880d0547989fba806fe34be971c47809b57ea1152bda214e
Instruction Fuzzy Hash: 0DF06D12908E8886D302DF1CE8000ABF364FF8E78AF955326EF8C2A165DF28D543A754

Function 00007FF7F8911294 Relevance: 5.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF7F8911312
strlen.MSVCRT ref: 00007FF7F8911334
malloc.MSVCRT ref: 00007FF7F8911340
memcpy.MSVCRT ref: 00007FF7F8911358

Memory Dump Source

Source File: 00000002.00000002.1458343892.00007FF7F8911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8910000, based on PE: true

Associated: 00000002.00000002.1458306749.00007FF7F8910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458468340.00007FF7F8A1F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458534063.00007FF7F8A21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458709319.00007FF7F8BB0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1458747199.00007FF7F8BB4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f8910000_bot.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 4ee85fb58601ac7611963cd66a25d646a980d7074b0776cdd030191079d3958a
Instruction ID: ac28afac479f051f264a0276a816e34b64ec33999e8e880b60aad02f679dd221
Opcode Fuzzy Hash: 4ee85fb58601ac7611963cd66a25d646a980d7074b0776cdd030191079d3958a
Instruction Fuzzy Hash: A431B025E0DA565AF761EF15E4903B4E391AF41B92FC45038CE2D0B3D1DE2DA405E7A8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Meduza Stealer

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\bot.exe:a.dll

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
bot.exe

Function 00007FF7F8913C70 Relevance: 40.6, APIs: 13, Strings: 10, Instructions: 344
COMMON

Function 00007FF7F8913D77 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 215
libraryloadermemoryCOMMON

Function 00007FF7F89134D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 298
COMMON

Function 00007FF7F8913060 Relevance: 7.7, APIs: 5, Instructions: 231
stringCOMMON

Function 00007FF7F89111D9 Relevance: 7.6, APIs: 5, Instructions: 91
COMMON

Function 00007FF7F89146A4 Relevance: 4.6, APIs: 3, Instructions: 128
processCOMMON

Function 00007FF7F8913539 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Function 00007FF7F8911294 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 00007FF7F8911289 Relevance: 5.1, APIs: 4, Instructions: 74
stringCOMMON

Function 00007FF7F892B688 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 00007FF7F8A1AB80 Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Function 00007FF7F892C1E0 Relevance: 33.1, APIs: 11, Strings: 11, Instructions: 88
stringCOMMON

Function 00007FF7F892B8D0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre