Edit tour

Windows Analysis Report
EpCAySF1G6.exe

Overview

General Information

Sample name:	EpCAySF1G6.exe renamed because original name is a hash value
Original sample name:	6c2f397589156433b18b4c931a684a25.exe
Analysis ID:	1581088
MD5:	6c2f397589156433b18b4c931a684a25
SHA1:	85364fdc36e163b705becb13a551a5625e930d50
SHA256:	5f4c69564c3b8b8e151218444de219dc267207fa868b14622302f10c4726e5c0
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after accessing registry keys)

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EpCAySF1G6.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\EpCAySF1G6.exe" MD5: 6C2F397589156433B18B4C931A684A25)

cleanup

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T23:02:01.384196+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	8.218.163.62	6666	TCP
2024-12-26T23:03:37.283111+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49815	8.218.163.62	6666	TCP
2024-12-26T23:04:52.638380+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49815	8.218.163.62	6666	TCP
2024-12-26T23:06:04.482553+0100	2052875	1	A Network Trojan was detected	192.168.2.4	50008	8.218.163.62	6666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: EpCAySF1G6.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: EpCAySF1G6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C49960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

0_2_02C49960

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 8.218.163.62:6666
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49815 -> 8.218.163.62:6666
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50008 -> 8.218.163.62:6666

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 8.218.163.62:6666

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C43660 select,recv,_errno,_errno,_errno,

0_2_02C43660

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: [esc]

0_2_02C52000

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C52000 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

0_2_02C52000

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

0_2_02C52000

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C4EBE0 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

0_2_02C4EBE0

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C51BF0 SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_02C51BF0

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4E0C7 ExitWindowsEx,	0_2_02C4E0C7
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4E0E8 ExitWindowsEx,	0_2_02C4E0E8
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4E097 ExitProcess,ExitWindowsEx,	0_2_02C4E097

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4EBE0	0_2_02C4EBE0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C43360	0_2_02C43360
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5FF94	0_2_02C5FF94
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C46790	0_2_02C46790
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C474F0	0_2_02C474F0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C48440	0_2_02C48440
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C515C0	0_2_02C515C0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5AA5C	0_2_02C5AA5C
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C60A00	0_2_02C60A00
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C51BF0	0_2_02C51BF0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C43BA0	0_2_02C43BA0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5D328	0_2_02C5D328
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5B0BC	0_2_02C5B0BC
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4B050	0_2_02C4B050
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C42850	0_2_02C42850
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5C870	0_2_02C5C870
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C6C804	0_2_02C6C804
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4C1A0	0_2_02C4C1A0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C45930	0_2_02C45930
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C48EC0	0_2_02C48EC0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5BEDC	0_2_02C5BEDC
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5AE80	0_2_02C5AE80
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C49650	0_2_02C49650
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C63650	0_2_02C63650
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4F790	0_2_02C4F790
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C55F90	0_2_02C55F90
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C60F30	0_2_02C60F30
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C6B4EC	0_2_02C6B4EC
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5F4E8	0_2_02C5F4E8
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C69CA0	0_2_02C69CA0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C49460	0_2_02C49460
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C60414	0_2_02C60414
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C6CD40	0_2_02C6CD40
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C6BD50	0_2_02C6BD50
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C62D00	0_2_02C62D00
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4F520	0_2_02C4F520
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF73D0	0_2_00007FF7F8DF73D0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF3390	0_2_00007FF7F8DF3390
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF6F70	0_2_00007FF7F8DF6F70
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF6860	0_2_00007FF7F8DF6860
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DFE1C0	0_2_00007FF7F8DFE1C0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8E06130	0_2_00007FF7F8E06130
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DFA30C	0_2_00007FF7F8DFA30C
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DFC28C	0_2_00007FF7F8DFC28C
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8E024BC	0_2_00007FF7F8E024BC
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF6C80	0_2_00007FF7F8DF6C80
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8E06C50	0_2_00007FF7F8E06C50
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DFAD44	0_2_00007FF7F8DFAD44
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8E058CC	0_2_00007FF7F8E058CC
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8E04898	0_2_00007FF7F8E04898
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF2880	0_2_00007FF7F8DF2880
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF6261	0_2_02AF6261
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B05A61	0_2_02B05A61
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B0FA65	0_2_02B0FA65
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF2321	0_2_02AF2321
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B01091	0_2_02B01091
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B0B9AD	0_2_02B0B9AD
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF8991	0_2_02AF8991
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF9121	0_2_02AF9121
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AFE6B1	0_2_02AFE6B1
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B0FEE5	0_2_02B0FEE5
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B016C1	0_2_02B016C1
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF2E31	0_2_02AF2E31
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF3671	0_2_02AF3671
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AFEFF1	0_2_02AFEFF1
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B127D1	0_2_02B127D1
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF6FC1	0_2_02AF6FC1
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B104D1	0_2_02B104D1
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF5401	0_2_02AF5401
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AFBC71	0_2_02AFBC71
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B0A52D	0_2_02B0A52D

Source: classification engine

Classification label: mal84.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C492E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_02C492E0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4A900 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_02C4A900
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C48E00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	0_2_02C48E00
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C48C80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess,	0_2_02C48C80

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C48180 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,

0_2_02C48180

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C47400 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_02C47400

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C47A90 CoInitialize,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,

0_2_02C47A90

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Mutant created: \Sessions\1\BaseNamedObjects\2024.12.22

Source: EpCAySF1G6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EpCAySF1G6.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: EpCAySF1G6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: EpCAySF1G6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C48A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

0_2_02C48A70

Source: EpCAySF1G6.exe

Static PE information: real checksum: 0x2bb4f should be: 0x20c8f

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C400B7 push rdi; ret	0_2_02C400BD
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C6F949 push rbp; retf	0_2_02C6F974
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B0F787 push cs; retf	0_2_02B0F788
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF8428 push ecx; ret	0_2_02AF8429
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02AF847D push eax; ret	0_2_02AF847E
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02B10449 pushfd ; ret	0_2_02B1044A

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C4E03A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_02C4E03A

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-37354

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-37367

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 401	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 1035	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 3506	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 4401	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-37112

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_0-36590
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-36586

Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 6960	Thread sleep count: 401 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7072	Thread sleep count: 1035 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7072	Thread sleep time: -1035000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7144	Thread sleep count: 3506 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7144	Thread sleep time: -35060s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7072	Thread sleep count: 4401 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7072	Thread sleep time: -4401000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C49960 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,

0_2_02C49960

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C489F0 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_02C489F0

Source: EpCAySF1G6.exe, 00000000.00000002.4144818078.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIIH

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	API call chain: ExitProcess graph end node	graph_0-37203
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	API call chain: ExitProcess graph end node	graph_0-36738
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	API call chain: ExitProcess graph end node	graph_0-36735

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C5C1C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_02C5C1C4

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C48A70 LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

0_2_02C48A70

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C47BF0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

0_2_02C47BF0

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C515C0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	0_2_02C515C0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C5C1C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02C5C1C4
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C54CD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02C54CD0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF8580 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF7F8DF8580
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DF8AD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F8DF8AD0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DFA5F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F8DFA5F4
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_00007FF7F8DFCF6C SetUnhandledExceptionFilter,	0_2_00007FF7F8DFCF6C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C48EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_02C48EC0

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C48EC0 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,		0_2_02C48EC0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_2_02C4A410 VirtualAllocEx,TerminateProcess,OpenProcess,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,		0_2_02C4A410

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_02C48EC0

Source: EpCAySF1G6.exe, 00000000.00000002.4145383540.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: EpCAySF1G6.exe, 00000000.00000003.1827736904.0000000004021000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .2.4 0 min571345Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,GetTickCount,_localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	0_2_02C46790
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	0_2_02C66254
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: _getptd,GetLocaleInfoA,	0_2_02C65BD8
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,	0_2_02C673F4
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	0_2_02C66020
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: EnumSystemLocalesA,	0_2_02C661E8
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: EnumSystemLocalesA,	0_2_02C66150
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: GetLocaleInfoW,	0_2_02C65CC0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	0_2_02C5E590
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	0_2_02C65D50

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C515C0 Sleep,SleepEx,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,RegOpenKeyExW,Sleep,SleepEx,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,

0_2_02C515C0

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C5FF94 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_02C5FF94

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_2_02C5BA94 HeapCreate,GetVersion,HeapSetInformation,

0_2_02C5BA94

Source: EpCAySF1G6.exe	Binary or memory string: acs.exe
Source: EpCAySF1G6.exe	Binary or memory string: vsserv.exe
Source: EpCAySF1G6.exe	Binary or memory string: avcenter.exe
Source: EpCAySF1G6.exe	Binary or memory string: kxetray.exe
Source: EpCAySF1G6.exe	Binary or memory string: KSafeTray.exe
Source: EpCAySF1G6.exe	Binary or memory string: avp.exe
Source: EpCAySF1G6.exe	Binary or memory string: cfp.exe
Source: EpCAySF1G6.exe	Binary or memory string: 360Safe.exe
Source: EpCAySF1G6.exe	Binary or memory string: rtvscan.exe
Source: EpCAySF1G6.exe	Binary or memory string: 360tray.exe
Source: EpCAySF1G6.exe	Binary or memory string: TMBMSRV.exe
Source: EpCAySF1G6.exe	Binary or memory string: ashDisp.exe
Source: EpCAySF1G6.exe	Binary or memory string: 360Tray.exe
Source: EpCAySF1G6.exe	Binary or memory string: avgwdsvc.exe
Source: EpCAySF1G6.exe	Binary or memory string: AYAgent.aye
Source: EpCAySF1G6.exe	Binary or memory string: RavMonD.exe
Source: EpCAySF1G6.exe	Binary or memory string: QUHLPSVC.EXE
Source: EpCAySF1G6.exe	Binary or memory string: Mcshield.exe
Source: EpCAySF1G6.exe	Binary or memory string: K7TSecurity.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	11 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Modify Registry	121 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	211 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	121 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Indicator Removal	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	16 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EpCAySF1G6.exe	68%	ReversingLabs	Win64.Backdoor.Farfli

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.218.163.62	unknown	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581088
Start date and time:	2024-12-26 23:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EpCAySF1G6.exe renamed because original name is a hash value
Original Sample Name:	6c2f397589156433b18b4c931a684a25.exe
Detection:	MAL
Classification:	mal84.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: EpCAySF1G6.exe

Simulations

Behavior and APIs

Time	Type	Description
17:02:38	API Interceptor	5749586x Sleep call for process: EpCAySF1G6.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	xd.ppc.elf	Get hash	malicious	Mirai	Browse	47.245.158.74
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	47.57.184.195
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	8.212.102.187
	splarm7.elf	Get hash	malicious	Unknown	Browse	47.253.191.95
	nabsh4.elf	Get hash	malicious	Unknown	Browse	47.240.78.242
	splppc.elf	Get hash	malicious	Unknown	Browse	47.52.40.232
	arm.elf	Get hash	malicious	Unknown	Browse	8.208.49.9
	splx86.elf	Get hash	malicious	Unknown	Browse	47.241.90.97
	armv4l.elf	Get hash	malicious	Unknown	Browse	8.222.176.99
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	8.213.107.220

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.106036027086711
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EpCAySF1G6.exe
File size:	133'632 bytes
MD5:	6c2f397589156433b18b4c931a684a25
SHA1:	85364fdc36e163b705becb13a551a5625e930d50
SHA256:	5f4c69564c3b8b8e151218444de219dc267207fa868b14622302f10c4726e5c0
SHA512:	206fee1c1b0fdd4aa263a70d21fe0f81df6025085e03234881032ad77317c2ad90ada34bc47d3c6ac917541b7edd5ce618a93c3c3a4ce0dfdc92ba864d9be4ce
SSDEEP:	3072:lO55k/y5dAj+BMTYlgEQnB+Y+pek7+3OrFZeUqe6oW:lO5n5d56TYZQnB+Dpekyyqm
TLSH:	96D37D4733A450F9D4A78279C9A24A06E7B374660735A7CF17A086BA2F137D1BD3A331
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........VF.g.F.g.F.g.)...+.g.)...M.g.)...k.g.O...M.g.F.f...g.)...K.g.)...G.g.RichF.g.........................PE..d.....ld.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140009a74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x646C86AC [Tue May 23 09:26:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	fb51ede541a9ad63bf23d302e319d2a0

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F3970BCB628h
dec eax
add esp, 28h
jmp 00007F3970BC780Bh
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], edi
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 60h
dec eax
mov edi, edx
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [ebp-40h]
dec eax
lea edx, dword ptr [0000EAE5h]
inc ecx
mov eax, 00000040h
call 00007F3970BC69DFh
dec eax
lea edx, dword ptr [ebp+10h]
dec eax
mov ecx, edi
dec eax
mov dword ptr [ebp-18h], ebx
dec eax
mov dword ptr [ebp-10h], edi
call 00007F3970BCF695h
dec esp
mov ebx, eax
dec eax
mov dword ptr [ebp+10h], eax
dec eax
mov dword ptr [ebp-08h], eax
dec eax
test edi, edi
je 00007F3970BC79ADh
test byte ptr [edi], 00000008h
mov ecx, 01994000h
je 00007F3970BC7997h
mov dword ptr [ebp-20h], ecx
jmp 00007F3970BC799Eh
mov eax, dword ptr [ebp-20h]
dec ebp
test ebx, ebx
cmove eax, ecx
mov dword ptr [ebp-20h], eax
inc esp
mov eax, dword ptr [ebp-28h]
mov edx, dword ptr [ebp-3Ch]
mov ecx, dword ptr [ebp-40h]
dec esp
lea ecx, dword ptr [ebp-20h]
call dword ptr [0000E7AFh]
dec esp
lea ebx, dword ptr [esp+60h]
dec ecx
mov ebx, dword ptr [ebx+18h]
dec ecx
mov edi, dword ptr [ebx+20h]
dec ecx
mov esp, ebx
pop ebp
ret
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00016781h]
call dword ptr [0000E7B3h]
dec eax
mov eax, dword ptr [0001686Ch]

Rich Headers

Programming Language:

[ C ] VS2010 build 30319
[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d028	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0x1578	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0x2f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x438	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16606	0x16800	9cde0d8ddbf108908aa730f375bc1766	False	0.5621636284722222	zlib compressed data	6.429037086317127	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x5d3a	0x5e00	b44503f0aa67867070e1b6433af825a5	False	0.3683926196808511	data	4.8111582224132965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x6770	0x2200	4dddad5b9c888efde6aff4d8b6f42a73	False	0.22047334558823528	data	2.6960600551063005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0x1578	0x1600	6b2fcd8de66b48f900df2c9c6b6db832	False	0.4728338068181818	data	5.019696142888745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0x1b4	0x200	5f882a758b6b0045acd02c3e0551be90	False	0.486328125	data	5.112623549532036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0x5be	0x600	3b9d434e2274fd734402fea8d43c6f67	False	0.3587239583333333	data	3.4572271853315204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x27058	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	HeapCreate, EnterCriticalSection, DeleteCriticalSection, WaitForSingleObject, SetEvent, Sleep, CreateEventA, GetLastError, CloseHandle, GetCurrentThreadId, SwitchToThread, SetLastError, WideCharToMultiByte, lstrlenW, ResetEvent, CreateEventW, CancelIo, TryEnterCriticalSection, SetWaitableTimer, CreateWaitableTimerW, GetThreadContext, SetThreadContext, LeaveCriticalSection, GetExitCodeProcess, CreateProcessA, GetSystemDirectoryA, VirtualAllocEx, WriteProcessMemory, ResumeThread, FreeLibrary, SetUnhandledExceptionFilter, GetCurrentProcess, LoadLibraryW, GetConsoleWindow, CreateFileW, GetProcAddress, GetLocalTime, IsDebuggerPresent, GetCurrentProcessId, CreateThread, LCMapStringW, WriteConsoleW, SetStdHandle, GetStringTypeW, MultiByteToWideChar, HeapDestroy, InitializeCriticalSectionAndSpinCount, HeapFree, HeapAlloc, VirtualAlloc, OpenProcess, VirtualFree, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, FlushFileBuffers, GetConsoleCP, SetFilePointer, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, GetStartupInfoW, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwindEx, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, HeapReAlloc, HeapSize, GetProcessHeap, ExitThread, DecodePointer, EncodePointer, GetCommandLineW, RaiseException, RtlPcToFileHeader, TerminateProcess, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, HeapSetInformation, GetVersion, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW
USER32.dll	DispatchMessageW, PostThreadMessageA, PeekMessageW, TranslateMessage, MsgWaitForMultipleObjects, ShowWindow, GetInputState, wsprintfW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExW, RegCreateKeyW, RegSetValueExW
WS2_32.dll	WSAWaitForMultipleEvents, WSAIoctl, connect, WSAStartup, select, WSAResetEvent, setsockopt, recv, socket, closesocket, gethostbyname, send, WSASetLastError, WSACreateEvent, shutdown, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, WSACloseEvent, htons, WSACleanup
WINMM.dll	timeGetTime

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T23:02:01.384196+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	8.218.163.62	6666	TCP
2024-12-26T23:03:37.283111+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49815	8.218.163.62	6666	TCP
2024-12-26T23:04:52.638380+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49815	8.218.163.62	6666	TCP
2024-12-26T23:06:04.482553+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	50008	8.218.163.62	6666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 23:02:01.256304979 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:01.377587080 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:01.377697945 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:01.384196043 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:01.503684044 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:03.280477047 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:03.280872107 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:03.340334892 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:03.340521097 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:03.400624990 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:03.400657892 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:03.400670052 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107058048 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107080936 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107094049 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107141972 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107160091 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107172012 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.107177019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.107244968 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.107244968 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.332432985 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.332503080 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.332578897 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.336545944 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.336669922 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.336726904 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.344973087 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.345052958 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.345107079 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.353471994 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.353594065 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.353642941 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.361763000 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.361816883 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.361874104 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.557562113 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.557636976 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.557723999 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.560034990 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.560139894 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.560200930 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.568468094 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.568578005 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.568628073 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.576961994 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.577064037 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.577121019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.585244894 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.585402012 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.585452080 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.593732119 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.593843937 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.593907118 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.602081060 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.602178097 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.602248907 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.782749891 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.782861948 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.782912016 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.786832094 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.788350105 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.788400888 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.788464069 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.796644926 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.796704054 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.796785116 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.804903984 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.804965019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.804995060 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.813159943 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.813235998 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.813307047 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.821403980 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.821472883 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.821517944 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.829638004 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.829687119 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.829725027 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.837986946 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.838035107 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.838063955 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.846153975 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.846209049 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:04.846296072 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:04.887926102 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.009057045 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.009188890 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.009244919 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.012703896 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.013933897 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.013988972 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.014077902 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.021153927 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.021207094 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.021306992 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.027688026 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.027700901 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.027751923 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.035376072 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.035437107 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.035499096 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.042660952 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.042682886 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.042731047 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.049685001 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.049746037 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.049843073 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.056946993 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.057008028 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.057105064 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.063951015 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.063962936 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.064009905 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.071132898 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.071188927 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.071330070 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.078213930 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.078273058 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.078351974 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.084475994 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.084523916 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.084544897 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.091615915 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.091675997 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.233664989 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.233711958 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.233788967 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.236356020 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.236448050 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.236502886 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.241851091 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.241928101 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.241982937 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.247261047 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.247405052 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.247457027 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.252757072 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.252953053 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.253010988 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.258227110 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.258342028 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.258392096 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.263689995 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.263791084 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.263838053 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.269166946 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.269273996 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.269326925 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.274651051 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.274753094 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.274811983 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.280177116 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.280267000 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.280318975 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.285588026 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.285682917 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.285727978 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.291102886 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.291166067 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.291218996 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.296519041 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.296627045 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.296680927 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.302017927 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.302135944 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.302182913 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.307473898 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.307707071 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.307760000 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.313034058 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.313103914 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.313159943 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.318455935 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.318572998 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.318634987 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.323879957 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.323925018 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.323982954 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.459136963 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.459206104 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.459345102 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.461163044 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.461334944 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.461389065 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.465424061 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.465605021 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.465682983 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.469305992 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.469407082 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.469448090 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.473448992 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.473490953 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.473551035 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.477590084 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.477607965 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.477678061 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.481549025 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.481631041 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.481677055 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.485625029 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.485837936 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.485898972 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.489732981 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.489800930 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.489845037 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.493803978 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.494021893 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.494076014 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.497895002 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.498006105 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.498064995 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.501954079 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.502032042 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.502075911 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.506023884 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.506133080 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.506201029 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.510188103 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.510272026 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.510323048 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.514234066 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.514368057 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.514420033 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.518274069 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.518388033 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.518443108 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.522372961 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.522509098 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.522578955 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.526504993 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.526954889 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.527012110 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.530649900 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.530754089 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.530802011 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.534640074 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.534763098 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.534820080 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.538686991 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.538753986 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.538794994 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.543138027 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.543283939 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.543361902 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.546868086 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.546956062 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.547000885 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.550972939 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.551032066 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.551088095 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.555109024 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.555125952 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.555174112 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.684407949 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.684447050 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.684510946 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.685864925 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.686436892 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.686491013 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.686513901 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.689435959 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.689485073 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.689529896 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.692434072 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.692490101 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.692558050 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.695782900 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.695837975 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.695955992 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.698484898 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.698539019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.698596954 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.701508045 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.701561928 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.701575041 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.704504013 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.704560041 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.704617023 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.707592010 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.707648993 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.707698107 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.710630894 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.710647106 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.710681915 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.713700056 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.713752031 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.713757038 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.716598988 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.716653109 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.716720104 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.719727993 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.719774008 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.719780922 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.722616911 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.722671032 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.722737074 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.725615025 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.725670099 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.725699902 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.728689909 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.728741884 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.728794098 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.731714964 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.731765032 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.731771946 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.734685898 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.734739065 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.734786987 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.737787962 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.737812042 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.737843037 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.740734100 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.740787029 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.740818024 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.743777990 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.743825912 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.743846893 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.746788979 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.746881962 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.746963024 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.749799967 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.749866009 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.749887943 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.752835989 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.752892017 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.753034115 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.755934000 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.755950928 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.755991936 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.758812904 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.758867979 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.758924961 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.761878014 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.761934996 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.761940002 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.764861107 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.764914989 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.764961004 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.767904997 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.767960072 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.768013000 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.770908117 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.770972967 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.771044970 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.773916960 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.773976088 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.774106979 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.777014017 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.777049065 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.777071953 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.779927969 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.780006886 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.780083895 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.783071995 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.783088923 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.783137083 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.785928965 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.786003113 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.885472059 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.909765959 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.909828901 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.909882069 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.910861969 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.910922050 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.911001921 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.913098097 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.913136005 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.913142920 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.915286064 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.915347099 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.915386915 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.917556047 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.917608976 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.917615891 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.919693947 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.919748068 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:05.919796944 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:05.966006994 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:06.951699972 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:07.071403027 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:07.071489096 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:08.934964895 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:12.644196987 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:12.764113903 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:12.764134884 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:12.764159918 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:12.764173031 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:13.411444902 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:13.411861897 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:13.531800032 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:24.062874079 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:24.182431936 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:24.600944042 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:24.653522015 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:24.654151917 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:24.773705006 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:40.841260910 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:40.960844994 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:41.379595995 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:41.434806108 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:41.453566074 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:41.573360920 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:57.247380972 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:57.560836077 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:57.568733931 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:58.049026966 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:58.049619913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:02:58.091160059 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:58.107176065 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:02:58.232178926 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:13.044573069 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:13.164547920 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:13.582942009 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:13.638226032 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:13.654225111 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:13.773884058 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:29.513078928 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:29.513134003 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:29.632813931 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:29.632900953 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:31.450979948 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:31.570524931 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:31.570616961 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:36.516350985 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:36.638032913 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:36.638103962 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:36.638137102 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:36.640065908 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:37.282747030 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:37.283111095 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:37.402786016 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:47.903841972 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:48.195132971 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:48.616635084 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:03:48.665025949 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:03:48.784672976 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:04.497592926 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:04.617166996 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:05.038918972 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:05.106853962 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:05.118789911 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:05.238284111 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:20.279217005 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:20.446357965 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:20.820790052 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:20.872514009 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:20.874808073 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:20.994328976 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:36.278964996 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:36.398586988 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:37.013936043 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:37.060062885 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:37.082549095 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:37.202210903 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:52.638380051 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:52.638422012 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:52.758126974 CET	6666	49815	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:52.758183956 CET	49815	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:54.576163054 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:54.695780039 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:54.699410915 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:59.699774027 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:04:59.819567919 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:59.819639921 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:59.819674969 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:04:59.819761038 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:00.475269079 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:00.475605965 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:00.595387936 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:11.982187033 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:11.982348919 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:12.102341890 CET	6666	49993	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:12.103322029 CET	49993	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:13.920098066 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:14.039843082 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:14.043394089 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:19.423604965 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:19.543745995 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:19.543803930 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:19.543858051 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:19.543885946 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:20.199359894 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:20.199834108 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:20.319550037 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:30.919653893 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:31.039453983 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:31.466790915 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:31.515335083 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:31.835895061 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:31.955674887 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:47.497853994 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:47.617701054 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:48.044775963 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:05:48.091424942 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:48.122428894 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:05:48.242419004 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:06:04.482553005 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:06:04.482593060 CET	50008	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:06:04.607287884 CET	6666	50008	8.218.163.62	192.168.2.4
Dec 26, 2024 23:06:04.607356071 CET	50008	6666	192.168.2.4	8.218.163.62

Target ID:	0
Start time:	17:01:58
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\EpCAySF1G6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EpCAySF1G6.exe"
Imagebase:	0x7ff7f8df0000
File size:	133'632 bytes
MD5 hash:	6C2F397589156433B18B4C931A684A25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	52.6%
Signature Coverage:	22.5%
Total number of Nodes:	880
Total number of Limit Nodes:	38

Executed Functions

Function 00007FF7F8DF73D0 Relevance: 98.9, APIs: 31, Strings: 25, Instructions: 870stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DF72A0: lstrlenW.KERNEL32 ref: 00007FF7F8DF72CF
Part of subcall function 00007FF7F8DF72A0: lstrlenW.KERNEL32 ref: 00007FF7F8DF72F0
Part of subcall function 00007FF7F8DF72A0: lstrlenW.KERNEL32 ref: 00007FF7F8DF72FC

lstrlenW.KERNEL32 ref: 00007FF7F8DF7459
lstrlenW.KERNEL32 ref: 00007FF7F8DF746C
lstrlenW.KERNEL32 ref: 00007FF7F8DF7548
lstrlenW.KERNEL32 ref: 00007FF7F8DF755B
lstrlenW.KERNEL32 ref: 00007FF7F8DF7628
lstrlenW.KERNEL32 ref: 00007FF7F8DF763B
lstrlenW.KERNEL32 ref: 00007FF7F8DF774E
lstrlenW.KERNEL32 ref: 00007FF7F8DF7761
lstrlenW.KERNEL32 ref: 00007FF7F8DF7810
lstrlenW.KERNEL32 ref: 00007FF7F8DF7823
lstrlenW.KERNEL32 ref: 00007FF7F8DF78D0
lstrlenW.KERNEL32 ref: 00007FF7F8DF78E3
lstrlenW.KERNEL32 ref: 00007FF7F8DF7990
lstrlenW.KERNEL32 ref: 00007FF7F8DF79A3
lstrlenW.KERNEL32 ref: 00007FF7F8DF7A50
lstrlenW.KERNEL32 ref: 00007FF7F8DF7A63
lstrlenW.KERNEL32 ref: 00007FF7F8DF7B10
lstrlenW.KERNEL32 ref: 00007FF7F8DF7B23
lstrlenW.KERNEL32 ref: 00007FF7F8DF7BD0
lstrlenW.KERNEL32 ref: 00007FF7F8DF7BE3
lstrlenW.KERNEL32 ref: 00007FF7F8DF7C90
lstrlenW.KERNEL32 ref: 00007FF7F8DF7CA3
RegOpenKeyExW.KERNEL32 ref: 00007FF7F8DF7D81
RegQueryValueExW.KERNEL32 ref: 00007FF7F8DF7DB5
RegQueryValueExW.ADVAPI32 ref: 00007FF7F8DF7DFC
lstrlenW.KERNEL32 ref: 00007FF7F8DF7E31
lstrlenW.KERNEL32 ref: 00007FF7F8DF7E3D
lstrlenW.KERNEL32 ref: 00007FF7F8DF7EF7
lstrlenW.KERNEL32 ref: 00007FF7F8DF7F0A
lstrlenW.KERNEL32 ref: 00007FF7F8DF7FFC
lstrlenW.KERNEL32 ref: 00007FF7F8DF8008

Strings

IpDate, xrefs: 00007FF7F8DF7DA2, 00007FF7F8DF7DED
t1:, xrefs: 00007FF7F8DF745F
o1:, xrefs: 00007FF7F8DF7447, 00007FF7F8DF7E1F
sx:, xrefs: 00007FF7F8DF7816
jp:, xrefs: 00007FF7F8DF7754
|p1:8.218.163.62|o1:6666|t1:1|p2:8.218.163.62|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 00007FF7F8DF73FC
ll:, xrefs: 00007FF7F8DF7996
o2:, xrefs: 00007FF7F8DF7536, 00007FF7F8DF7EE5
dl:, xrefs: 00007FF7F8DF7A56
p1:, xrefs: 00007FF7F8DF7431, 00007FF7F8DF7E09
kl:, xrefs: 00007FF7F8DF7BD6
sh:, xrefs: 00007FF7F8DF7B16
t3:, xrefs: 00007FF7F8DF762E
o3:, xrefs: 00007FF7F8DF7616, 00007FF7F8DF7FEA
t2:, xrefs: 00007FF7F8DF754E, 00007FF7F8DF7EFD
p3:, xrefs: 00007FF7F8DF7600, 00007FF7F8DF7FD4
dd:, xrefs: 00007FF7F8DF76E4
p2:, xrefs: 00007FF7F8DF7520, 00007FF7F8DF7ECF
Console, xrefs: 00007FF7F8DF7D55
bd:, xrefs: 00007FF7F8DF7C96
bb:, xrefs: 00007FF7F8DF7726
bh:, xrefs: 00007FF7F8DF78D6
fz:, xrefs: 00007FF7F8DF7710
bz:, xrefs: 00007FF7F8DF773C
cl:, xrefs: 00007FF7F8DF76FA

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlen$QueryValue$Open
String ID: Console$IpDate$bb:$bd:$bh:$bz:$cl:$dd:$dl:$fz:$jp:$kl:$ll:$o1:$o2:$o3:$p1:$p2:$p3:$sh:$sx:$t1:$t2:$t3:$|p1:8.218.163.62|o1:6666|t1:1|p2:8.218.163.62|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
API String ID: 1772312705-3774728195
Opcode ID: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
Instruction ID: 5145230fa482634ea0ee9bf68d35d51adaac2a8b7d2bd783cb75ad5ebf2fc50e
Opcode Fuzzy Hash: e7c24950faba3f9ac85f5f069f5f95afb0107786a1c82c81ace9b637109b25c1
Instruction Fuzzy Hash: EC72F465F0999A86EB10BB1498446F8E361FF48784FC49035C93F066C9EE7CA549F3E8

Function 02C46790 Relevance: 73.8, APIs: 29, Strings: 13, Instructions: 324
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

gethostname.WS2_32 ref: 02C46841
gethostbyname.WS2_32 ref: 02C4684E
inet_ntoa.WS2_32 ref: 02C4686C

Part of subcall function 02C562F4: _errno.LIBCMT ref: 02C56312
Part of subcall function 02C562F4: _invalid_parameter_noinfo.LIBCMT ref: 02C5631E

Part of subcall function 02C562F4: _errno.LIBCMT ref: 02C56360

inet_ntoa.WS2_32 ref: 02C468BD
MultiByteToWideChar.KERNEL32 ref: 02C4691A
MultiByteToWideChar.KERNEL32 ref: 02C4693C
GetLastInputInfo.USER32 ref: 02C4694F
GetTickCount.KERNEL32 ref: 02C46955
wsprintfW.USER32 ref: 02C46989
MultiByteToWideChar.KERNEL32 ref: 02C469A8
MultiByteToWideChar.KERNEL32 ref: 02C469CD
GetSystemInfo.KERNEL32 ref: 02C46A05
wsprintfW.USER32 ref: 02C46A1D
GetForegroundWindow.USER32 ref: 02C46A42
GetWindowTextW.USER32 ref: 02C46A5D
lstrlenW.KERNEL32 ref: 02C46A6A
lstrlenW.KERNEL32 ref: 02C46AD9
GetModuleHandleW.KERNEL32 ref: 02C46B34
GetProcAddress.KERNEL32 ref: 02C46B44
GetNativeSystemInfo.KERNEL32 ref: 02C46B54
GetSystemInfo.KERNEL32 ref: 02C46B58
wsprintfW.USER32 ref: 02C46BA2
GetCurrentProcessId.KERNEL32 ref: 02C46BB0
GetTickCount.KERNEL32 ref: 02C46C1F
_localtime64.LIBCMT ref: 02C46C4F
wsprintfW.USER32 ref: 02C46C9B
GetLocaleInfoW.KERNEL32 ref: 02C46CB6
GetSystemDirectoryW.KERNEL32 ref: 02C46CC8
GetCurrentHwProfileW.ADVAPI32 ref: 02C46CD2

Strings

REMARK, xrefs: 02C46AE6
kernel32.dll, xrefs: 02C46B14
GetNativeSystemInfo, xrefs: 02C46B3A
x86, xrefs: 02C46B89
GROUP, xrefs: 02C46A8A
2024.12.22, xrefs: 02C46AFA
Network, xrefs: 02C46A7C
X64, xrefs: 02C46D0D
x64, xrefs: 02C46B80
X64 %s, xrefs: 02C46B9B
AppEvents, xrefs: 02C46A75
1.0, xrefs: 02C46AC1
%d min, xrefs: 02C46982

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Info$ByteCharMultiSystemWidewsprintf$CountCurrentTickWindow_errnoinet_ntoalstrlen$AddressDirectoryForegroundHandleInputLastLocaleModuleNativeProcProcessProfileText_invalid_parameter_noinfo_localtime64gethostbynamegethostnamemalloc
String ID: %d min$1.0$2024.12.22$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X64$X64 %s$kernel32.dll$x64$x86
API String ID: 1661628823-624405038
Opcode ID: 122f8fed04f656ffedd24d25d979499a4dac23aeb6196086108b6fd699c96e62
Instruction ID: 46bdf25aa93c84d72954466c3ee2b93cda8e8c1d06741c7facbfc7d430c08ec5
Opcode Fuzzy Hash: 122f8fed04f656ffedd24d25d979499a4dac23aeb6196086108b6fd699c96e62
Instruction Fuzzy Hash: 84F1A132304A86D6EB18DF61E8487DE77B5F784788F908126CA5E53B64DF38C669CB40

Function 02C515C0 Relevance: 59.8, APIs: 23, Strings: 11, Instructions: 301
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 02C51614
CloseHandle.KERNEL32 ref: 02C5164F

Part of subcall function 02C55560: _errno.LIBCMT ref: 02C5557F
Part of subcall function 02C55560: _invalid_parameter_noinfo.LIBCMT ref: 02C5558B

Part of subcall function 02C55560: _errno.LIBCMT ref: 02C555BB

GetLocalTime.KERNEL32 ref: 02C51668
wsprintfW.USER32 ref: 02C516AE
SetUnhandledExceptionFilter.KERNEL32 ref: 02C516BB
CloseHandle.KERNEL32 ref: 02C516E1
EnumWindows.USER32 ref: 02C5185A

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

Part of subcall function 02C5576C: _errno.LIBCMT ref: 02C55797
Part of subcall function 02C5576C: _invalid_parameter_noinfo.LIBCMT ref: 02C557A2

Sleep.KERNEL32 ref: 02C51875
EnumWindows.USER32 ref: 02C5188C
Sleep.KERNEL32 ref: 02C518CC
CreateEventA.KERNEL32 ref: 02C51921
RegOpenKeyExW.ADVAPI32 ref: 02C5198F
Sleep.KERNEL32 ref: 02C519C1
RegOpenKeyExW.ADVAPI32 ref: 02C519F5
RegQueryValueExW.ADVAPI32 ref: 02C51A22
Sleep.KERNEL32 ref: 02C51A9E
WaitForSingleObject.KERNEL32 ref: 02C51ACF
CloseHandle.KERNEL32 ref: 02C51AD8
Sleep.KERNEL32 ref: 02C51AE3

Part of subcall function 02C5576C: _getptd.LIBCMT ref: 02C557C8
Part of subcall function 02C5576C: CreateThread.KERNEL32 ref: 02C5581D
Part of subcall function 02C5576C: GetLastError.KERNEL32 ref: 02C55828
Part of subcall function 02C5576C: free.LIBCMT ref: 02C55833

WaitForSingleObject.KERNEL32 ref: 02C51B08
CloseHandle.KERNEL32 ref: 02C51B11
Sleep.KERNEL32 ref: 02C51B2B
CloseHandle.KERNEL32 ref: 02C51B42

Strings

IpDatespecial, xrefs: 02C51A16
Console\1, xrefs: 02C51981
6666, xrefs: 02C51783
127.0.0.1, xrefs: 02C517D1
6666, xrefs: 02C51756
8.218.163.62, xrefs: 02C5174A
Console, xrefs: 02C519E7
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 02C516A0
8.218.163.62, xrefs: 02C51777
8.218.163.62, xrefs: 02C5173A, 02C517DD, 02C518B2, 02C51941
6666, xrefs: 02C51762, 02C5178F, 02C517F5, 02C518A3, 02C518E3

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Sleep$CloseHandle$_errno$CreateEnumObjectOpenSingleWaitWindows_invalid_parameter_noinfo$ErrorEventExceptionFilterLastLocalQueryThreadTimeUnhandledValue_getptdfreemallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$6666$6666$6666$8.218.163.62$8.218.163.62$8.218.163.62$Console$Console\1$IpDatespecial
API String ID: 3428909306-2719144650
Opcode ID: 34ca53d58691d4d6b77f75a5af062a653cd39c481d55b8bdfed8d27cbe8b0b01
Instruction ID: 43212b69ecb7c4588e26361021f6cf24e94e75d8022e6f66cc57b106fea7b443
Opcode Fuzzy Hash: 34ca53d58691d4d6b77f75a5af062a653cd39c481d55b8bdfed8d27cbe8b0b01
Instruction Fuzzy Hash: 67E16C32614B90C6F710DF25F848BAE73A5F785B85F94812ADE4E47AA4DF78C684CB04

Function 02C4EBE0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 302
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 02C4EC21
GetDC.USER32 ref: 02C4EC2A
CreateCompatibleDC.GDI32 ref: 02C4EC36
GetDC.USER32 ref: 02C4EC42
GetDeviceCaps.GDI32 ref: 02C4EC53
GetDeviceCaps.GDI32 ref: 02C4EC63
ReleaseDC.USER32 ref: 02C4EC80
GetSystemMetrics.USER32 ref: 02C4EC9E
GetSystemMetrics.USER32 ref: 02C4ECD4
GetSystemMetrics.USER32 ref: 02C4ED27
GetSystemMetrics.USER32 ref: 02C4ED41
CreateCompatibleBitmap.GDI32 ref: 02C4ED5F
SelectObject.GDI32 ref: 02C4ED73
SetStretchBltMode.GDI32 ref: 02C4ED81
GetSystemMetrics.USER32 ref: 02C4ED8C
GetSystemMetrics.USER32 ref: 02C4EDA6
StretchBlt.GDI32 ref: 02C4EDEC
GetDIBits.GDI32 ref: 02C4EE91

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

DeleteObject.GDI32 ref: 02C4EF44
DeleteObject.GDI32 ref: 02C4EF4E
ReleaseDC.USER32 ref: 02C4EF59
DeleteObject.GDI32 ref: 02C4EFE7
DeleteObject.GDI32 ref: 02C4EFF1
ReleaseDC.USER32 ref: 02C4EFFC

Strings

, xrefs: 02C4EDAC
gfff, xrefs: 02C4ECDE
gfff, xrefs: 02C4ECB8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch$BitmapBitsDesktopModeSelectWindowmalloc
String ID: $gfff$gfff
API String ID: 1524144516-4202476792
Opcode ID: 13dd4c7c1d2cbe625612e10cc7ad245c133778d1992cad39df60de0e299c626f
Instruction ID: dfd96107628cc807fee86cd6b4b997fafd9a77033af6f6658a1c67b91927488c
Opcode Fuzzy Hash: 13dd4c7c1d2cbe625612e10cc7ad245c133778d1992cad39df60de0e299c626f
Instruction Fuzzy Hash: 08C1BE32714B408AE714DF76E41875E73B2FB99B88F054229DE0AABB58EF38D485C744

Function 00007FF7F8DF6860 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 213
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF7F8DF68C7
RegQueryValueExW.ADVAPI32 ref: 00007FF7F8DF68FC
RegQueryValueExW.ADVAPI32 ref: 00007FF7F8DF6961
VirtualAlloc.KERNEL32 ref: 00007FF7F8DF6993
RegCloseKey.ADVAPI32 ref: 00007FF7F8DF69C4
VirtualFree.KERNEL32 ref: 00007FF7F8DF6A10
VirtualAlloc.KERNEL32 ref: 00007FF7F8DF6B4E
RegCreateKeyW.ADVAPI32 ref: 00007FF7F8DF6BD5
RegDeleteValueW.KERNEL32 ref: 00007FF7F8DF6BED
RegSetValueExW.KERNEL32 ref: 00007FF7F8DF6C13
RegCloseKey.KERNEL32 ref: 00007FF7F8DF6C20
SleepEx.KERNEL32 ref: 00007FF7F8DF6C55

Strings

n, xrefs: 00007FF7F8DF6A84
l, xrefs: 00007FF7F8DF6A72
Console\1, xrefs: 00007FF7F8DF6899, 00007FF7F8DF6BC7
d33f351a4aeea5e608853d1a56661059, xrefs: 00007FF7F8DF68ED, 00007FF7F8DF6952, 00007FF7F8DF6BE6, 00007FF7F8DF6BFA
310ab5735122252c78549f78b4c30746, xrefs: 00007FF7F8DF69CE
., xrefs: 00007FF7F8DF6A60

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Value$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: .$310ab5735122252c78549f78b4c30746$Console\1$d33f351a4aeea5e608853d1a56661059$l$n
API String ID: 544495302-2415055341
Opcode ID: 5694b7b157a9f67dd129e53dc4729af0b4b0346885f9078a4b7e41d62d996c72
Instruction ID: 3c6f940f7a47096b24a807f62c3d667a3941332eb03a86511096b99326fd386a
Opcode Fuzzy Hash: 5694b7b157a9f67dd129e53dc4729af0b4b0346885f9078a4b7e41d62d996c72
Instruction Fuzzy Hash: 8DB1A221B18B8285EB60AF61E8407A9F760FF89754F804035DA7E47AD9DF3CD108E798

Function 02C43360 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 168
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 02C43391
timeGetTime.WINMM ref: 02C433A0
socket.WS2_32 ref: 02C433D5
lstrlenW.KERNEL32 ref: 02C43402
WideCharToMultiByte.KERNEL32 ref: 02C43426
lstrlenW.KERNEL32 ref: 02C43440
WideCharToMultiByte.KERNEL32 ref: 02C43463
gethostbyname.WS2_32 ref: 02C43470
htons.WS2_32 ref: 02C43498
connect.WS2_32 ref: 02C434C2

Strings

0u, xrefs: 02C43545

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 950253168-3203441087
Opcode ID: c675cf8a70220d83b9f5f9eeca867539601b1c5dcc2814c4a89447bde27aa509
Instruction ID: 343cee1a1e81dac290e0cf3a17086a9af0ed35bf6b4e086e037090cd7793d8d9
Opcode Fuzzy Hash: c675cf8a70220d83b9f5f9eeca867539601b1c5dcc2814c4a89447bde27aa509
Instruction Fuzzy Hash: 21713972218B8186E720CF66F44875EB7A5F788B98F504129EB8A57F68DF3CD149CB04

Function 00007FF7F8DF3390 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 168
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 00007FF7F8DF33C1
timeGetTime.WINMM ref: 00007FF7F8DF33D0
socket.WS2_32 ref: 00007FF7F8DF3405
lstrlenW.KERNEL32 ref: 00007FF7F8DF3432
WideCharToMultiByte.KERNEL32 ref: 00007FF7F8DF3456
lstrlenW.KERNEL32 ref: 00007FF7F8DF3470
WideCharToMultiByte.KERNEL32 ref: 00007FF7F8DF3493
gethostbyname.WS2_32 ref: 00007FF7F8DF34A0
htons.WS2_32 ref: 00007FF7F8DF34C8
connect.WS2_32 ref: 00007FF7F8DF34F2

Strings

0u, xrefs: 00007FF7F8DF3575

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 950253168-3203441087
Opcode ID: 1ebe5ea999ada77dc3c15e7a43abbca18abc7bbb5c037e0ba44f4efe06a9ee2b
Instruction ID: a89fe235abc81fcef5eb4cffa8bef933f7f0078a1c855104e349fc2b2d283462
Opcode Fuzzy Hash: 1ebe5ea999ada77dc3c15e7a43abbca18abc7bbb5c037e0ba44f4efe06a9ee2b
Instruction Fuzzy Hash: 2B813E72608B8186E724DF61F44026AF7A4FB88B94F504135EBAE47B98CF3CD049EB54

Function 02C5FF94 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 292
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 02C5FFBF

Part of subcall function 02C62CBC: _amsg_exit.LIBCMT ref: 02C62CE6

_get_daylight.LIBCMT ref: 02C5FFD5

Part of subcall function 02C60D30: _errno.LIBCMT ref: 02C60D39
Part of subcall function 02C60D30: _invalid_parameter_noinfo.LIBCMT ref: 02C60D44

_get_daylight.LIBCMT ref: 02C5FFEA

Part of subcall function 02C60CD0: _errno.LIBCMT ref: 02C60CD9
Part of subcall function 02C60CD0: _invalid_parameter_noinfo.LIBCMT ref: 02C60CE4

_get_daylight.LIBCMT ref: 02C5FFFF

Part of subcall function 02C60D00: _errno.LIBCMT ref: 02C60D09
Part of subcall function 02C60D00: _invalid_parameter_noinfo.LIBCMT ref: 02C60D14

___lc_codepage_func.LIBCMT ref: 02C6000C

Part of subcall function 02C5A770: _getptd.LIBCMT ref: 02C5A774

Part of subcall function 02C67620: __wtomb_environ.LIBCMT ref: 02C67650

free.LIBCMT ref: 02C6007D

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

free.LIBCMT ref: 02C600E6
GetTimeZoneInformation.KERNEL32 ref: 02C600F9
WideCharToMultiByte.KERNEL32 ref: 02C601AF
WideCharToMultiByte.KERNEL32 ref: 02C60202

Strings

Eastern Summer Time, xrefs: 02C601F7
Eastern Standard Time, xrefs: 02C601A4

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_get_daylight_invalid_parameter_noinfo$ByteCharMultiWidefree$ErrorFreeHeapInformationLastTimeZone___lc_codepage_func__wtomb_environ_amsg_exit_getptd_lock
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 2532449802-239921721
Opcode ID: 0c97cee6d145cff3ac5e51c77ab776f690a74dde89f2690ff405645e1eb8e359
Instruction ID: 818c6e6815c6cfcc5a73ab1cfb3a9ba86861143dfa1c916c84a22d23d2d3b458
Opcode Fuzzy Hash: 0c97cee6d145cff3ac5e51c77ab776f690a74dde89f2690ff405645e1eb8e359
Instruction Fuzzy Hash: F5B1B3322047808AEB34DF25E9D877E7BA6FB85784F4481299E8E67B64DF38C551CB04

Function 02C474F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 199
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32 ref: 02C475AB
lstrcatW.KERNEL32 ref: 02C475BB

Part of subcall function 02C4A900: GetCurrentProcess.KERNEL32 ref: 02C4A917
Part of subcall function 02C4A900: OpenProcessToken.ADVAPI32 ref: 02C4A928
Part of subcall function 02C4A900: LookupPrivilegeValueW.ADVAPI32 ref: 02C4A948
Part of subcall function 02C4A900: AdjustTokenPrivileges.ADVAPI32 ref: 02C4A970
Part of subcall function 02C4A900: GetLastError.KERNEL32 ref: 02C4A976
Part of subcall function 02C4A900: CloseHandle.KERNEL32 ref: 02C4A986

Part of subcall function 02C4A600: CreateToolhelp32Snapshot.KERNEL32 ref: 02C4A637

CoCreateInstance.OLE32 ref: 02C47606
wsprintfW.USER32 ref: 02C47703
RegOpenKeyExW.ADVAPI32 ref: 02C4772A
RegQueryValueExW.ADVAPI32 ref: 02C47778
lstrcatW.KERNEL32 ref: 02C4778C
lstrcatW.KERNEL32 ref: 02C4779C
RegCloseKey.ADVAPI32 ref: 02C477A6

Part of subcall function 02C47400: CreateToolhelp32Snapshot.KERNEL32 ref: 02C47441
Part of subcall function 02C47400: Process32FirstW.KERNEL32 ref: 02C47460
Part of subcall function 02C47400: Process32NextW.KERNEL32 ref: 02C474A0
Part of subcall function 02C47400: CloseHandle.KERNEL32 ref: 02C474AD

lstrlenW.KERNEL32 ref: 02C477DD
lstrcatW.KERNEL32 ref: 02C477F1

Part of subcall function 02C4A550: GetModuleHandleA.KERNEL32 ref: 02C4A55D
Part of subcall function 02C4A550: GetProcAddress.KERNEL32 ref: 02C4A575
Part of subcall function 02C4A550: GetProcAddress.KERNEL32 ref: 02C4A58C
Part of subcall function 02C4A550: GetProcAddress.KERNEL32 ref: 02C4A5A3

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 02C476F8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrcat$AddressCloseCreateHandleProc$OpenProcessProcess32SnapshotTokenToolhelp32Value$AdjustCurrentErrorFirstInstanceLastLookupModuleNextPrivilegePrivilegesQuerylstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
API String ID: 1729154408-4035668053
Opcode ID: 1d2b676108bdf634e983210c69edc8232fb219044d9aa69fb5ef76e773f646e8
Instruction ID: 2ed17d04980e8076a8f0db70fb0334c1b21ba0532b3eff66e4afd3fa221a4536
Opcode Fuzzy Hash: 1d2b676108bdf634e983210c69edc8232fb219044d9aa69fb5ef76e773f646e8
Instruction Fuzzy Hash: 01915C72704B9086EB20CF65E854B9E7BB1FB89B98F504116DE4D5BB28DF38C549CB40

Function 02C47BF0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C466A0: SysFreeString.OLEAUT32 ref: 02C466FD
Part of subcall function 02C466A0: SysAllocString.OLEAUT32 ref: 02C46749

GetTokenInformation.ADVAPI32 ref: 02C47C66
GetLastError.KERNEL32 ref: 02C47C70
GetProcessHeap.KERNEL32 ref: 02C47C83
HeapAlloc.KERNEL32 ref: 02C47C92
GetTokenInformation.ADVAPI32 ref: 02C47CBE
LookupAccountSidW.ADVAPI32 ref: 02C47CFC
GetLastError.KERNEL32 ref: 02C47D06
GetProcessHeap.KERNEL32 ref: 02C47D56
HeapFree.KERNEL32 ref: 02C47D64

Strings

Network, xrefs: 02C47BF0
NONE_MAPPED, xrefs: 02C47D13

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountLookup
String ID: NONE_MAPPED$Network
API String ID: 1972796461-3150097737
Opcode ID: ac7feef6db6130654831ced217b9bb5803c1e798a4c6bdfe98388abe7cb67064
Instruction ID: a53d567c2539a4a175b27a11f2dc5917b7e70c0cfc6cb960f2c360484cfbb843
Opcode Fuzzy Hash: ac7feef6db6130654831ced217b9bb5803c1e798a4c6bdfe98388abe7cb67064
Instruction Fuzzy Hash: C2416232314A8186EA24DB11F848BAFB365FBC9B99F944025DE4A47B58EF3CD549CB00

Function 02C48A70 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 02C48A85
GetProcAddress.KERNEL32 ref: 02C48AA1
FreeLibrary.KERNEL32 ref: 02C48BCD

Part of subcall function 02C5553C: _vswprintf_s_l.LIBCMT ref: 02C55556

Part of subcall function 02C489F0: GetModuleHandleW.KERNEL32 ref: 02C48A1B
Part of subcall function 02C489F0: GetProcAddress.KERNEL32 ref: 02C48A2B
Part of subcall function 02C489F0: GetNativeSystemInfo.KERNEL32 ref: 02C48A3B

RegOpenKeyExW.ADVAPI32 ref: 02C48B67
RegQueryValueExW.ADVAPI32 ref: 02C48B92
RegCloseKey.ADVAPI32 ref: 02C48BB7

Strings

ntdll.dll, xrefs: 02C48A7B
ProductName, xrefs: 02C48B7E
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02C48B46
RtlGetNtVersionNumbers, xrefs: 02C48A97
%d.%d.%d, xrefs: 02C48AE6

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValue_vswprintf_s_l
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1477497710-3190923360
Opcode ID: 8fccf4e8e9dfffdbce54dd016b3a3e640cc6c4c560ac19f32a706210135c0e15
Instruction ID: 597de29e342e22bdaab0eb0f5b5bc57f0a9c44ca21c9201c75316df88e00854e
Opcode Fuzzy Hash: 8fccf4e8e9dfffdbce54dd016b3a3e640cc6c4c560ac19f32a706210135c0e15
Instruction Fuzzy Hash: 8B31B07221978186EB60DF11F848B5E7760FB89BE4F444215EE9A47B98EF3CC644CB00

Function 00007FF7F8DF6F70 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 169timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF7F8DF6FB0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7F8DF7077
CreateEventW.KERNEL32 ref: 00007FF7F8DF70B8
CreateEventW.KERNEL32 ref: 00007FF7F8DF70E6
CreateEventW.KERNEL32 ref: 00007FF7F8DF7114
timeGetTime.WINMM ref: 00007FF7F8DF722A
CreateEventW.KERNEL32 ref: 00007FF7F8DF723F
CreateEventW.KERNEL32 ref: 00007FF7F8DF7253

Strings

<, xrefs: 00007FF7F8DF6FF7
<, xrefs: 00007FF7F8DF6FFE

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CreateEvent$CountCriticalInitializeSectionSpinTimetime
String ID: <$<
API String ID: 4111701721-213342407
Opcode ID: 203e18af1a8a4e1e889c7495eccf5284d8b72f4a964f0ba929df4dc58f6d7ff2
Instruction ID: a908459800c507a9ba625334e6452727eddc3b5553096ac11ca38e7828660490
Opcode Fuzzy Hash: 203e18af1a8a4e1e889c7495eccf5284d8b72f4a964f0ba929df4dc58f6d7ff2
Instruction Fuzzy Hash: 2C81BC32601B9286E704AF30E8547AD73A8FB48F08F58413DEE694B7D8CF388055DBA4

Function 02C49960 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 02C499BC
lstrcmpiW.KERNEL32 ref: 02C499FB
lstrcmpiW.KERNEL32 ref: 02C49A0F
QueryDosDeviceW.KERNEL32 ref: 02C49A40
lstrlenW.KERNEL32 ref: 02C49A4F
lstrcpyW.KERNEL32 ref: 02C49A83
lstrcpyW.KERNEL32 ref: 02C49ACE
lstrcatW.KERNEL32 ref: 02C49ADB

Strings

A:\, xrefs: 02C499E9
B:\, xrefs: 02C49A05

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStringslstrcatlstrlen
String ID: A:\$B:\
API String ID: 1889997506-1009255891
Opcode ID: 5dc2d984e07fee21b3691a8fb012607491010a079a3f60e72f83a1abb6f6c642
Instruction ID: e8889277c7c3d910eae3fed6214e2823309a73140da13e9a37a70cee7300599c
Opcode Fuzzy Hash: 5dc2d984e07fee21b3691a8fb012607491010a079a3f60e72f83a1abb6f6c642
Instruction Fuzzy Hash: 47316166218A9185EB30DF12F8487AF6364F7C9B89F445116DE8A87B58EF7CC245CF40

Function 00007FF7F8DF8580 Relevance: 15.0, APIs: 10, Instructions: 34threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F8DF858B
GetConsoleWindow.KERNEL32 ref: 00007FF7F8DF8591
ShowWindow.USER32 ref: 00007FF7F8DF859C
GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF85A2
PostThreadMessageA.USER32 ref: 00007FF7F8DF85B2
GetInputState.USER32 ref: 00007FF7F8DF85B8

Part of subcall function 00007FF7F8DF73D0: lstrlenW.KERNEL32 ref: 00007FF7F8DF7459
Part of subcall function 00007FF7F8DF73D0: lstrlenW.KERNEL32 ref: 00007FF7F8DF746C
Part of subcall function 00007FF7F8DF73D0: lstrlenW.KERNEL32 ref: 00007FF7F8DF7548
Part of subcall function 00007FF7F8DF73D0: lstrlenW.KERNEL32 ref: 00007FF7F8DF755B

CreateThread.KERNEL32 ref: 00007FF7F8DF85DE
WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF85F1
CloseHandle.KERNEL32 ref: 00007FF7F8DF85FE
Sleep.KERNEL32 ref: 00007FF7F8DF8609

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlen$Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 3551332608-0
Opcode ID: 152ae417eb4b62f33c842a60702934fe7b1e65802cfc5c2bd98c8d5dbe26bc31
Instruction ID: 1685a28f009144f55dbf9b1bfc204bcdebf1a030d4fb220c8f738b109a44304f
Opcode Fuzzy Hash: 152ae417eb4b62f33c842a60702934fe7b1e65802cfc5c2bd98c8d5dbe26bc31
Instruction Fuzzy Hash: 1C014820F18E5282F704BB75BC19569E3A1FF88B16BC08934D57F422F0DE3C6419A2A8

Function 02C48180 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 02C481EA
GetDiskFreeSpaceExW.KERNEL32 ref: 02C4820E
GlobalMemoryStatusEx.KERNEL32 ref: 02C48275

Strings

:, xrefs: 02C481CE
HDD:%d, xrefs: 02C48289
%sFree%d Gb , xrefs: 02C482B7
@, xrefs: 02C4823E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: DiskDriveFreeGlobalMemorySpaceStatusType
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3475944273-3501811827
Opcode ID: 76de7998e9de80cc2ded53d2e4fe325184efc08d04f63c850a58e7016f2c78a4
Instruction ID: d8c8c6a4d1e8d43cc55d892e4e3f98172fea36612f8227234114d771dd1bde30
Opcode Fuzzy Hash: 76de7998e9de80cc2ded53d2e4fe325184efc08d04f63c850a58e7016f2c78a4
Instruction Fuzzy Hash: EA310736209B8486E760DF15B844B8BB7A4F389798F901216EECD43B18DF38C556CB40

Function 02C47A90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 02C47A9A
CoCreateInstance.OLE32 ref: 02C47ABE
SysFreeString.OLEAUT32 ref: 02C47B88
CoUninitialize.OLE32 ref: 02C47BD5

Strings

Network, xrefs: 02C47A90
FriendlyName, xrefs: 02C47B70

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName$Network
API String ID: 841178590-1437807293
Opcode ID: 84c243b931c5992d681145c8f6e0b05a35417d470a1a95b211a46464dadc8825
Instruction ID: 5403e7f4a03aa2c7fa5a3e09dc66f9b455da7a56a1db49801ee79afc33cb4ef9
Opcode Fuzzy Hash: 84c243b931c5992d681145c8f6e0b05a35417d470a1a95b211a46464dadc8825
Instruction Fuzzy Hash: E931FD76204A8692EB20DF75E444B9EB760F7C8F99F559016DA8E83B24DF38C189CB00

Function 02C489F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 02C48A1B
GetProcAddress.KERNEL32 ref: 02C48A2B
GetNativeSystemInfo.KERNEL32 ref: 02C48A3B
GetSystemInfo.KERNEL32 ref: 02C48A3F

Strings

kernel32.dll, xrefs: 02C489F6
GetNativeSystemInfo, xrefs: 02C48A21

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 89cb0620d88a823d197d8a4edb78f2da70a6a6bea98d141efa7987b94c4cb817
Instruction ID: f42b971558cef748db4263fdfbe33890cc6acd348a7621cd2231a68e33888276
Opcode Fuzzy Hash: 89cb0620d88a823d197d8a4edb78f2da70a6a6bea98d141efa7987b94c4cb817
Instruction Fuzzy Hash: A1F03C36619F8586EA60EB10FC5875A73A4F7C8B44F840229D6CF83758EF7CC2558B00

Function 02C43660 Relevance: 7.6, APIs: 5, Instructions: 74networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 02C436F5
recv.WS2_32 ref: 02C4371B
_errno.LIBCMT ref: 02C43727
_errno.LIBCMT ref: 02C43731
_errno.LIBCMT ref: 02C4373E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$recvselect
String ID:
API String ID: 4102763267-0
Opcode ID: a87cada1dcbfab8d9f4ea9d1832976277f26580d7a4e36eb41945066a534f54b
Instruction ID: 723ae2cc4c4a02a4eafea5649024e450d51b842de221e30600f4f323f3df8de1
Opcode Fuzzy Hash: a87cada1dcbfab8d9f4ea9d1832976277f26580d7a4e36eb41945066a534f54b
Instruction Fuzzy Hash: 7F319AB2214AD081EB309F25E948B6E73A1FBC9BD8F944265CE8A47B94DF38C0408B15

Function 02C47400 Relevance: 7.6, APIs: 5, Instructions: 56processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02C47441
Process32FirstW.KERNEL32 ref: 02C47460
Process32NextW.KERNEL32 ref: 02C474A0
CloseHandle.KERNEL32 ref: 02C474AD
CloseHandle.KERNEL32 ref: 02C474D6

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 0be9ed80d58a340915f6c32b2beb49099068b08a59c1afc760e6751da2d599d4
Instruction ID: 2b2ed5070eba9ac0beaa16cde73ca24b14d98a85102d834a24b9d15d46090a5b
Opcode Fuzzy Hash: 0be9ed80d58a340915f6c32b2beb49099068b08a59c1afc760e6751da2d599d4
Instruction Fuzzy Hash: 4721782260864185EB64DB26F45C37BB7A1F7C8B98F849225DA5E47B54EF3CC548CF10

Function 02C48440 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 02C484B0

Strings

%s%s %d*%d , xrefs: 02C488FD
%s%s %d %d , xrefs: 02C486B0
vector<T> too long, xrefs: 02C4862F, 02C4863C, 02C48983, 02C48990

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateFactory
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 1145517477-257307503
Opcode ID: 32845b5ceee2c9c9111369cf511fee31bcf8c5e9523092c1b243209fcc5ace9d
Instruction ID: d4e6eb185b9f0e0d9ef0cb01671c6db3702fc38cb6c186dd9ec63cd0a36cdf29
Opcode Fuzzy Hash: 32845b5ceee2c9c9111369cf511fee31bcf8c5e9523092c1b243209fcc5ace9d
Instruction Fuzzy Hash: 2DD1E072714A8486DF10CF66E8542AE7762F784BE8F544722DE6E27BA8DF38C585C700

Function 02C5BA94 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 02C5BAAA
GetVersion.KERNEL32 ref: 02C5BABC
HeapSetInformation.KERNEL32 ref: 02C5BADA

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 90aacd7874f7576210f1b8e18ccfcd6701819cf72a36e26adf16026e4497063d
Instruction ID: e4487430f56595025de3f75e68d48044155b3625cbb861d7c238c55c089aa63e
Opcode Fuzzy Hash: 90aacd7874f7576210f1b8e18ccfcd6701819cf72a36e26adf16026e4497063d
Instruction Fuzzy Hash: 4FE0D834211A9182FB595715F80DB6E3711F7C8344F805018FA0B43F44EF3CC0468714

Function 02C4F080 Relevance: 34.7, APIs: 23, Instructions: 201
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 02C4F0CA
GlobalLock.KERNEL32 ref: 02C4F0D6
GlobalUnlock.KERNEL32 ref: 02C4F0ED
CreateStreamOnHGlobal.OLE32 ref: 02C4F102
EnterCriticalSection.KERNEL32 ref: 02C4F14B
LeaveCriticalSection.KERNEL32 ref: 02C4F15E
GdipCreateBitmapFromStream.GDIPLUS ref: 02C4F18E
GdipDisposeImage.GDIPLUS ref: 02C4F1A5
GdipDisposeImage.GDIPLUS ref: 02C4F1C3
CreateStreamOnHGlobal.OLE32 ref: 02C4F1E2
GetHGlobalFromStream.OLE32 ref: 02C4F20D
GlobalLock.KERNEL32 ref: 02C4F218
GlobalFree.KERNEL32 ref: 02C4F233
DeleteObject.GDI32 ref: 02C4F338
EnterCriticalSection.KERNEL32 ref: 02C4F345
EnterCriticalSection.KERNEL32 ref: 02C4F35A
GdiplusShutdown.GDIPLUS ref: 02C4F36C
LeaveCriticalSection.KERNEL32 ref: 02C4F380
LeaveCriticalSection.KERNEL32 ref: 02C4F38D
GlobalFree.KERNEL32 ref: 02C4F396

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$DisposeFreeFromImageLock$AllocBitmapDeleteGdiplusObjectShutdownUnlock
String ID:
API String ID: 562715702-0
Opcode ID: 1f20682f04d03fbf3385fc7b2c80d26b451ef2743fd3ada5c9c0ffae22fdbc8f
Instruction ID: aa42ab7b9e1b9e2b513ca5302404251525dfea6eefc8b3418df8460a176674a6
Opcode Fuzzy Hash: 1f20682f04d03fbf3385fc7b2c80d26b451ef2743fd3ada5c9c0ffae22fdbc8f
Instruction Fuzzy Hash: 9191F436704B418AFB24DBA1F85879E33B1F788BA8F404619CE5E57EA8DF38C1598750

Function 02C4CC50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 02C4CC8E
malloc.LIBCMT ref: 02C4CCFA
free.LIBCMT ref: 02C4CD26
GdipGetImageEncoders.GDIPLUS ref: 02C4CD3F
free.LIBCMT ref: 02C4CD56
free.LIBCMT ref: 02C4CE2B
GdipCreateBitmapFromScan0.GDIPLUS ref: 02C4CE72
GdipSaveImageToStream.GDIPLUS ref: 02C4CE89
GdipDisposeImage.GDIPLUS ref: 02C4CE96
free.LIBCMT ref: 02C4CEAB
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 02C4CEC5
GdipSaveImageToStream.GDIPLUS ref: 02C4CEDC
GdipDisposeImage.GDIPLUS ref: 02C4CEE9
free.LIBCMT ref: 02C4CF06
GdipDisposeImage.GDIPLUS ref: 02C4CF15
free.LIBCMT ref: 02C4CF26

Strings

&, xrefs: 02C4CE5D

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Gdip$Image$free$Dispose$BitmapCreateEncodersFromSaveStream$Scan0Sizemalloc
String ID: &
API String ID: 1890951399-3042966939
Opcode ID: 1b113133b1d1c7f617ae231253ae617589de5df3b5f4aa67eb334f1dad3f7bec
Instruction ID: 22b8f0daee8bd10b65e2c4fc07b282112646a4a4ab2ce894e02b86a160d17ea5
Opcode Fuzzy Hash: 1b113133b1d1c7f617ae231253ae617589de5df3b5f4aa67eb334f1dad3f7bec
Instruction Fuzzy Hash: 05719232302A8196EF149F35D9147AA2765F784BD8F889637DE1A477A4EF38D345C340

Function 02C47F70 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02C47FA5
wsprintfW.USER32 ref: 02C47FBC

Part of subcall function 02C47D90: GetCurrentProcessId.KERNEL32 ref: 02C47DAD
Part of subcall function 02C47D90: OpenProcess.KERNEL32 ref: 02C47DBD
Part of subcall function 02C47D90: OpenProcessToken.ADVAPI32 ref: 02C47DE5
Part of subcall function 02C47D90: CloseHandle.KERNEL32 ref: 02C47DF2

GetVersionExW.KERNEL32 ref: 02C47FEB
GetCurrentProcess.KERNEL32 ref: 02C48014
OpenProcessToken.ADVAPI32 ref: 02C48025
GetTokenInformation.ADVAPI32 ref: 02C4804F
GetLastError.KERNEL32 ref: 02C48059
LocalAlloc.KERNEL32 ref: 02C48073
GetTokenInformation.ADVAPI32 ref: 02C4809B
GetSidSubAuthorityCount.ADVAPI32 ref: 02C480A9
GetSidSubAuthority.ADVAPI32 ref: 02C480B8
LocalFree.KERNEL32 ref: 02C480C3
CloseHandle.KERNEL32 ref: 02C480D6
wsprintfW.USER32 ref: 02C48135

Strings

NO/, xrefs: 02C4811B
None/%s, xrefs: 02C48124
-N/, xrefs: 02C48112

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: -N/$NO/$None/%s
API String ID: 4155081256-3095023699
Opcode ID: eabe9c37c142d0c42af826881d2ffa50fe86e3bf6b1343313f3b0a9839f108bd
Instruction ID: c63cf3c1e8bc528343da7a5177e253b37759364df28ab70b8b844e2a99d84034
Opcode Fuzzy Hash: eabe9c37c142d0c42af826881d2ffa50fe86e3bf6b1343313f3b0a9839f108bd
Instruction Fuzzy Hash: E151FC31218B85C6EB64DF21FC98BAE7371F789B88F441126DA4A47A58DF38D549CB40

Function 02C4C830 Relevance: 27.3, APIs: 18, Instructions: 283
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 02C4C86F
GdipGetImageHeight.GDIPLUS ref: 02C4C8D8
GdipGetImageWidth.GDIPLUS ref: 02C4C8F6
GdipGetImagePaletteSize.GDIPLUS ref: 02C4C93C
malloc.LIBCMT ref: 02C4C9A2

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

free.LIBCMT ref: 02C4C9CB
GdipGetImagePalette.GDIPLUS ref: 02C4C9EA
GdipBitmapLockBits.GDIPLUS ref: 02C4CAA7
free.LIBCMT ref: 02C4CAC6
GdipCreateBitmapFromScan0.GDIPLUS ref: 02C4CBBF
GdipGetImageGraphicsContext.GDIPLUS ref: 02C4CBD4
GdipDrawImageI.GDIPLUS ref: 02C4CBEC
GdipDeleteGraphics.GDIPLUS ref: 02C4CBF5
GdipDisposeImage.GDIPLUS ref: 02C4CBFE
free.LIBCMT ref: 02C4CAE6

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

memcpy_s.LIBCMT ref: 02C4CB2C
GdipBitmapUnlockBits.GDIPLUS ref: 02C4CB68
free.LIBCMT ref: 02C4CC16

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Gdip$Image$free$Bitmap_errno$BitsGraphicsHeapPalette$AllocContextCreateDeleteDisposeDrawErrorFormatFreeFromHeightLastLockPixelScan0SizeUnlockWidth_callnewhmallocmemcpy_s
String ID:
API String ID: 1886978121-0
Opcode ID: 42f3f85edf21d4ffff2d38a0cd1d8951f1e28ef6d88c4ef60eeee2c527c753ee
Instruction ID: 68d27722fb6ad545c9af7539c8d24348ea2f930c845b351df14f9fb605470e99
Opcode Fuzzy Hash: 42f3f85edf21d4ffff2d38a0cd1d8951f1e28ef6d88c4ef60eeee2c527c753ee
Instruction Fuzzy Hash: ACB1BE72301A809ADB20CF26D848B9E37A5F788BD8F459527DE5A87B64DF38C345C744

Function 02C472D0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 67
synchronizationsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 02C472F4
CreateMutexExW.KERNEL32 ref: 02C472FA
Sleep.KERNEL32 ref: 02C47315
CreateMutexW.KERNEL32 ref: 02C47326
GetLastError.KERNEL32 ref: 02C4732C
lstrlenW.KERNEL32 ref: 02C47365
lstrcmpW.KERNEL32 ref: 02C47393
Sleep.KERNEL32 ref: 02C473A2
GetModuleHandleW.KERNEL32 ref: 02C473B3
GetConsoleWindow.KERNEL32 ref: 02C473BE

Strings

open, xrefs: 02C47370
2024.12.22, xrefs: 02C472E9, 02C4731B
key, xrefs: 02C47377

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateMutex$Sleep$ConsoleErrorHandleLastModuleWindowlstrcmplstrlen
String ID: 2024.12.22$key$open
API String ID: 4141083079-4017660554
Opcode ID: 4a448574df46548b3933a1e0e783c702eebcdd2863c0193c8b969a62963df4fc
Instruction ID: 6314a240ff7cad442cc0e5d094e0b9314be5452bd39a9dea482017a706f306d5
Opcode Fuzzy Hash: 4a448574df46548b3933a1e0e783c702eebcdd2863c0193c8b969a62963df4fc
Instruction Fuzzy Hash: 35311D31614A82C2FB24AB25F85CBAE7361FB84B49F849526D94F43964DF3CC24DCB51

Function 00007FF7F8DF80E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 140synchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF7F8DF8114

Part of subcall function 00007FF7F8DF9128: malloc.LIBCMT ref: 00007FF7F8DF9142

SleepEx.KERNEL32 ref: 00007FF7F8DF828D
CreateEventA.KERNEL32 ref: 00007FF7F8DF82E4
SleepEx.KERNEL32 ref: 00007FF7F8DF8333
WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF833F

Part of subcall function 00007FF7F8DF3230: WSAStartup.WS2_32 ref: 00007FF7F8DF32AF
Part of subcall function 00007FF7F8DF3230: CreateEventW.KERNEL32 ref: 00007FF7F8DF32C0

Part of subcall function 00007FF7F8DF92D0: _errno.LIBCMT ref: 00007FF7F8DF92EF
Part of subcall function 00007FF7F8DF92D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DF92FB

Part of subcall function 00007FF7F8DF92D0: _errno.LIBCMT ref: 00007FF7F8DF932B

CloseHandle.KERNEL32 ref: 00007FF7F8DF8350
CloseHandle.KERNEL32 ref: 00007FF7F8DF8360

Strings

8.218.163.62, xrefs: 00007FF7F8DF817E, 00007FF7F8DF8221, 00007FF7F8DF82A5
6666, xrefs: 00007FF7F8DF81A6, 00007FF7F8DF81D3, 00007FF7F8DF8239, 00007FF7F8DF8296

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Sleep$CloseCreateEventHandle_errno$ObjectSingleStartupWait_invalid_parameter_noinfomalloc
String ID: 6666$8.218.163.62
API String ID: 407272786-298227647
Opcode ID: 13c9adc974c42543c4138414809006d942cbbcd1fe96e939a7d0cf87f8cfa7a0
Instruction ID: 7231b3b37c19e2bbc70c54a1fd6e73eedb3610591661210b2eccabf5dad05798
Opcode Fuzzy Hash: 13c9adc974c42543c4138414809006d942cbbcd1fe96e939a7d0cf87f8cfa7a0
Instruction Fuzzy Hash: C6614C21A18A4295E710FB20E8441A9E360FF497A0FD04535E97E43BE9DF3CE549F7A8

Function 00007FF7F8DF6690 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF7F8DF66EC
RegDeleteValueW.KERNEL32 ref: 00007FF7F8DF66FE
RegSetValueExW.KERNEL32 ref: 00007FF7F8DF6726
RegCloseKey.KERNEL32 ref: 00007FF7F8DF6731
OpenProcess.KERNEL32 ref: 00007FF7F8DF6770
GetExitCodeProcess.KERNEL32 ref: 00007FF7F8DF6783
Sleep.KERNEL32 ref: 00007FF7F8DF679C

Strings

IpDates_info, xrefs: 00007FF7F8DF66F7, 00007FF7F8DF6709
SOFTWARE, xrefs: 00007FF7F8DF66D0

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: 7273320449914747eef314da4b35d0b3e2dae11081ca32cb48a94620bb4d36a9
Instruction ID: 9a6b81caa6e7f08867cf5f4f436e07a2e9a4fa7722baa200d8a664ef76231238
Opcode Fuzzy Hash: 7273320449914747eef314da4b35d0b3e2dae11081ca32cb48a94620bb4d36a9
Instruction Fuzzy Hash: FF318771B1CA0282EB50AB11F844569F3A5FF88794F800534D57E42AE8DF3CE449EB98

Function 02C47D90 Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02C47DAD
OpenProcess.KERNEL32 ref: 02C47DBD
OpenProcessToken.ADVAPI32 ref: 02C47DE5
CloseHandle.KERNEL32 ref: 02C47DF2
SysStringLen.OLEAUT32 ref: 02C47E40
SysStringLen.OLEAUT32 ref: 02C47E53
CloseHandle.KERNEL32 ref: 02C47EBD
CloseHandle.KERNEL32 ref: 02C47EC6
SysFreeString.OLEAUT32 ref: 02C47EFC
SysFreeString.OLEAUT32 ref: 02C47F39

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: String$CloseHandleProcess$FreeOpen$CurrentToken
String ID:
API String ID: 3697972778-0
Opcode ID: 250c813f0b5ac911f241f73868ced926d4be8b2829d6ef28bc566a87a8018372
Instruction ID: 43f6eab0ddb4925f4f65fe5bb7e0e85413eef59a9949bf1bc05c415af50cbf26
Opcode Fuzzy Hash: 250c813f0b5ac911f241f73868ced926d4be8b2829d6ef28bc566a87a8018372
Instruction Fuzzy Hash: D8418026205B8086EF24DF22E41476EA365FBC4F98F484629CE9E4BB54DF3CC949C740

Function 00007FF7F8DF98FC Relevance: 15.1, APIs: 10, Instructions: 87COMMON

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF7F8DF9966
_FF_MSGBANNER.LIBCMT ref: 00007FF7F8DF9991
_RTC_Initialize.LIBCMT ref: 00007FF7F8DF99AA
_amsg_exit.LIBCMT ref: 00007FF7F8DF99BE
GetCommandLineW.KERNEL32 ref: 00007FF7F8DF99C3
__wsetargv.LIBCMT ref: 00007FF7F8DF99DC
_amsg_exit.LIBCMT ref: 00007FF7F8DF99EA
_amsg_exit.LIBCMT ref: 00007FF7F8DF99FD
_cinit.LIBCMT ref: 00007FF7F8DF9A07
_amsg_exit.LIBCMT ref: 00007FF7F8DF9A12

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
String ID:
API String ID: 2949660345-0
Opcode ID: bc546b9b31afb54ae0084185d84276419e05a16c241d08c8ffe122babf2c2063
Instruction ID: d71707a4bb3ffdf27923d4f80045a51a6b4522bc923edc26638b653523f4861c
Opcode Fuzzy Hash: bc546b9b31afb54ae0084185d84276419e05a16c241d08c8ffe122babf2c2063
Instruction Fuzzy Hash: 8D314D20E0C60396FB54776094462B9E291AF89348FC55035D57D462DFDE2CB848B6FD

Function 02C47860 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C478C9
RegQueryInfoKeyW.ADVAPI32 ref: 02C47924
RegEnumKeyExW.ADVAPI32 ref: 02C479B9
lstrlenW.KERNEL32 ref: 02C479C3
lstrlenW.KERNEL32 ref: 02C479D2

Part of subcall function 02C55F08: _errno.LIBCMT ref: 02C55F27
Part of subcall function 02C55F08: _invalid_parameter_noinfo.LIBCMT ref: 02C55F33

Part of subcall function 02C55F08: _errno.LIBCMT ref: 02C55F7D

RegCloseKey.ADVAPI32 ref: 02C47A1B
lstrlenW.KERNEL32 ref: 02C47A38

Strings

Software\Tencent\Plugin\VAS, xrefs: 02C478AD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlen$_errno$CloseEnumInfoOpenQuery_invalid_parameter_noinfo
String ID: Software\Tencent\Plugin\VAS
API String ID: 47975445-3343197220
Opcode ID: 36ec62b793e39dcc94c07c2d0a1f741258fd71675ca2a9683c074fb8b423db42
Instruction ID: 2de507f8b95efb75efd50783ddc8c4ec3adc3ba75586b7db8a3beaeddcb76310
Opcode Fuzzy Hash: 36ec62b793e39dcc94c07c2d0a1f741258fd71675ca2a9683c074fb8b423db42
Instruction Fuzzy Hash: CE513D36614B9186E720CF25F89479FB3A5F788748F901126DA8D57E18DF38C289CB44

Function 02C4EA30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

GetLastInputInfo.USER32 ref: 02C4EA7A
GetTickCount.KERNEL32 ref: 02C4EA80
wsprintfW.USER32 ref: 02C4EAB4
GetForegroundWindow.USER32 ref: 02C4EABA
GetWindowTextW.USER32 ref: 02C4EAD2

Strings

%d min, xrefs: 02C4EAAD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTickmallocwsprintf
String ID: %d min
API String ID: 4179731349-1947832151
Opcode ID: 40337b7360b93958c7ffefbf7603324078d7470535306a49e8a517b9f1626132
Instruction ID: 4ab693a0118955d4d5723498529b46d916083bb7d96202c33a0f7974c2c58d51
Opcode Fuzzy Hash: 40337b7360b93958c7ffefbf7603324078d7470535306a49e8a517b9f1626132
Instruction Fuzzy Hash: E041AF727046909ADB28EF26E49879FBBA1F785B88F444029DE4E07B58DF3CC645CB04

Function 00007FF7F8DF3860 Relevance: 9.2, APIs: 6, Instructions: 154memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF3883
VirtualAlloc.KERNEL32 ref: 00007FF7F8DF3910
VirtualFree.KERNEL32 ref: 00007FF7F8DF3952
VirtualAlloc.KERNEL32 ref: 00007FF7F8DF39DF
VirtualFree.KERNEL32 ref: 00007FF7F8DF3A21
GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF3AE3

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocCurrentFreeThread
String ID:
API String ID: 1155560630-0
Opcode ID: 4b852a1b5dd8efe1026821f14150178db2e8c6b99ec0c6da190b714437e6e122
Instruction ID: f7f98412b715cf2f31871e68f0c7e089468514aed2b3a307a924c2adea323aa1
Opcode Fuzzy Hash: 4b852a1b5dd8efe1026821f14150178db2e8c6b99ec0c6da190b714437e6e122
Instruction Fuzzy Hash: 82717F32718A8197D75CAB25E140769F3A0FB48784F908134DB7E87788DF38E4A9E754

Function 02C48310 Relevance: 9.1, APIs: 6, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C48375
RegQueryValueExW.ADVAPI32 ref: 02C483BD
lstrcmpW.KERNEL32 ref: 02C483D3
RegCloseKey.ADVAPI32 ref: 02C483FC
RegCloseKey.ADVAPI32 ref: 02C48407

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 43d7abf421c986796ffab67def199f110ce2357268e7baf3c27bcbaffcd6d8c5
Instruction ID: e386a12214e8bc301b50c717d425310c629cad9b50395c0cdaed6ee8837352a3
Opcode Fuzzy Hash: 43d7abf421c986796ffab67def199f110ce2357268e7baf3c27bcbaffcd6d8c5
Instruction Fuzzy Hash: C021F031318A8086EB609B25FC88B5B7360FB85B98F545225AE9E43B98DF38C545CB44

Function 02C5576C Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C55797
_invalid_parameter_noinfo.LIBCMT ref: 02C557A2
_getptd.LIBCMT ref: 02C557C8
CreateThread.KERNEL32 ref: 02C5581D
GetLastError.KERNEL32 ref: 02C55828
free.LIBCMT ref: 02C55833

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: ef76c9431adcd85a319d1e57cb9e2ef9ae5cf1fbd286b1b05233d4a8e7f6675d
Instruction ID: 2ef2d8a909c518783cfe1ed61fd6f5d7b895b3a5d0946951ca5257266cd569bb
Opcode Fuzzy Hash: ef76c9431adcd85a319d1e57cb9e2ef9ae5cf1fbd286b1b05233d4a8e7f6675d
Instruction Fuzzy Hash: 4521933130479086EB14EBA6E94075EB3A5FB84BD4F844625EF6903B95CF3CD195CB08

Function 00007FF7F8DF94DC Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8DF9507
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DF9512
_getptd.LIBCMT ref: 00007FF7F8DF9538
CreateThread.KERNEL32 ref: 00007FF7F8DF958D
GetLastError.KERNEL32 ref: 00007FF7F8DF9598
free.LIBCMT ref: 00007FF7F8DF95A3

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: 3cde405814183ac50174b4c7b06ee0a655b453fe3172371e7738c2e9b2a32393
Instruction ID: 5652ffae701dbf665c86039f6aa1f8cc687acd9dbf66f7882a8f8853b33150e5
Opcode Fuzzy Hash: 3cde405814183ac50174b4c7b06ee0a655b453fe3172371e7738c2e9b2a32393
Instruction Fuzzy Hash: 5C21C721A0878191EB04BB65A544269F290BF88B94F844235EE7D037DECF3CE059A798

Function 00007FF7F8DF3690 Relevance: 7.6, APIs: 5, Instructions: 74networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF7F8DF3725
recv.WS2_32 ref: 00007FF7F8DF374B
_errno.LIBCMT ref: 00007FF7F8DF3757
_errno.LIBCMT ref: 00007FF7F8DF3761
_errno.LIBCMT ref: 00007FF7F8DF376E

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$recvselect
String ID:
API String ID: 4102763267-0
Opcode ID: 9990d17f50331093fb9b0363c6e75c664667ad3c976c3c73e9e25bfe87bb2aa3
Instruction ID: c750b0de2e33cc0fcb9d0d7cbe054d04985a16bf9f343b52ab36ff3a055f1877
Opcode Fuzzy Hash: 9990d17f50331093fb9b0363c6e75c664667ad3c976c3c73e9e25bfe87bb2aa3
Instruction Fuzzy Hash: AD31A571A0C68181E7646B25E40437DF290EF88B88F854135DA7D4BACDCF3CD008A769

Function 02C4D920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C4D989
RegQueryValueExW.ADVAPI32 ref: 02C4D9B3

Strings

IpDatespecial, xrefs: 02C4D9A4
Console, xrefs: 02C4D963

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: OpenQueryValue
String ID: Console$IpDatespecial
API String ID: 4153817207-1840232981
Opcode ID: f597642ce5486d2b0d97fa684612b1f2a97d83d6342d12bdc6a07c867f32ff83
Instruction ID: 38d2ea1c1b176a3667678235a98f10f47043cc2750cfad7c28e62bbc6e895ea0
Opcode Fuzzy Hash: f597642ce5486d2b0d97fa684612b1f2a97d83d6342d12bdc6a07c867f32ff83
Instruction Fuzzy Hash: 16218E33718AA099E7218B61F844B9E7774F78879CF844126EE9913A58DF38C25ACB00

Function 00007FF7F8DF9128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF7F8DF9136
malloc.LIBCMT ref: 00007FF7F8DF9142

Part of subcall function 00007FF7F8DF9070: _FF_MSGBANNER.LIBCMT ref: 00007FF7F8DF90A0
Part of subcall function 00007FF7F8DF9070: HeapAlloc.KERNEL32(?,?,0001939100000000,00007FF7F8DFC050,?,?,ceil,00007FF7F8DFD951,?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DF90C5
Part of subcall function 00007FF7F8DF9070: _callnewh.LIBCMT ref: 00007FF7F8DF90DE
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90E9
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90F4

std::exception::exception.LIBCMT ref: 00007FF7F8DF91AF

Strings

bad allocation, xrefs: 00007FF7F8DF917F

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 4f08dc12cc9b3052129dc1c476ad1ada57a0f8fd3b1b96a9833c9c367f9ae114
Instruction ID: 40856d39fdb91f5e45c8b6bc512ecd28b1668116268e8f4c0756d8088b139449
Opcode Fuzzy Hash: 4f08dc12cc9b3052129dc1c476ad1ada57a0f8fd3b1b96a9833c9c367f9ae114
Instruction Fuzzy Hash: 08010061F08A0790EF14BB10A8444B4E360AF48354FC41431E9BE467E9EE3CE149F7A8

Function 02C49AF0 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 02C49B2A
GetProcessImageFileNameW.PSAPI ref: 02C49B46
CloseHandle.KERNEL32 ref: 02C49B53
CloseHandle.KERNEL32 ref: 02C49B71

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleProcess$FileImageNameOpen
String ID:
API String ID: 93767460-0
Opcode ID: f4c9a00bd5335a512c6e2cdfdcb9c4e881643e77e15c2ea394c83688fc739c2e
Instruction ID: e04ca4180f64c35907188de245296b9b9f9491b796b3bd762bd5910c8af0678f
Opcode Fuzzy Hash: f4c9a00bd5335a512c6e2cdfdcb9c4e881643e77e15c2ea394c83688fc739c2e
Instruction Fuzzy Hash: 90011E61318B9182FF34DB26F89C76B6291BB89BD8F8454288E4E87B44EF3DC145CB10

Function 00007FF7F8DF945C Relevance: 6.0, APIs: 4, Instructions: 32threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F8DF9491
ExitThread.KERNEL32 ref: 00007FF7F8DF9499
GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF94A0
_freefls.LIBCMT ref: 00007FF7F8DF94D1

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: c1032e5ba32211df7021af190faab52d392a270f38cd16aa57ea7f747e353cbe
Instruction ID: e21a123fffa3d408a722a3b22baf346c50d54c92a5292d1fda80772351faf0bc
Opcode Fuzzy Hash: c1032e5ba32211df7021af190faab52d392a270f38cd16aa57ea7f747e353cbe
Instruction Fuzzy Hash: 6A018160E09B0681EB007B71940927CE390AF5DB88F940830C93D473CAEE3CA448B3F8

Function 02C432E0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 02C4331D
CancelIo.KERNEL32 ref: 02C4332A
closesocket.WS2_32 ref: 02C4333A
SetEvent.KERNEL32 ref: 02C43344

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 03eef7d3bc33077443603d47114998edeb02d6415146c2d3186012465a948f41
Instruction ID: a78a2ea9538fb4e6cebac172ad15aebfe766489f16b6ee1370455cede7c2f0e7
Opcode Fuzzy Hash: 03eef7d3bc33077443603d47114998edeb02d6415146c2d3186012465a948f41
Instruction Fuzzy Hash: 65F03C36201B8183E7148F25E55875EB331F785B64F640329DBBD07AA4CF39C0658740

Function 00007FF7F8DF3310 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF7F8DF334D
CancelIo.KERNEL32 ref: 00007FF7F8DF335A
closesocket.WS2_32 ref: 00007FF7F8DF336A
SetEvent.KERNEL32 ref: 00007FF7F8DF3374

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 77c2693313518921cd1b9c8efffd3d9e865a5c66b2e60eb56a87be25d9ebaed2
Instruction ID: b64a1c14b3cadeb2d5fbf8966022272a6df8269e7391967b21685711881daa16
Opcode Fuzzy Hash: 77c2693313518921cd1b9c8efffd3d9e865a5c66b2e60eb56a87be25d9ebaed2
Instruction Fuzzy Hash: 85F04632604A8183E7149F25E85432AF331FB89BA0F604735CBBD07AE4CF39D0698B44

Function 00007FF7F8DF3C10 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF3C20
SleepEx.KERNEL32 ref: 00007FF7F8DF3C2B
WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF3C40
WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF3C50

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: bc31317e1241cbe88b87a2fddbfd8f69b2015d3f2dce8f37f5b894eda6bc4ee3
Instruction ID: fb6518377ff59d4dcbfdc82806ce1cd01ec18006214317196d6d6b9ffcf2e054
Opcode Fuzzy Hash: bc31317e1241cbe88b87a2fddbfd8f69b2015d3f2dce8f37f5b894eda6bc4ee3
Instruction Fuzzy Hash: A0F08232704D4586F740AF75DC04328B360FB8AB24F640B31CA3E462D4CF388445D3A4

Function 02C4FC40 Relevance: 4.7, APIs: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 02C4FCB6
RegEnumValueW.ADVAPI32 ref: 02C4FD67

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

Part of subcall function 02C55378: _callnewh.LIBCMT ref: 02C55386
Part of subcall function 02C55378: std::exception::exception.LIBCMT ref: 02C553FF

RegCloseKey.ADVAPI32 ref: 02C4FF30

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseEnumInfoQueryValue_callnewhmallocstd::exception::exception
String ID:
API String ID: 1242514309-0
Opcode ID: 3305b858c53ab821ca1a14390b6984ca58f21078f84b97f883c0325d42e4eb17
Instruction ID: b820f8b5800fedff4009c8b4bfb59587eb1c8b297df4429ba79eb8d26345203f
Opcode Fuzzy Hash: 3305b858c53ab821ca1a14390b6984ca58f21078f84b97f883c0325d42e4eb17
Instruction Fuzzy Hash: 01818C32301B508AEB10CF65E884B9D73E8F788B98F51822AEE5D87B64EF34C551C744

Function 00007FF7F8DF3C80 Relevance: 4.7, APIs: 3, Instructions: 152memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DF1080: VirtualAlloc.KERNEL32 ref: 00007FF7F8DF10F8
Part of subcall function 00007FF7F8DF1080: VirtualFree.KERNELBASE ref: 00007FF7F8DF1133

timeGetTime.WINMM(?,?,?,?,?,00007FF7F8DF37C7), ref: 00007FF7F8DF3D24
VirtualAlloc.KERNEL32(?,?,?,?,?,00007FF7F8DF37C7), ref: 00007FF7F8DF3E3F
VirtualFree.KERNEL32(?,?,?,?,?,00007FF7F8DF37C7), ref: 00007FF7F8DF3E77

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree$Timetime
String ID:
API String ID: 3637049079-0
Opcode ID: 772ceebf875e37336e87943166f2de9f2810a96974fdecb1bd8079b0e36f7ae3
Instruction ID: 8ed9e700f83e6c15afd99b5cc434ec4fa31a76eb250dca9160d0447b383244f8
Opcode Fuzzy Hash: 772ceebf875e37336e87943166f2de9f2810a96974fdecb1bd8079b0e36f7ae3
Instruction Fuzzy Hash: 0061A532A0465286DB18AB29D44CA6EF3A4FF4C7C0F420135DA6D477D8DF38E449E794

Function 02C4C570 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02C4C590
GdiplusStartup.GDIPLUS ref: 02C4C5CC
LeaveCriticalSection.KERNEL32 ref: 02C4C5E6

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: 95c4991dab0195ebe368ffd66680bcf302dcdb8c8965a393e09ff6184bfe9b5d
Instruction ID: 259627cd0abdd625e46d7507609bdbc6a8c7acb24cbc01bcc76e7f01b292be6e
Opcode Fuzzy Hash: 95c4991dab0195ebe368ffd66680bcf302dcdb8c8965a393e09ff6184bfe9b5d
Instruction Fuzzy Hash: FB011936608B82C2FB249F11F88879EB3B5F7A1754F84110AE68A43A64DF7CC159CB00

Function 00007FF7F8DF9EC8 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 00007FF7F8DF9EDE
GetVersion.KERNEL32 ref: 00007FF7F8DF9EF0
HeapSetInformation.KERNEL32 ref: 00007FF7F8DF9F0E

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 548033a4c8ebb5abcb3e3bdf629b7b62b8a0c9b1179596de6b3cb96c9a1ceea0
Instruction ID: f8e789210f7a4378c5affb65caef39dfae3c58a9cd136b3cd4362e5dcd383362
Opcode Fuzzy Hash: 548033a4c8ebb5abcb3e3bdf629b7b62b8a0c9b1179596de6b3cb96c9a1ceea0
Instruction Fuzzy Hash: CCE06534F19A5282FB457710A809775E260FF98355FC04434E92F027D8DF3CD485A6E8

Function 02AF00DC Relevance: 3.4, APIs: 2, Instructions: 391memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02AF0157
LoadLibraryA.KERNEL32 ref: 02AF02BD

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction ID: a5043f71722adb4e56d79d1b5f8a10d3b6fe671748cfacc8a7a17af30c6acd4c
Opcode Fuzzy Hash: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction Fuzzy Hash: A5B1B631614E0A8FCB689FA9C8C4675B3E0FB54315B05427DEA8AC7256DF78E892C7C1

Function 02C466A0 Relevance: 3.1, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02C466FD
SysAllocString.OLEAUT32 ref: 02C46749

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 2ff8072f682cb467b12351a1f9e4afe1b1f9cbb5b4c9ea14b380adfe7e6cb5a0
Instruction ID: ad5085fd50d39b1936a7b34e33b1c55e120a24c19cc6a7e69c56304fa459d9d6
Opcode Fuzzy Hash: 2ff8072f682cb467b12351a1f9e4afe1b1f9cbb5b4c9ea14b380adfe7e6cb5a0
Instruction Fuzzy Hash: C9219531202B5182EF199F25D11476AA264AFC5BA8F2C4629CF690B798EF7CC5518700

Function 02C43A30 Relevance: 3.1, APIs: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 02C43A93
send.WS2_32 ref: 02C43AE0

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 2e59fa7294a7467a9ddcbc0dceddb505d2c61d6133225b8cfaa6b415a71a6c04
Instruction ID: 6a39be0dbea0d9109769f9d60819a67665bf98c40ad3573ed4131fa2c027a38b
Opcode Fuzzy Hash: 2e59fa7294a7467a9ddcbc0dceddb505d2c61d6133225b8cfaa6b415a71a6c04
Instruction Fuzzy Hash: 68110822784BD041D3209BA6BC4872F7A55F7C9BD8F242166EF5A93F54EFB8C1828704

Function 00007FF7F8DF3B10 Relevance: 3.1, APIs: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF7F8DF3B73
send.WS2_32 ref: 00007FF7F8DF3BC0

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 993fe9fb8bd5cda1ffd7d49de116850fd78509aad300088003f3a940471f662b
Instruction ID: f41bbbdb6b268767c2dc0b876d915a0da560fd97b6252b150ee308d60f203f57
Opcode Fuzzy Hash: 993fe9fb8bd5cda1ffd7d49de116850fd78509aad300088003f3a940471f662b
Instruction Fuzzy Hash: D221D422A08A9240E3646B16E85137AF650FF8CBD4F851131DF3D87BD9EEBCD446A348

Function 02C4FF90 Relevance: 3.0, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 02C4FFC1
free.LIBCMT ref: 02C50004

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateHeapfree
String ID:
API String ID: 2345683253-0
Opcode ID: f3c853349a5c59fd3449079867ad891792ce2dd8b9137124cb1d366ba339df00
Instruction ID: 3039bd34787fc9b617b2b406c23a6fd0aa885d781df2a5faca1fb6a4d1840c2d
Opcode Fuzzy Hash: f3c853349a5c59fd3449079867ad891792ce2dd8b9137124cb1d366ba339df00
Instruction Fuzzy Hash: CF111BB25217608AEB54CF69E48031D77F8F788F48F25511AEB4997B18CB78C492CB84

Function 00007FF7F8DF8650 Relevance: 3.0, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 00007FF7F8DF8681
free.LIBCMT ref: 00007FF7F8DF86C4

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CreateHeapfree
String ID:
API String ID: 2345683253-0
Opcode ID: d06350443261b5c44dc0382cd6166cd32f98e0a7bcc8923f0c5a309339592e20
Instruction ID: f9442018347a61d2dc4719f860d55fd96af13d8d9e9327c41b6ddcfda4d1090c
Opcode Fuzzy Hash: d06350443261b5c44dc0382cd6166cd32f98e0a7bcc8923f0c5a309339592e20
Instruction Fuzzy Hash: FE119EB292576086E740DF24E480219B7F8FB48F48F64403AEB6957798CF78D482DB88

Function 02C437B0 Relevance: 3.0, APIs: 2, Instructions: 37sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02C437DB
timeGetTime.WINMM ref: 02C437FF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: a0bf3c937420c0917f34046eef8d55b82e3cbf61d4d324ed7221063299da0014
Instruction ID: aa92e0f732966ba41fb040104e8f30f883fea044cbd712aee4400a8d09667eac
Opcode Fuzzy Hash: a0bf3c937420c0917f34046eef8d55b82e3cbf61d4d324ed7221063299da0014
Instruction Fuzzy Hash: AC01A232718684C7E7288B74E28833D7361F7C4B89F145265DB5B03A94CFB8C1A5C745

Function 00007FF7F8DF37E0 Relevance: 3.0, APIs: 2, Instructions: 37timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF7F8DF380B
timeGetTime.WINMM ref: 00007FF7F8DF382F

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 88df6c9814dd7951e769eaa4fec861968935f3fc4ebb5d812e480bd371ef65fc
Instruction ID: 4f8d83e790dbe0505d4e8c9c37960858946940d1694da8c2e449d45ec669defb
Opcode Fuzzy Hash: 88df6c9814dd7951e769eaa4fec861968935f3fc4ebb5d812e480bd371ef65fc
Instruction Fuzzy Hash: 9601B522B1864187E7685B24D18833CE660FF48B94F444234C77E07AD4CF7CD4A8D798

Function 02C5569C Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02C5DF0C: GetLastError.KERNEL32 ref: 02C5DF16
Part of subcall function 02C5DF0C: FlsGetValue.KERNEL32 ref: 02C5DF24
Part of subcall function 02C5DF0C: FlsSetValue.KERNEL32 ref: 02C5DF50
Part of subcall function 02C5DF0C: GetCurrentThreadId.KERNEL32 ref: 02C5DF64
Part of subcall function 02C5DF0C: SetLastError.KERNEL32 ref: 02C5DF7C

ExitThread.KERNEL32 ref: 02C556B8
_getptd.LIBCMT ref: 02C556C4

Part of subcall function 02C5E0E8: FlsGetValue.KERNEL32 ref: 02C5E101
Part of subcall function 02C5E0E8: FlsSetValue.KERNEL32 ref: 02C5E112
Part of subcall function 02C5E0E8: _freefls.LIBCMT ref: 02C5E11B

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Value$ErrorLastThread$CurrentExit_freefls_getptd
String ID:
API String ID: 3588098115-0
Opcode ID: 69fd6f60cbd72f61ca7718c2e2a29e064edf9474930f3cd69f06ff0a27feda29
Instruction ID: 852f1b7712578fe4de5cbc400faf793876fe0d69b99410f2488701e23a6c08e0
Opcode Fuzzy Hash: 69fd6f60cbd72f61ca7718c2e2a29e064edf9474930f3cd69f06ff0a27feda29
Instruction Fuzzy Hash: BFE0EC10F0239442DE1CB7B1589972C03A2ABD9B44F5858788E0B57741EE39C8D99B08

Function 02C51B50 Relevance: 3.0, APIs: 2, Instructions: 20synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 02C51B7B
WaitForSingleObject.KERNEL32 ref: 02C51B8E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 91d2d110985bb54daf9c0b435a0f1d873197dfe1a6e7d7fc0f20f16f28882229
Instruction ID: 652736ddb5858705cc52b3d441dc603472992ea94c1757d1ef7a4568d50f74ae
Opcode Fuzzy Hash: 91d2d110985bb54daf9c0b435a0f1d873197dfe1a6e7d7fc0f20f16f28882229
Instruction Fuzzy Hash: 15E01271D14E5081FB609B65BC0D7A92391F794354FA44229945E86760EF7C81858604

Function 00007FF7F8DF1080 Relevance: 2.6, APIs: 2, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF7F8DF10F8
VirtualFree.KERNELBASE ref: 00007FF7F8DF1133

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 26e2137525513526dd013d54ad7f142b8e6e46a3c1df15383bd1b51481be757a
Instruction ID: e6c12b10c22b05d92e0c9452536b565eecbb04bf32591194b63a2955a5901111
Opcode Fuzzy Hash: 26e2137525513526dd013d54ad7f142b8e6e46a3c1df15383bd1b51481be757a
Instruction Fuzzy Hash: 2E413832B04A8586DB09EB29E410569F395FF88BC8F448538EE2E83798DF38C545E790

Function 02C41140 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02C411B1
VirtualFree.KERNEL32 ref: 02C411E5

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 530910900c37fe9613c3ff3dda4de058dcfccbb59fe36364dc77c55757d465c3
Instruction ID: f3b0ef5fa7facc1e92d1d3d46b90a3c913b95796b6fe7315934c2f78fd0e1512
Opcode Fuzzy Hash: 530910900c37fe9613c3ff3dda4de058dcfccbb59fe36364dc77c55757d465c3
Instruction Fuzzy Hash: B5219932714A5087D755CF2AF54471E73A1F789B80F588525DB5A93B04EF74D8E2CB40

Function 00007FF7F8DF11F0 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF7F8DF1261
VirtualFree.KERNELBASE ref: 00007FF7F8DF1295

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 95b57b51fc333e6316162f6326f5110e0a83f6deb2dcaf3171337f97a5765aa6
Instruction ID: 3a9cea7acb787d46da92e8fe3567acac98b81a8e6c489bf8a975296f6f5615d0
Opcode Fuzzy Hash: 95b57b51fc333e6316162f6326f5110e0a83f6deb2dcaf3171337f97a5765aa6
Instruction Fuzzy Hash: 9F21FB32B14A4187DB45DB69E140219F3A0FB4CB80F544531EB6ED3748EF38D8D19784

Function 02C41080 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 02C410D3
VirtualFree.KERNEL32 ref: 02C4110C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e37b62da0ecbe8d6c4feb3876bb8c88a6cb38d412b61bd74b990c88d492ffce2
Instruction ID: e2016a09ce3c21ba644840193f908035d6102fd1c23beb47e64d3d8b27f6d906
Opcode Fuzzy Hash: e37b62da0ecbe8d6c4feb3876bb8c88a6cb38d412b61bd74b990c88d492ffce2
Instruction Fuzzy Hash: 2B11A731724B8486D759CF36F54471AF3A5EB84BC4F189125DA8A93B18EF38C9D1CB80

Function 00007FF7F8E074F0 Relevance: 1.5, APIs: 1, Instructions: 22networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF7F8E07520

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 69ce0e59409c3ed63e01fee79cb91035653ccaefa39d6bbe4741f0a49fc59aaf
Instruction ID: b8bb1764d0555347eb0258f71e1e84848773130226cbd782ba7ee11e30160afa
Opcode Fuzzy Hash: 69ce0e59409c3ed63e01fee79cb91035653ccaefa39d6bbe4741f0a49fc59aaf
Instruction Fuzzy Hash: 26F03A35A14A86DAEB00EF24D8550A8F3A4FB4C304FC48431E9AE47799DE3CE1149B54

Function 00007FF7F8DF9430 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8DF9434

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

Part of subcall function 00007FF7F8DF940C: ExitThread.KERNEL32 ref: 00007FF7F8DF9428

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ExitThread_amsg_exit_getptd
String ID:
API String ID: 449628364-0
Opcode ID: 556d5509b120e02cdcca8f06fb680f1e7bbffed6d54eb6d90fa9cde67232f795
Instruction ID: 0f047080506480a1a018ab91a26821c5d1389aae57a865d87505731140c5d942
Opcode Fuzzy Hash: 556d5509b120e02cdcca8f06fb680f1e7bbffed6d54eb6d90fa9cde67232f795
Instruction Fuzzy Hash: B8C01211F4714182DF087371846B6BC9251DFD9704F849070E13D433C7CD1D545EA258

Function 00007FF7F8DF940C Relevance: 1.5, APIs: 1, Instructions: 10threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DFB9B0: GetLastError.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFB9BA
Part of subcall function 00007FF7F8DFB9B0: FlsGetValue.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFB9C8
Part of subcall function 00007FF7F8DFB9B0: FlsSetValue.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFB9F4
Part of subcall function 00007FF7F8DFB9B0: GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DFBA08
Part of subcall function 00007FF7F8DFB9B0: SetLastError.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFBA20

ExitThread.KERNEL32 ref: 00007FF7F8DF9428

Part of subcall function 00007FF7F8DFBB8C: FlsGetValue.KERNEL32(?,?,?,00007FF7F8DF9426), ref: 00007FF7F8DFBBA5
Part of subcall function 00007FF7F8DFBB8C: FlsSetValue.KERNEL32(?,?,?,00007FF7F8DF9426), ref: 00007FF7F8DFBBB6
Part of subcall function 00007FF7F8DFBB8C: _freefls.LIBCMT ref: 00007FF7F8DFBBBF

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Value$ErrorLastThread$CurrentExit_freefls
String ID:
API String ID: 1216290073-0
Opcode ID: c93bf5a72a887f659e3f866e1ba6ff3216b61a395110430233b074b26d48111d
Instruction ID: 1ccdd86d67293db53b8c50f7db7705c98286406b9ad6a213ddae3181ccf88c8a
Opcode Fuzzy Hash: c93bf5a72a887f659e3f866e1ba6ff3216b61a395110430233b074b26d48111d
Instruction Fuzzy Hash: 3BC00250F1A60642EF1877B12959078D2501F5D701F885838997E063DAED3CA44976A8

Non-executed Functions

Function 02C48EC0 Relevance: 59.7, APIs: 25, Strings: 9, Instructions: 202libraryloaderprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 02C48F4B
CreateProcessA.KERNEL32 ref: 02C48FAE
OpenProcess.KERNEL32 ref: 02C48FD3
LoadLibraryA.KERNEL32 ref: 02C49001
GetProcAddress.KERNEL32 ref: 02C49011
LoadLibraryA.KERNEL32 ref: 02C49022
GetProcAddress.KERNEL32 ref: 02C49032
LoadLibraryA.KERNEL32 ref: 02C49043
GetProcAddress.KERNEL32 ref: 02C49053
LoadLibraryA.KERNEL32 ref: 02C49064
GetProcAddress.KERNEL32 ref: 02C49074
GetCurrentProcess.KERNEL32 ref: 02C4907E
GetProcessId.KERNEL32 ref: 02C49087
GetModuleFileNameA.KERNEL32 ref: 02C490BB
VirtualAllocEx.KERNEL32 ref: 02C490F1
WriteProcessMemory.KERNEL32 ref: 02C49114

Strings

%s%s, xrefs: 02C48F5F
Kernel32.dll, xrefs: 02C48FFA, 02C49017, 02C49038, 02C49059
ExitProcess, xrefs: 02C49028
WinExec, xrefs: 02C49049
@, xrefs: 02C49165
Windows\System32\svchost.exe, xrefs: 02C48F51
OpenProcess, xrefs: 02C49007
WaitForSingleObject, xrefs: 02C4906A
h, xrefs: 02C48F2B

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process$AddressLibraryLoadProc$AllocCreateCurrentDirectoryFileMemoryModuleNameOpenSystemVirtualWrite
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 675209239-4110464286
Opcode ID: 0a9a7cb759e9cd70e4e7ad241d6db3e1b1dac7647f357b7e36e456aaf75e7cd7
Instruction ID: efea0fda83e05a4912fd08c3eeb5a7986b7dcb6ef67b6ccf225eff7954523107
Opcode Fuzzy Hash: 0a9a7cb759e9cd70e4e7ad241d6db3e1b1dac7647f357b7e36e456aaf75e7cd7
Instruction Fuzzy Hash: 08913B31214B9186FB24DF62F818B9E77A5F789B88F804119DE4A07B58DF7DC249CB44

Function 02C52000 Relevance: 51.0, APIs: 18, Strings: 11, Instructions: 223stringclipboardsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02C52088
GetTickCount.KERNEL32 ref: 02C5208E
GetTickCount.KERNEL32 ref: 02C520A5
OpenClipboard.USER32 ref: 02C520B3
GetClipboardData.USER32 ref: 02C520BE
GlobalSize.KERNEL32 ref: 02C520D3
GlobalLock.KERNEL32 ref: 02C520E0
wsprintfW.USER32 ref: 02C5213E
GlobalUnlock.KERNEL32 ref: 02C52163
CloseClipboard.USER32 ref: 02C52170
GetKeyState.USER32 ref: 02C52205
lstrlenW.KERNEL32 ref: 02C5225F
lstrlenW.KERNEL32 ref: 02C5227F
lstrlenW.KERNEL32 ref: 02C522A7
wsprintfW.USER32 ref: 02C522CD
wsprintfW.USER32 ref: 02C522EC
wsprintfW.USER32 ref: 02C5231F
lstrlenW.KERNEL32 ref: 02C5236D

Strings

), xrefs: 02C522FE
), xrefs: 02C5222F
5, xrefs: 02C52238
[, xrefs: 02C5212F
5, xrefs: 02C52303
%s%s, xrefs: 02C5230B
%s%s, xrefs: 02C522C0
[esc], xrefs: 02C52075
%s%s, xrefs: 02C522D8
f, xrefs: 02C52339
9, xrefs: 02C521FD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlenwsprintf$ClipboardGlobal$CountTick$CloseDataLockOpenSizeSleepStateUnlock
String ID: [$%s%s$%s%s$%s%s$)$)$5$5$9$[esc]$f
API String ID: 4137050888-2084089848
Opcode ID: 1b461a56441360ce845689485ed66bb0008adf4a0547f8c3c9596193dca8de7b
Instruction ID: bd0fa51ef6c8093b44c1a50bc94e3f95302d9fd5f39941aa0e42d2a9fee44ccf
Opcode Fuzzy Hash: 1b461a56441360ce845689485ed66bb0008adf4a0547f8c3c9596193dca8de7b
Instruction Fuzzy Hash: 6091BD31200B9196FB14CF21EC4CBAE33A9F784B88F548029DE4A57B64DF78C685CB85

Function 02C62D00 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C62D56
_errno.LIBCMT ref: 02C62D5D
_invalid_parameter_noinfo.LIBCMT ref: 02C62D68

Strings

U, xrefs: 02C632E4

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 933f7ccd4e57a0c3640cd29298bfcbe6b8f7dd673e4b2ab9a2227a01ddb3188f
Instruction ID: e05b40b0eb2c3cab6e31735b28c21813af9cf8ceaff3fdea0311bc90c684b685
Opcode Fuzzy Hash: 933f7ccd4e57a0c3640cd29298bfcbe6b8f7dd673e4b2ab9a2227a01ddb3188f
Instruction Fuzzy Hash: 0C02D132614AC186EB208F25E88C77EB761F7C4B98F55412ADE8A47B58DF3DC14ACB11

Function 00007FF7F8DFE1C0 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 465COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7F8DFE216
_errno.LIBCMT ref: 00007FF7F8DFE21D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFE228

Strings

U, xrefs: 00007FF7F8DFE7A4

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 059fcb8d0d384e491ef6770d9f73524f45f969136b4973030bd1143b1e84cbf4
Instruction ID: 0f937c6f2906f0d8086753d0e88d45bbd258bfbb65a0e4197c34c0a86766c69b
Opcode Fuzzy Hash: 059fcb8d0d384e491ef6770d9f73524f45f969136b4973030bd1143b1e84cbf4
Instruction Fuzzy Hash: 5112F462A0864286EB20AF25D444379E3A1FFC8754F940135DA7E4B7D8DF3CE449E7A8

Function 00007FF7F8DFC28C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 722COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DFABF8: _getptd.LIBCMT ref: 00007FF7F8DFAC0A

_errno.LIBCMT ref: 00007FF7F8DFC2FF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFC30A
_fileno.LIBCMT ref: 00007FF7F8DFC343
_errno.LIBCMT ref: 00007FF7F8DFC3B6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFC3C1
write_multi_char.LIBCMT ref: 00007FF7F8DFC9AB
write_multi_char.LIBCMT ref: 00007FF7F8DFC9DD
write_multi_char.LIBCMT ref: 00007FF7F8DFCA7E
free.LIBCMT ref: 00007FF7F8DFCA96
write_char.LIBCMT ref: 00007FF7F8DFCBE9
write_char.LIBCMT ref: 00007FF7F8DFCC14

Strings

@, xrefs: 00007FF7F8DFC32F
, xrefs: 00007FF7F8DFC97B

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: d243f7bfa6fd055a53a23daff3e65f4d6fa7b73664807df99c45da9877ccf527
Instruction ID: ce4daeba76f8ad3cc6968a131a3490cee12cbecd366da999bb7005bc9fae9910
Opcode Fuzzy Hash: d243f7bfa6fd055a53a23daff3e65f4d6fa7b73664807df99c45da9877ccf527
Instruction Fuzzy Hash: 2552F662D0C66285FB24AB15A44027DEAA0BF497C4F944035DA7D476DCCF3CE868F7A8

Function 02C5F4E8 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 721COMMON

Download Yara Rule

APIs

Part of subcall function 02C55AD8: _getptd.LIBCMT ref: 02C55AEA

_errno.LIBCMT ref: 02C5F55B
_invalid_parameter_noinfo.LIBCMT ref: 02C5F566
_fileno.LIBCMT ref: 02C5F59F
_errno.LIBCMT ref: 02C5F612
_invalid_parameter_noinfo.LIBCMT ref: 02C5F61D
write_multi_char.LIBCMT ref: 02C5FC07
write_multi_char.LIBCMT ref: 02C5FC39
write_multi_char.LIBCMT ref: 02C5FCDA
free.LIBCMT ref: 02C5FCF2
write_char.LIBCMT ref: 02C5FE45
write_char.LIBCMT ref: 02C5FE70

Strings

, xrefs: 02C5FBD7
@, xrefs: 02C5F58B

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: ec179a5fd378d13b2d58a736491d49f451d9c3920d36331e28fa716487c53895
Instruction ID: 352b92e6a7dffc8ca350ee2135834c05e669515515a3d9a87a6062c36b1b4cdf
Opcode Fuzzy Hash: ec179a5fd378d13b2d58a736491d49f451d9c3920d36331e28fa716487c53895
Instruction Fuzzy Hash: 5A421572618AA086EB2D8F29D54436E6B61F7C779CF24101EDF4A47E64DB38C6C1CB09

Function 02C5C870 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 705COMMON

Download Yara Rule

APIs

Part of subcall function 02C55AD8: _getptd.LIBCMT ref: 02C55AEA

_errno.LIBCMT ref: 02C5C8DE
_invalid_parameter_noinfo.LIBCMT ref: 02C5C8E9
_fileno.LIBCMT ref: 02C5C921
_errno.LIBCMT ref: 02C5C992
_invalid_parameter_noinfo.LIBCMT ref: 02C5C99D
write_multi_char.LIBCMT ref: 02C5CF6A
write_multi_char.LIBCMT ref: 02C5CF9C
write_multi_char.LIBCMT ref: 02C5D048
free.LIBCMT ref: 02C5D061
write_char.LIBCMT ref: 02C5D1A0
write_char.LIBCMT ref: 02C5D1C1

Strings

@, xrefs: 02C5C90D
, xrefs: 02C5CF3A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: 777b2bbc50e84923bb68a82086348877efee093c21b5f3dd8466455b5af6995b
Instruction ID: 95c632886a1aa090647f6a81f1645b7f43225c82730dfa4cfa0eb00fa174ca97
Opcode Fuzzy Hash: 777b2bbc50e84923bb68a82086348877efee093c21b5f3dd8466455b5af6995b
Instruction Fuzzy Hash: 5A422572218BB086EB25CB29D54436E6B71FBC5788F185007DE4747AA8DB79C7C2CB48

Function 00007FF7F8DFAD44 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 705COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DFABF8: _getptd.LIBCMT ref: 00007FF7F8DFAC0A

_errno.LIBCMT ref: 00007FF7F8DFADB2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFADBD
_fileno.LIBCMT ref: 00007FF7F8DFADF5
_errno.LIBCMT ref: 00007FF7F8DFAE66
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFAE71
write_multi_char.LIBCMT ref: 00007FF7F8DFB43E
write_multi_char.LIBCMT ref: 00007FF7F8DFB470
write_multi_char.LIBCMT ref: 00007FF7F8DFB51C
free.LIBCMT ref: 00007FF7F8DFB535
write_char.LIBCMT ref: 00007FF7F8DFB674
write_char.LIBCMT ref: 00007FF7F8DFB695

Strings

@, xrefs: 00007FF7F8DFADE1
, xrefs: 00007FF7F8DFB40E

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: 658b0638e96a2018847d66b84efea279705a0a6da686782ae5e0afd207c87506
Instruction ID: 132ccf5b5cab6b989436577801e528955e672b92ecd61a503b8c27ac8a391598
Opcode Fuzzy Hash: 658b0638e96a2018847d66b84efea279705a0a6da686782ae5e0afd207c87506
Instruction Fuzzy Hash: 0252F762E0D65286FB24AB14954037EE6A0BF49748F940035DA7D476DCCF3DE848F7A8

Function 02C49460 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 123libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 02C494A7
GetProcAddress.KERNEL32 ref: 02C494BA
FreeLibrary.KERNEL32 ref: 02C494E6
GetProcAddress.KERNEL32 ref: 02C494FD
CreateFileW.KERNEL32 ref: 02C49546
GetProcAddress.KERNEL32 ref: 02C4958C
WriteFile.KERNEL32 ref: 02C495CD
CloseHandle.KERNEL32 ref: 02C495E2
Sleep.KERNEL32 ref: 02C495F5
GetProcAddress.KERNEL32 ref: 02C49605
FreeLibrary.KERNEL32 ref: 02C49620

Strings

wininet.dll, xrefs: 02C4948A
MSIE 6.0, xrefs: 02C494C0
InternetCloseHandle, xrefs: 02C495FB
InternetReadFile, xrefs: 02C49582
InternetOpenW, xrefs: 02C494AD
InternetOpenUrlW, xrefs: 02C494F3

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: 3bed2e3fed1dd97c3597bc5c297f86b790980d851acd740cd57b361686804748
Instruction ID: 2b4476638d6cc315e7533a0a3ffb5c9036752fd725a5d749d5d3aa17dadd72d5
Opcode Fuzzy Hash: 3bed2e3fed1dd97c3597bc5c297f86b790980d851acd740cd57b361686804748
Instruction Fuzzy Hash: 6B417122209A9182FA249B52F958B6FB3B1F789BE5F445215DE4A07B64DF3CC146CB00

Function 02C66254 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C6626F

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

GetUserDefaultLCID.KERNEL32 ref: 02C6636F
GetLocaleInfoW.KERNEL32 ref: 02C663D3
IsValidCodePage.KERNEL32 ref: 02C66445
IsValidLocale.KERNEL32 ref: 02C6645B
GetLocaleInfoA.KERNEL32 ref: 02C664D5
GetLocaleInfoA.KERNEL32 ref: 02C664F2
_itow_s.LIBCMT ref: 02C66510

Strings

Norwegian-Nynorsk, xrefs: 02C66496
ACP, xrefs: 02C6639C
OCP, xrefs: 02C663AF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Locale$Info$Valid$CodeDefaultPageUser_amsg_exit_getptd_itow_s
String ID: ACP$Norwegian-Nynorsk$OCP
API String ID: 1236750932-4064345498
Opcode ID: 1f16e3efabc551431a5c0578b677a8b35f1afe1a9ab028db14e8eca5c82f04ed
Instruction ID: fe37881df1917ff48ec365da920c51b57b3ae93b2d3b87ef1d86e64d59459dce
Opcode Fuzzy Hash: 1f16e3efabc551431a5c0578b677a8b35f1afe1a9ab028db14e8eca5c82f04ed
Instruction Fuzzy Hash: 8A71AE7230478186EB259F22E48C7BD7769FB84B88F284026CE4E47A98DF7CC645CB11

Function 02C51BF0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 121synchronizationfilekeyboardCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 02C51C2D
lstrcatW.KERNEL32 ref: 02C51C3D
CreateMutexW.KERNEL32 ref: 02C51C4A
WaitForSingleObject.KERNEL32 ref: 02C51C5D
CreateFileW.KERNEL32 ref: 02C51C8B
GetFileSize.KERNEL32 ref: 02C51C99
CloseHandle.KERNEL32 ref: 02C51CA4
DeleteFileW.KERNEL32 ref: 02C51CB5
ReleaseMutex.KERNEL32 ref: 02C51CC2
DirectInput8Create.DINPUT8 ref: 02C51CE3
GetTickCount.KERNEL32 ref: 02C51D9B
GetKeyState.USER32 ref: 02C51DAC

Strings

\DisplaySessionContainers.log, xrefs: 02C51C33
<, xrefs: 02C51D66

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
String ID: <$\DisplaySessionContainers.log
API String ID: 1095970075-1170057892
Opcode ID: a7707feeb2605cd531d5f7e39eeb4ae4399d5209c77fcb40601b151f21c5fa34
Instruction ID: 5fdf3ce613260fd59d3c8c564ce1c7f77135015ec2fb1287aa6211a85bd933da
Opcode Fuzzy Hash: a7707feeb2605cd531d5f7e39eeb4ae4399d5209c77fcb40601b151f21c5fa34
Instruction Fuzzy Hash: 8E512776204A8586FB108F66F85CB5E3765FB88B89F948029DE4E47B25CF7DD089CB40

Function 02C4F520 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 02C4F5B3
lstrlenW.KERNEL32 ref: 02C4F5D5
wsprintfW.USER32 ref: 02C4F631
ExpandEnvironmentStringsW.KERNEL32 ref: 02C4F698
lstrcatW.KERNEL32 ref: 02C4F6D3
lstrcatW.KERNEL32 ref: 02C4F6E0
lstrcpyW.KERNEL32 ref: 02C4F6EE
CreateProcessW.KERNEL32 ref: 02C4F75D

Strings

, xrefs: 02C4F5C2
WinSta0\Default, xrefs: 02C4F710
%s\shell\open\command, xrefs: 02C4F623
h, xrefs: 02C4F704
"%1, xrefs: 02C4F69E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: $"%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-2159495357
Opcode ID: 753f1e88c2c9bcdca436a99e464efae067fe74ee41da2aa91f75f24b88240b9b
Instruction ID: faa2874844b147baedd5aeb34f2047cb1fe9b1aa6b435b899210a2161352825d
Opcode Fuzzy Hash: 753f1e88c2c9bcdca436a99e464efae067fe74ee41da2aa91f75f24b88240b9b
Instruction Fuzzy Hash: D4517172314A9595FB20DF65E854BEE7365FB88788F804019CE0E47E68EF78C249CB14

Function 02B127D1 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 704COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02B12827
_errno.LIBCMT ref: 02B1282E
_invalid_parameter_noinfo.LIBCMT ref: 02B12839

Strings

U, xrefs: 02B12DB5

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: c9aa7ff1a95c4116b5dadac855f6185198e8c2debe563feb1bdbf6b2915f54c6
Instruction ID: a5f5b088f9ec21756a687b4f1f32a1022fd79c8c9f5d2760e25ec0a81ea87d76
Opcode Fuzzy Hash: c9aa7ff1a95c4116b5dadac855f6185198e8c2debe563feb1bdbf6b2915f54c6
Instruction Fuzzy Hash: 1B220731118A598BD729EF68C8857BAB7E1FB85704F94069DECC7C3291DB34E442CB82

Function 02C60F30 Relevance: 20.3, APIs: 13, Instructions: 753COMMON

Download Yara Rule

APIs

Part of subcall function 02C55AD8: _getptd.LIBCMT ref: 02C55AEA

_errno.LIBCMT ref: 02C60FA7
_invalid_parameter_noinfo.LIBCMT ref: 02C60FB2
DecodePointer.KERNEL32 ref: 02C6158C
DecodePointer.KERNEL32 ref: 02C615CD
DecodePointer.KERNEL32 ref: 02C615F2
write_multi_char.LIBCMT ref: 02C6168C
write_multi_char.LIBCMT ref: 02C616C1
write_char.LIBCMT ref: 02C6170D
write_multi_char.LIBCMT ref: 02C61765
free.LIBCMT ref: 02C6178C
_errno.LIBCMT ref: 02C61A47
_invalid_parameter_noinfo.LIBCMT ref: 02C61A52

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errno_invalid_parameter_noinfo$_getptdfreewrite_char
String ID:
API String ID: 3562693915-0
Opcode ID: e017b06b56cf3657e822e1d9cdd52de123d41ff819c9629cd0d88fe18efbce1b
Instruction ID: d06f051bc6d291d8642c4dbac7c7a709922de6311af726a51dbe37765d7d4661
Opcode Fuzzy Hash: e017b06b56cf3657e822e1d9cdd52de123d41ff819c9629cd0d88fe18efbce1b
Instruction Fuzzy Hash: FF4202766086808ADB248B66D4C837E7BB1F7C179AF1C4126DF4E87B94DBB9C641CB40

Function 02C4F790 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C4F806
RegQueryValueExW.ADVAPI32 ref: 02C4F879
lstrcpyW.KERNEL32 ref: 02C4F9D0
RegCloseKey.ADVAPI32 ref: 02C4F9E2
RegCloseKey.ADVAPI32 ref: 02C4F9ED

Strings

%08X, xrefs: 02C4F97E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 0207c94b67bd13682df5198da5d4066036a53627cf85588037e8996df98b4a62
Instruction ID: 05d0b7c78e4f28cb0c666dff399c2ea3d7a136a2069cd52284896bee63bc3cc2
Opcode Fuzzy Hash: 0207c94b67bd13682df5198da5d4066036a53627cf85588037e8996df98b4a62
Instruction Fuzzy Hash: 6C513F72218A8092EB60CF16F48875BB361FBD5794F90512AEA9E87E68DF38C145CB44

Function 02C49650 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 102threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 02C496F0
CreateProcessA.KERNEL32 ref: 02C49758
VirtualAllocEx.KERNEL32 ref: 02C49789
WriteProcessMemory.KERNEL32 ref: 02C497AA
GetThreadContext.KERNEL32 ref: 02C497C4
SetThreadContext.KERNEL32 ref: 02C497DE
ResumeThread.KERNEL32 ref: 02C497F1

Strings

%s%s, xrefs: 02C49704
h, xrefs: 02C496C4
Windows\System32\svchost.exe, xrefs: 02C496F6
@, xrefs: 02C4977E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s%s$@$Windows\System32\svchost.exe$h
API String ID: 4033188109-2160973000
Opcode ID: f34bcb2dd40bef71e100a131e5ce0c990cbd285b2e4561fe4d7e6fc0a56b66df
Instruction ID: 938576669cc8797bfa815aac75f60ce95714f950bf030c45e1bfc9329e66a9c6
Opcode Fuzzy Hash: f34bcb2dd40bef71e100a131e5ce0c990cbd285b2e4561fe4d7e6fc0a56b66df
Instruction Fuzzy Hash: F3416B72204BC186EB20CF62E854B9FB7A5F788788F445019DB8E57A68DF7DC259CB04

Function 00007FF7F8DF6C80 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 101threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF7F8DF6D2B
CreateProcessA.KERNEL32 ref: 00007FF7F8DF6D92
VirtualAllocEx.KERNEL32 ref: 00007FF7F8DF6DC1
WriteProcessMemory.KERNEL32 ref: 00007FF7F8DF6DE0
GetThreadContext.KERNEL32 ref: 00007FF7F8DF6E01
SetThreadContext.KERNEL32 ref: 00007FF7F8DF6E1F
ResumeThread.KERNEL32 ref: 00007FF7F8DF6E31

Strings

h, xrefs: 00007FF7F8DF6CF5
%s%s, xrefs: 00007FF7F8DF6D40
@, xrefs: 00007FF7F8DF6DB6
Windows\System32\tracerpt.exe, xrefs: 00007FF7F8DF6D31

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s%s$@$Windows\System32\tracerpt.exe$h
API String ID: 4033188109-528786837
Opcode ID: ccbe77caa5910820af2e6a65459cec20809b89b451be36ee65506754dcdfb72f
Instruction ID: 805fe2acf89786bb2edbb4e0d8fb91d85721e2228f507646e0a52b80c1f29d41
Opcode Fuzzy Hash: ccbe77caa5910820af2e6a65459cec20809b89b451be36ee65506754dcdfb72f
Instruction Fuzzy Hash: DE419232608A8285E720DF11F8407AAF365FF88B84F844035DAAD47A99DF3CD518DB54

Function 02C48C80 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C48C95
OpenProcessToken.ADVAPI32 ref: 02C48CA8
LookupPrivilegeValueW.ADVAPI32 ref: 02C48CC8
AdjustTokenPrivileges.ADVAPI32 ref: 02C48CF2
CloseHandle.KERNEL32 ref: 02C48CFD
GetModuleHandleA.KERNEL32 ref: 02C48D0A
GetProcAddress.KERNEL32 ref: 02C48D1A
OpenProcess.KERNEL32 ref: 02C48D52

Strings

NtDll.dll, xrefs: 02C48D03
NtSetInformationProcess, xrefs: 02C48D10
SeDebugPrivilege, xrefs: 02C48CB7

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process$HandleOpenToken$AddressAdjustCloseCurrentLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 2787840106-1577477132
Opcode ID: 006c88d0e4742fc9033daaec659e694211f69195633ac62cbb13f472629f2bb1
Instruction ID: f6b35964fb141e2339972424ecf430663a67af64918529af751547747249468f
Opcode Fuzzy Hash: 006c88d0e4742fc9033daaec659e694211f69195633ac62cbb13f472629f2bb1
Instruction Fuzzy Hash: 9C213E72219A4582FB14DB61F81C79E77A0FBC9B58F801119DA4E47B14EF7CC18ACB40

Function 02C4C1A0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 169timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 02C4C1E0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 02C4C2A7
CreateEventW.KERNEL32 ref: 02C4C2E8
CreateEventW.KERNEL32 ref: 02C4C316
CreateEventW.KERNEL32 ref: 02C4C344
timeGetTime.WINMM ref: 02C4C45A
CreateEventW.KERNEL32 ref: 02C4C46F
CreateEventW.KERNEL32 ref: 02C4C483

Strings

<, xrefs: 02C4C22E
<, xrefs: 02C4C227

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CreateEvent$CountCriticalInitializeSectionSpinTimetime
String ID: <$<
API String ID: 4111701721-213342407
Opcode ID: 048dc3425349f8fc4623e606ca67483624ffdc734d22f1d365165c3f50b062b1
Instruction ID: a8ad8148a5d0fbacb81837a6405d1d11e031afd76108a170731348066be83a62
Opcode Fuzzy Hash: 048dc3425349f8fc4623e606ca67483624ffdc734d22f1d365165c3f50b062b1
Instruction Fuzzy Hash: 6E817B72212B9186E7589F30E85879E37A9F344F4CF18423EDE598BB98CF788191CB54

Function 00007FF7F8DFA30C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 00007FF7F8DFA351
_set_error_mode.LIBCMT ref: 00007FF7F8DFA362
GetModuleFileNameW.KERNEL32 ref: 00007FF7F8DFA3C4

Part of subcall function 00007FF7F8DFA740: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F8DFA7E2), ref: 00007FF7F8DFA758

GetStdHandle.KERNEL32 ref: 00007FF7F8DFA4D9
WriteFile.KERNEL32 ref: 00007FF7F8DFA536

Strings

Runtime Error!Program: , xrefs: 00007FF7F8DFA391
<program name unknown>, xrefs: 00007FF7F8DFA3D3
Microsoft Visual C++ Runtime Library, xrefs: 00007FF7F8DFA47D
ceil, xrefs: 00007FF7F8DFA31C
..., xrefs: 00007FF7F8DFA416

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $ceil
API String ID: 2183313154-2708072404
Opcode ID: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
Instruction ID: 082ab25898ac3aa3717d27b0311da1325dfa80c9745edf15a470f4d1830a93ec
Opcode Fuzzy Hash: 44de1f721c027da7a128cc94a5ad70c9ea0fd816ea6c17f66893cfbd735dff7b
Instruction Fuzzy Hash: D651E821B0864241FB28FB2564166BAE251EF8D788FC40531EE7D42BC9CF3CE109B698

Function 02C5D328 Relevance: 17.2, APIs: 11, Instructions: 726COMMON

Download Yara Rule

APIs

Part of subcall function 02C55AD8: _getptd.LIBCMT ref: 02C55AEA

_errno.LIBCMT ref: 02C5D39F
_invalid_parameter_noinfo.LIBCMT ref: 02C5D3AA
DecodePointer.KERNEL32 ref: 02C5D966
DecodePointer.KERNEL32 ref: 02C5D9A7
DecodePointer.KERNEL32 ref: 02C5D9CC
write_multi_char.LIBCMT ref: 02C5DA5E
write_multi_char.LIBCMT ref: 02C5DA93
write_char.LIBCMT ref: 02C5DAE2
write_multi_char.LIBCMT ref: 02C5DB3A

Part of subcall function 02C60E84: _errno.LIBCMT ref: 02C60EA8

free.LIBCMT ref: 02C5DB61

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errno$_getptd_invalid_parameter_noinfofreewrite_char
String ID:
API String ID: 1806013980-0
Opcode ID: 1552cd673f4c9009c00e4e5aebb7c2d1653934e03051cbe30d545ed572ffd0fa
Instruction ID: 59bcbf3be55cd8a5602d9d9a0d2be5298247a839e0fda44ac720e67b5e3a5178
Opcode Fuzzy Hash: 1552cd673f4c9009c00e4e5aebb7c2d1653934e03051cbe30d545ed572ffd0fa
Instruction Fuzzy Hash: 3E4214B2608BA086EB248F65D44036E77B1F7C1798F541016DF4B97B98DB78C6C1CB48

Function 02C5BEDC Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 02C5BF21
_set_error_mode.LIBCMT ref: 02C5BF32
GetModuleFileNameW.KERNEL32 ref: 02C5BF94
GetStdHandle.KERNEL32 ref: 02C5C0A9
WriteFile.KERNEL32 ref: 02C5C106

Strings

Microsoft Visual C++ Runtime Library, xrefs: 02C5C04D
..., xrefs: 02C5BFE6
<program name unknown>, xrefs: 02C5BFA3
Runtime Error!Program: , xrefs: 02C5BF61

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: File_set_error_mode$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1085760375-4022980321
Opcode ID: bec6e322233c2a72ef1b69bf324003f95e38173e60baee35a0643b7f6f4324e7
Instruction ID: 7a33043928d038ea8c728bfe03ff58daa414a507fa09c1d629bb19d7fe688c10
Opcode Fuzzy Hash: bec6e322233c2a72ef1b69bf324003f95e38173e60baee35a0643b7f6f4324e7
Instruction Fuzzy Hash: CB51F3353047A086EB24DB26B828BAF6356FBC57C4F944116DE5A43B54DF3CC385CA08

Function 02B05A61 Relevance: 15.4, APIs: 10, Instructions: 379COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B05A83
_invalid_parameter_noinfo.LIBCMT ref: 02B05A8F
_errno.LIBCMT ref: 02B05AB9
__tzset.LIBCMT ref: 02B05AD6
_get_daylight.LIBCMT ref: 02B05ADF
_get_daylight.LIBCMT ref: 02B05AF0
_get_daylight.LIBCMT ref: 02B05B01
_isindst.LIBCMT ref: 02B05B45
_isindst.LIBCMT ref: 02B05B95
__getgmtimebuf.LIBCMT ref: 02B05D8F

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
String ID:
API String ID: 1457502553-0
Opcode ID: bf35303e10df82c9ff8321bc2ee6641708b0343ee9c83fc063de617ffaa70a58
Instruction ID: 385a623344ebd0380d16618e15ce9d5a837cc153f463b215e30daf07167adb47
Opcode Fuzzy Hash: bf35303e10df82c9ff8321bc2ee6641708b0343ee9c83fc063de617ffaa70a58
Instruction Fuzzy Hash: CFA1C531724A094BDB6DAF38C8D93B57AD6FB54305B8485BFEC06CA6A5EF74C4818B40

Function 02C55F90 Relevance: 15.3, APIs: 10, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C55FB2
_invalid_parameter_noinfo.LIBCMT ref: 02C55FBE
_errno.LIBCMT ref: 02C55FE8
__tzset.LIBCMT ref: 02C56005
_get_daylight.LIBCMT ref: 02C5600E
_get_daylight.LIBCMT ref: 02C5601F
_get_daylight.LIBCMT ref: 02C56030
_isindst.LIBCMT ref: 02C56074
_isindst.LIBCMT ref: 02C560C4
__getgmtimebuf.LIBCMT ref: 02C562BE

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _get_daylight$_errno_isindst$__getgmtimebuf__tzset_invalid_parameter_noinfo
String ID:
API String ID: 1457502553-0
Opcode ID: fc98137501184263b1711a368e79b6b7fedf990296f419f9690ea9b2a4686320
Instruction ID: f05503d5ecde0a668b8b2f0b1548cfe0cc7e5e11cf9547c68608387d68b19bdf
Opcode Fuzzy Hash: fc98137501184263b1711a368e79b6b7fedf990296f419f9690ea9b2a4686320
Instruction Fuzzy Hash: 3781E4B27007598BDB289F75C8557A963A6EB947C8F448136DF0A8BB48EB39D181CB04

Function 02C492E0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C492F7
OpenProcessToken.ADVAPI32 ref: 02C4930A
LookupPrivilegeValueW.ADVAPI32 ref: 02C49335
AdjustTokenPrivileges.ADVAPI32 ref: 02C49358
GetLastError.KERNEL32 ref: 02C4935E
CloseHandle.KERNEL32 ref: 02C4936D
CloseHandle.KERNEL32 ref: 02C49388

Strings

SeShutdownPrivilege, xrefs: 02C4931B

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: 3b408c9696417f386299ba55a60d1e887952e7de7df739ea596fa54433349fd8
Instruction ID: b1cd5f861efc0d87b3f1b4891d10f3942150b8070b6a5c0cd679a801f2b8cc6d
Opcode Fuzzy Hash: 3b408c9696417f386299ba55a60d1e887952e7de7df739ea596fa54433349fd8
Instruction Fuzzy Hash: 75114F72628A4082F7509F25F85D75E77A0FBC8B95F805419EA8F97A24DF3CC195CB00

Function 02C69CA0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C55AD8: _getptd.LIBCMT ref: 02C55AEA

_errno.LIBCMT ref: 02C69CF0
_invalid_parameter_noinfo.LIBCMT ref: 02C69CFA
_errno.LIBCMT ref: 02C69D1C
_invalid_parameter_noinfo.LIBCMT ref: 02C69D28
_errno.LIBCMT ref: 02C69D50
_cftoe_l.LIBCMT ref: 02C69D94

Strings

gfffffff, xrefs: 02C6A01F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 2ccce6238921ff669830667409cdcc1f0cb7341e5ebed707410b45c5fc83ee90
Instruction ID: f8e308bd2f287ef1ca9ad28ed622702bfac36c069cf77f8142378fc51c32c5f8
Opcode Fuzzy Hash: 2ccce6238921ff669830667409cdcc1f0cb7341e5ebed707410b45c5fc83ee90
Instruction Fuzzy Hash: 5AA142637047C48ADB01CB2AC6883BD7BA5E751BE8F04C622CF5A0B799EB39D165C311

Function 00007FF7F8E024BC Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DFABF8: _getptd.LIBCMT ref: 00007FF7F8DFAC0A

_errno.LIBCMT ref: 00007FF7F8E0250C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E02516
_errno.LIBCMT ref: 00007FF7F8E02538
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E02544
_errno.LIBCMT ref: 00007FF7F8E0256C
_cftoe_l.LIBCMT ref: 00007FF7F8E025B0

Strings

gfffffff, xrefs: 00007FF7F8E0283B

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: c07b627f99c2cd4ae9dd9b17e96f21b7b9fb9e47b31fd93882c95997571751ba
Instruction ID: 96b99a24b9d3bfb6519982869f8c7d05a6a3a2d4fcf2ba6917e1591684b5e912
Opcode Fuzzy Hash: c07b627f99c2cd4ae9dd9b17e96f21b7b9fb9e47b31fd93882c95997571751ba
Instruction Fuzzy Hash: C2B17563F0838646EB029B3595443ADEFE5AB11794F488932CF7E077D6DA3CA414E3A4

Function 00007FF7F8DFA5F4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F8DFA661
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F8DFA679
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F8DFA6B3
IsDebuggerPresent.KERNEL32 ref: 00007FF7F8DFA6E9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F8DFA6F3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F8DFA6FE

Strings

ceil, xrefs: 00007FF7F8DFA600

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: ceil
API String ID: 1239891234-3069211559
Opcode ID: 3144257c3ae2fa2d6dbd42b967809008da2bff6455cce039acfe86bdf2b0df6d
Instruction ID: 92cabb05573b07975ad4d96cedabfe6ce0bc70fc3a161d1ce7adcac2ff214c36
Opcode Fuzzy Hash: 3144257c3ae2fa2d6dbd42b967809008da2bff6455cce039acfe86bdf2b0df6d
Instruction Fuzzy Hash: 7E318332608F8286DB24DB25E8406AEF3A0FB88758F900135EABD47B99DF38D545DB54

Function 02C4A410 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 02C4A442
WriteProcessMemory.KERNEL32 ref: 02C4A4AE
WriteProcessMemory.KERNEL32 ref: 02C4A4D5
CreateRemoteThread.KERNEL32 ref: 02C4A4FA
WaitForSingleObject.KERNEL32 ref: 02C4A50B
VirtualFreeEx.KERNEL32 ref: 02C4A522

Strings

@, xrefs: 02C4A43A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: MemoryProcessVirtualWrite$AllocCreateFreeObjectRemoteSingleThreadWait
String ID: @
API String ID: 1392168757-2766056989
Opcode ID: ebdf221f38e794e2455333eaf63dd99797fa0bae23e01971042895992485c932
Instruction ID: 821fec044f362f7bed7beea6b815e8be3a28b538d4e492857decb319a585f4c3
Opcode Fuzzy Hash: ebdf221f38e794e2455333eaf63dd99797fa0bae23e01971042895992485c932
Instruction Fuzzy Hash: 0A312932208B8486EB60CB26F918B5AB7A4F789BD4F545229EACD43F58DF3CC111CB40

Function 02C4A900 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C4A917
OpenProcessToken.ADVAPI32 ref: 02C4A928
LookupPrivilegeValueW.ADVAPI32 ref: 02C4A948
AdjustTokenPrivileges.ADVAPI32 ref: 02C4A970
GetLastError.KERNEL32 ref: 02C4A976
CloseHandle.KERNEL32 ref: 02C4A986

Strings

SeDebugPrivilege, xrefs: 02C4A937

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3398352648-2896544425
Opcode ID: 4520cdda6bbee7e720759b10c361dc6be193f20f51fac45c03cbca138d1582c9
Instruction ID: d91180d087df36c1dbbcc4691afb7ba6c8b4ba695340ca355b3e732698fb509c
Opcode Fuzzy Hash: 4520cdda6bbee7e720759b10c361dc6be193f20f51fac45c03cbca138d1582c9
Instruction Fuzzy Hash: EA011B72218B4682FB108F25F848B5E77B0F788B98F801019EA8F43A24DF7CC159CB40

Function 02C54CD0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 02C5B7BF
RtlLookupFunctionEntry.KERNEL32 ref: 02C5B7DE
RtlVirtualUnwind.KERNEL32 ref: 02C5B82A
IsDebuggerPresent.KERNEL32 ref: 02C5B89C
SetUnhandledExceptionFilter.KERNEL32 ref: 02C5B8B4
UnhandledExceptionFilter.KERNEL32 ref: 02C5B8C1
GetCurrentProcess.KERNEL32 ref: 02C5B8DA
TerminateProcess.KERNEL32 ref: 02C5B8E8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 1c94f059e661cec249e69166cae7fc2ba1f8093385c11fe141dccac600b505b7
Instruction ID: d79d7fe8cc5779df0851d4a1ff21d8bfd264e2d53b40695013e12e4d61d8d818
Opcode Fuzzy Hash: 1c94f059e661cec249e69166cae7fc2ba1f8093385c11fe141dccac600b505b7
Instruction Fuzzy Hash: 09311535109B8586FB64DF51F888B5E77A4FB85794F50802ADA8E43B68EF7CC594CB00

Function 00007FF7F8DF8AD0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F8DF9B2F
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F8DF9B4E
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F8DF9B9A
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFA727), ref: 00007FF7F8DF9C0C
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFA727), ref: 00007FF7F8DF9C24
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFA727), ref: 00007FF7F8DF9C31
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFA727), ref: 00007FF7F8DF9C4A
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFA727), ref: 00007FF7F8DF9C58

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a174535eb0d5241deb48ece9e46a2be905d6ec3f467502f47f0e199c436921ae
Instruction ID: 541ed207c9e271295a393dd127e2b6261475bc5266488dba328e6d5ac24ffbd4
Opcode Fuzzy Hash: a174535eb0d5241deb48ece9e46a2be905d6ec3f467502f47f0e199c436921ae
Instruction Fuzzy Hash: 5E31FC35A08F4695EB50AB11F84436AF3A4FF48754F900435E9AE427E9DF7CE044E7A8

Function 02B0FA65 Relevance: 10.9, APIs: 7, Instructions: 423COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 02B0FA90
_get_daylight.LIBCMT ref: 02B0FAA6

Part of subcall function 02B10801: _errno.LIBCMT ref: 02B1080A
Part of subcall function 02B10801: _invalid_parameter_noinfo.LIBCMT ref: 02B10815

_get_daylight.LIBCMT ref: 02B0FABB

Part of subcall function 02B107A1: _errno.LIBCMT ref: 02B107AA
Part of subcall function 02B107A1: _invalid_parameter_noinfo.LIBCMT ref: 02B107B5

_get_daylight.LIBCMT ref: 02B0FAD0

Part of subcall function 02B107D1: _errno.LIBCMT ref: 02B107DA
Part of subcall function 02B107D1: _invalid_parameter_noinfo.LIBCMT ref: 02B107E5

___lc_codepage_func.LIBCMT ref: 02B0FADD

Part of subcall function 02B0A241: _getptd.LIBCMT ref: 02B0A245

Part of subcall function 02B170F1: __wtomb_environ.LIBCMT ref: 02B17121

free.LIBCMT ref: 02B0FB4E

Part of subcall function 02B04D51: _errno.LIBCMT ref: 02B04D71

free.LIBCMT ref: 02B0FBB7

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_get_daylight_invalid_parameter_noinfo$free$___lc_codepage_func__wtomb_environ_getptd_lock
String ID:
API String ID: 4268574505-0
Opcode ID: 7159bc568df38b9c3179c3a6b8ecde503eabb8b4a7846a162cf2957cd589cd5c
Instruction ID: bc6453b8c167a81e3b0ec084be84bf0c82d0c50a09556d98e9427a6e8d14f906
Opcode Fuzzy Hash: 7159bc568df38b9c3179c3a6b8ecde503eabb8b4a7846a162cf2957cd589cd5c
Instruction Fuzzy Hash: C5C1C5307187444FD73AEF28D89137ABBD6FB89714F5456AE98CBC3691DF3094028A86

Function 02C5E590 Relevance: 10.6, APIs: 7, Instructions: 142COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02C5E5F4

Part of subcall function 02C5A860: Sleep.KERNEL32 ref: 02C5A8A5

free.LIBCMT ref: 02C5E672
free.LIBCMT ref: 02C5E6B9
GetLocaleInfoW.KERNEL32 ref: 02C5E6F0
GetLocaleInfoW.KERNEL32 ref: 02C5E71A
free.LIBCMT ref: 02C5E727
GetLocaleInfoW.KERNEL32 ref: 02C5E752

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoLocalefree$ErrorLastSleep
String ID:
API String ID: 3746651342-0
Opcode ID: f411498c33e338e04b103db1a04ef947ba4a4d6889c3b4acdbdfe8f2a9a6c589
Instruction ID: 306a11e595276f7cdce4ccdc4954e6fabd62c6f96669557dae22c90b357ccb57
Opcode Fuzzy Hash: f411498c33e338e04b103db1a04ef947ba4a4d6889c3b4acdbdfe8f2a9a6c589
Instruction Fuzzy Hash: 96412A2271176942E7349B23A914B3B62D5BBC8BCCF405125CE4947F49EF3DC645CB49

Function 02C4E03A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 02C4E067
ClearEventLogW.ADVAPI32 ref: 02C4E07A
CloseEventLog.ADVAPI32 ref: 02C4E083

Strings

Security, xrefs: 02C4E045
System, xrefs: 02C4E050
Application, xrefs: 02C4E03A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 3bc1dfbc75c3ebd05fd2da803e87ea6cab878e66fd4d64df736414c5c99f1579
Instruction ID: 3a2ef120ed91aacea7fe57314111757fcba6e362f9e1c52d4d80a94f5c97cf85
Opcode Fuzzy Hash: 3bc1dfbc75c3ebd05fd2da803e87ea6cab878e66fd4d64df736414c5c99f1579
Instruction Fuzzy Hash: 6DF0FF3660AB40C5EB25DB25F84879973A8FB48759F45913ACD5E03B24EE38C155D740

Function 02C5C1C4 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 02C5C231
RtlLookupFunctionEntry.KERNEL32 ref: 02C5C249
RtlVirtualUnwind.KERNEL32 ref: 02C5C283
IsDebuggerPresent.KERNEL32 ref: 02C5C2B9
SetUnhandledExceptionFilter.KERNEL32 ref: 02C5C2C3
UnhandledExceptionFilter.KERNEL32 ref: 02C5C2CE

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 3d258a40fe85b90a637c04ac03ec31110b46b64e3441f59e6290187bd834b7bf
Instruction ID: dd5c1f78a91a63a0df8ea5349821b8574de09e94aec749d16f5fa0b7f0ae349a
Opcode Fuzzy Hash: 3d258a40fe85b90a637c04ac03ec31110b46b64e3441f59e6290187bd834b7bf
Instruction Fuzzy Hash: 50313E32214F8186DB60CF65E8447AE73A5F7897A8F50022AEE9D47B58DF38C695CB04

Function 02C48E00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C48E13
OpenProcessToken.ADVAPI32 ref: 02C48E26
LookupPrivilegeValueW.ADVAPI32 ref: 02C48E55
AdjustTokenPrivileges.ADVAPI32 ref: 02C48E9A

Strings

SeDebugPrivilege, xrefs: 02C48E4C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: e89a9577fea48bf07b96b5dd8fdb992d40661bb12393655a7267710922112fa6
Instruction ID: b032fd7d4c3896377900c4980cd8d2f0cb041e54a8f5913e38c381a5dec7bbba
Opcode Fuzzy Hash: e89a9577fea48bf07b96b5dd8fdb992d40661bb12393655a7267710922112fa6
Instruction Fuzzy Hash: 8E111C76219B8182EB109F65F84978EB3A1F7C9B48F84101AEA8E47B18DF7DC159CB00

Function 02C43BA0 Relevance: 7.8, APIs: 5, Instructions: 251memorytimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 02C43C6A
VirtualAlloc.KERNEL32 ref: 02C43CDF
VirtualFree.KERNEL32 ref: 02C43D19
VirtualAlloc.KERNEL32 ref: 02C43E75
VirtualFree.KERNEL32 ref: 02C43EAA

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree$Timetime
String ID:
API String ID: 3637049079-0
Opcode ID: 315d6375471e1a4f99404568f3a68aecd704ec3ded472f731a93e9d2a0cb6b08
Instruction ID: 0549a4c73453957a4043e326179febb6d1a082d37f6060bfa32330dce7cbb9f7
Opcode Fuzzy Hash: 315d6375471e1a4f99404568f3a68aecd704ec3ded472f731a93e9d2a0cb6b08
Instruction Fuzzy Hash: 2A91EF72310AD497CB19DF2AD154B2E77A6FB84B84B148529DE0A87B44EF34D5A1CB80

Function 02C45930 Relevance: 7.8, APIs: 5, Instructions: 250memorytimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 02C45A08
VirtualAlloc.KERNEL32 ref: 02C45A83
VirtualFree.KERNEL32 ref: 02C45ABD
VirtualAlloc.KERNEL32 ref: 02C45C27
VirtualFree.KERNEL32 ref: 02C45C5C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree$Timetime
String ID:
API String ID: 3637049079-0
Opcode ID: 84916634be90c530f7462dae8c686f5c956e195b309b681075306a52318ba857
Instruction ID: df2006b8fa10cb9387bb1cada17e2835c2fdf72413bee4ccb771b4da5670d3dd
Opcode Fuzzy Hash: 84916634be90c530f7462dae8c686f5c956e195b309b681075306a52318ba857
Instruction Fuzzy Hash: 9891F372310A949BCB1DCF2AD184B6E73A5F794BC4F848529DE0A87714EF34D9A1C780

Function 02C65D50 Relevance: 7.7, APIs: 5, Instructions: 165COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C65D77

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

GetLocaleInfoA.KERNEL32 ref: 02C65DAC
GetLocaleInfoA.KERNEL32 ref: 02C65E04
GetLocaleInfoA.KERNEL32 ref: 02C65EF8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoLocale$_amsg_exit_getptd
String ID:
API String ID: 3133215516-0
Opcode ID: f3123c2221976c618b7d76a248a557ec73608dd870584710d301b4c347307875
Instruction ID: 7bf1c826c4e23aaa6f29c365b116415ad51a41bbaf60e783c6365cefa95b5dd2
Opcode Fuzzy Hash: f3123c2221976c618b7d76a248a557ec73608dd870584710d301b4c347307875
Instruction Fuzzy Hash: 87618D72300AC1EBDB198B61DA9C7EDB3A1F7C8389F90412ADB1987644CB39E165CB00

Function 02C673F4 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 02C6743F
GetLocaleInfoW.KERNEL32 ref: 02C674D0
WideCharToMultiByte.KERNEL32 ref: 02C6750B
free.LIBCMT ref: 02C6751F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoLocale$ByteCharMultiWidefree
String ID:
API String ID: 40707599-0
Opcode ID: 9d849a486a771a2ba975f60ce01952f084c2181aa9eeb1ca35fe4748fd4a6f39
Instruction ID: ba61ac81d5c51426258ccfe4ff08ebcd4c20157a07eeb1b27a795ae51b083a1d
Opcode Fuzzy Hash: 9d849a486a771a2ba975f60ce01952f084c2181aa9eeb1ca35fe4748fd4a6f39
Instruction Fuzzy Hash: DC318532600B8086DB108F26D888779B796F784BECF484A15EF5E47F94DB38C545CB10

Function 02C5B0BC Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C5B0F5

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

Part of subcall function 02C5AE80: _getptd.LIBCMT ref: 02C5AEBA

Part of subcall function 02C5A7E0: malloc.LIBCMT ref: 02C5A80B
Part of subcall function 02C5A7E0: Sleep.KERNEL32 ref: 02C5A81E

free.LIBCMT ref: 02C5B352
free.LIBCMT ref: 02C5B389
free.LIBCMT ref: 02C5B396

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$_getptd$Sleep_amsg_exitmalloc
String ID:
API String ID: 1310838139-0
Opcode ID: 82d67bd4074a8292135078b0dbf5279acc9a43100bda11809bbff80ac0b4c86f
Instruction ID: 062de8af8a7bbb92f588aed06e268487f18ef754585f6282fed044484cd27134
Opcode Fuzzy Hash: 82d67bd4074a8292135078b0dbf5279acc9a43100bda11809bbff80ac0b4c86f
Instruction Fuzzy Hash: 32910E32305B949ADB24DF26E58479EBBA1F788788F504126EF4E47B18EF38D581CB00

Function 00007FF7F8E06130 Relevance: 5.8, Strings: 4, Instructions: 796COMMONLIBRARYCODE

Download Yara Rule

Strings

1#SNAN, xrefs: 00007FF7F8E0621A
1#IND, xrefs: 00007FF7F8E0625F
1#QNAN, xrefs: 00007FF7F8E062CD
1#INF, xrefs: 00007FF7F8E06296

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: e04492fe7783e9350fb6ad516c2b891bc40bfb42d811b819843ac43adcea1734
Instruction ID: e32da79011ef7945428703f649c953d98e09ffd3d48bce78e636a3717dac811a
Opcode Fuzzy Hash: e04492fe7783e9350fb6ad516c2b891bc40bfb42d811b819843ac43adcea1734
Instruction Fuzzy Hash: C562F877F183528BF7149FB48000BBDB7B1BB54348F804835DE2A57AD8DA38A915D7A8

Function 02C6BD50 Relevance: 5.8, Strings: 4, Instructions: 795COMMONLIBRARYCODE

Download Yara Rule

Strings

1#INF, xrefs: 02C6BEB6
1#QNAN, xrefs: 02C6BEED
1#SNAN, xrefs: 02C6BE3A
1#IND, xrefs: 02C6BE7F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 88125a201e65d8ed1bd1aa500e04f75a90837a246ad31d7ce44a8951280eefc8
Instruction ID: dd73a85ace16031b35fe249eb28d22b082f5d63c271f7035f53886f9aed63b97
Opcode Fuzzy Hash: 88125a201e65d8ed1bd1aa500e04f75a90837a246ad31d7ce44a8951280eefc8
Instruction Fuzzy Hash: 2652D077B246918FE724CFB5C098BBD37B2B79474CB40901ADE86A7A48E7348B15CB44

Function 02B104D1 Relevance: 4.8, APIs: 3, Instructions: 302COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B104F2
_invalid_parameter_noinfo.LIBCMT ref: 02B104FE
_errno.LIBCMT ref: 02B1052B

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: a727305f7ab2d231e16c0c1e18c561513dfc79dc93774605cde997b43438ff15
Instruction ID: c6d50ed6b8d6eeebe2af0b73bc9811bbd044c4cbc8f89bc7a40c1e7c1ce083e4
Opcode Fuzzy Hash: a727305f7ab2d231e16c0c1e18c561513dfc79dc93774605cde997b43438ff15
Instruction Fuzzy Hash: 2C812971764D0A4FD70CAE2C8CAA2B436C6E7D831575896BFE847CF7A6E934D4828640

Function 02C60A00 Relevance: 4.7, APIs: 3, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C60A21
_invalid_parameter_noinfo.LIBCMT ref: 02C60A2D
_errno.LIBCMT ref: 02C60A5A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 5302ddf32cfdaea319d3eae1ccb86372f1c86f96e15f9b218755445e13fbde08
Instruction ID: 83fc23048673dd5cb85552af54a4e50ba15497324f53df914199b33a9afa92b6
Opcode Fuzzy Hash: 5302ddf32cfdaea319d3eae1ccb86372f1c86f96e15f9b218755445e13fbde08
Instruction Fuzzy Hash: 20612BB2B1164A4BCF1C8F29D8557786256F7D8788F48D136EA0A8F794FB3CE6018740

Function 02C63650 Relevance: 4.7, APIs: 3, Instructions: 199fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02C6368A

Part of subcall function 02C62988: _errno.LIBCMT ref: 02C62991
Part of subcall function 02C62988: _invalid_parameter_noinfo.LIBCMT ref: 02C6299C

ReadFile.KERNEL32 ref: 02C63777

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: FileRead_errno_fileno_invalid_parameter_noinfo
String ID:
API String ID: 1416837532-0
Opcode ID: 309e42a65739554cb7027ffa9ae403e92d91995be6d779599bdefef1943cc8b0
Instruction ID: aeb3117b64582f2a11d3ecbacf9414613b015b6d9b897b32bc35e4ad500eb60e
Opcode Fuzzy Hash: 309e42a65739554cb7027ffa9ae403e92d91995be6d779599bdefef1943cc8b0
Instruction Fuzzy Hash: FD71E222705BC49AEB21CF25D5CC3B96BA1FB84FD8F48559ADE4A07B94DB39C182C700

Function 02C66020 Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C66042

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

GetLocaleInfoA.KERNEL32 ref: 02C66077

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: 7a4bdbe237ab676890a3ead7a57c4d4f21b5585354efe19da6d086acf39470f5
Instruction ID: 6ee05e9805728315eda3412a3e35c0e198adb5569df9f8ab701aef4c8fff31d6
Opcode Fuzzy Hash: 7a4bdbe237ab676890a3ead7a57c4d4f21b5585354efe19da6d086acf39470f5
Instruction Fuzzy Hash: 33219432704AC197EB289B25E9997E9B3A5F7C8749F504126C71A87744DF3CD164CB00

Function 02AFE6B1 Relevance: 4.2, Strings: 3, Instructions: 440COMMON

Download Yara Rule

Strings

gfff, xrefs: 02AFE789
, xrefs: 02AFE87D
gfff, xrefs: 02AFE7AF

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: malloc
String ID: $gfff$gfff
API String ID: 2803490479-4202476792
Opcode ID: 257e01863ca11b1cadb907d1c4591d5c9f1f35a1bc80c96a1e8e6b6bf0ab3bac
Instruction ID: a34387c47cafccd26a0046582bf526bd1937711dfb515033c016fa9c92e960d1
Opcode Fuzzy Hash: 257e01863ca11b1cadb907d1c4591d5c9f1f35a1bc80c96a1e8e6b6bf0ab3bac
Instruction Fuzzy Hash: 3AD1B470A14B088FDB59EF78D48936DB7F2FF59305F50422AA54AE7251EF389842CB81

Function 02C6B4EC Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C6B54F
_invalid_parameter_noinfo.LIBCMT ref: 02C6B55A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ae4538f1a2572c5f67e6bc6f8f9159affb98521cd537506b2088318c8aa4d645
Instruction ID: e53342e60cfc76ea99c5ac0eb7ce36c30e14389796d71f4ce69e8f47f0129196
Opcode Fuzzy Hash: ae4538f1a2572c5f67e6bc6f8f9159affb98521cd537506b2088318c8aa4d645
Instruction Fuzzy Hash: B722EF77B146458AEB288F6AD0D8BFC3762B79474CF84001ADE46B7B95D7398E46C700

Function 00007FF7F8E058CC Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8E0592F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E0593A

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 83054cf6376330cdffa8c0059fbe92ae39825d7729f5d374ebb6e6e75b54dafc
Instruction ID: 4bf210d02c0b31c4b74f9a3e23ff0629bf0a246981caac518c77fc5a92edc1b7
Opcode Fuzzy Hash: 83054cf6376330cdffa8c0059fbe92ae39825d7729f5d374ebb6e6e75b54dafc
Instruction Fuzzy Hash: 9232C872E0C2468AF7249F6488407BCE7A2BB10348FD44436CE7B776C5CA3DA945E799

Function 02B0FEE5 Relevance: 3.3, APIs: 2, Instructions: 311COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 02B10157
_get_daylight.LIBCMT ref: 02B101DD

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _get_daylight
String ID:
API String ID: 4143689357-0
Opcode ID: 65a60c61c288ee5ec1fa32ff6f7ce43a8cb756956cff9c9d544f6ad1e4491dfb
Instruction ID: 5172556f3bb5c4ff67451543397f9649933165f9f7dd631a823489ed1b992d2f
Opcode Fuzzy Hash: 65a60c61c288ee5ec1fa32ff6f7ce43a8cb756956cff9c9d544f6ad1e4491dfb
Instruction Fuzzy Hash: 8A917471B1460A4FC70CEE28DC926B577DAF399304B18C57EEC87CB695EA30E5428A81

Function 02B0B9AD Relevance: 3.2, APIs: 2, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 02B0B9F2
_set_error_mode.LIBCMT ref: 02B0BA03

Part of subcall function 02B059D9: _errno.LIBCMT ref: 02B059F8
Part of subcall function 02B059D9: _invalid_parameter_noinfo.LIBCMT ref: 02B05A04

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _set_error_mode$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1239817535-0
Opcode ID: bec6e322233c2a72ef1b69bf324003f95e38173e60baee35a0643b7f6f4324e7
Instruction ID: 7734e532db980d8d21edb9080666160c2ad84facbfbb2e528783c06168326a88
Opcode Fuzzy Hash: bec6e322233c2a72ef1b69bf324003f95e38173e60baee35a0643b7f6f4324e7
Instruction Fuzzy Hash: 0C51F631718A0C4BD72EFF28A89526A77D6FB98308B5086AED49BC31D5DF34C5068B46

Function 02C60414 Relevance: 3.2, APIs: 2, Instructions: 235COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 02C60686

Part of subcall function 02C60D00: _errno.LIBCMT ref: 02C60D09
Part of subcall function 02C60D00: _invalid_parameter_noinfo.LIBCMT ref: 02C60D14

_get_daylight.LIBCMT ref: 02C6070C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _get_daylight$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3559991230-0
Opcode ID: 52ea9ba5fbf5ede55e2a5c23ec7a03d404610338de9f7afb62735d1d5f3e1368
Instruction ID: 924339f7b5183eae3345b2c32b9808fbe6ca00f1199ed93cbb39c31a50804c03
Opcode Fuzzy Hash: 52ea9ba5fbf5ede55e2a5c23ec7a03d404610338de9f7afb62735d1d5f3e1368
Instruction Fuzzy Hash: 6E813672B146544BD31CCF29ED99BB86756F3D8344F449136EE069BB94EB38E600CB40

Function 02C65BD8 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C65BFF

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

GetLocaleInfoA.KERNEL32 ref: 02C65C34

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoLocale_amsg_exit_getptd
String ID:
API String ID: 488165793-0
Opcode ID: a79cb05d7a59cd07edb9214c990442f87c4db8d832ef21515e078df8ae412a83
Instruction ID: 4ba6ddbda5fc13f40fdc8d37a28808259720220cca06122d184a972983ee07c9
Opcode Fuzzy Hash: a79cb05d7a59cd07edb9214c990442f87c4db8d832ef21515e078df8ae412a83
Instruction Fuzzy Hash: 1511D072300B8196DB28CF25E8897EE73A2F7CCB88F944126DA5E87714DB38D565CB00

Function 02C4E097 Relevance: 3.0, APIs: 2, Instructions: 23shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 02C48BE0: GetModuleFileNameW.KERNEL32 ref: 02C48C0B
Part of subcall function 02C48BE0: GetCommandLineW.KERNEL32 ref: 02C48C11
Part of subcall function 02C48BE0: GetStartupInfoW.KERNEL32 ref: 02C48C1F
Part of subcall function 02C48BE0: CreateProcessW.KERNEL32 ref: 02C48C62
Part of subcall function 02C48BE0: ExitProcess.KERNEL32 ref: 02C48C6B

ExitProcess.KERNEL32 ref: 02C4E09F

Part of subcall function 02C492E0: GetCurrentProcess.KERNEL32 ref: 02C492F7
Part of subcall function 02C492E0: OpenProcessToken.ADVAPI32 ref: 02C4930A
Part of subcall function 02C492E0: LookupPrivilegeValueW.ADVAPI32 ref: 02C49335
Part of subcall function 02C492E0: AdjustTokenPrivileges.ADVAPI32 ref: 02C49358
Part of subcall function 02C492E0: GetLastError.KERNEL32 ref: 02C4935E
Part of subcall function 02C492E0: CloseHandle.KERNEL32 ref: 02C4936D

ExitWindowsEx.USER32 ref: 02C4E0B5

Part of subcall function 02C492E0: CloseHandle.KERNEL32 ref: 02C49388

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process$Exit$CloseHandleToken$AdjustCommandCreateCurrentErrorFileInfoLastLineLookupModuleNameOpenPrivilegePrivilegesStartupValueWindows
String ID:
API String ID: 2667809516-0
Opcode ID: b3d21a28ab8203c73efd544b6153422eeffcacae9f052cfca13134f61e2c620e
Instruction ID: baba384a30a3336bacf189697b18464cdce5586a38743119cb0233d3f51755b6
Opcode Fuzzy Hash: b3d21a28ab8203c73efd544b6153422eeffcacae9f052cfca13134f61e2c620e
Instruction Fuzzy Hash: F1E04F7620844085E729A735B9597AF6211BB407A4F04812B8E5B02D84CE38C0D6C610

Function 02AF8991 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

@, xrefs: 02AF8C36
h, xrefs: 02AF89FC

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: @$h
API String ID: 0-1029331998
Opcode ID: 358b050d685c7cb6894111cd8e9f28b6b6c6eb8fd1bfa1ed20978f7fec48c2c2
Instruction ID: 388006eccee906edaf683299eb1b09f4e83d8f98dc1e8058333ba3a5cf9309f2
Opcode Fuzzy Hash: 358b050d685c7cb6894111cd8e9f28b6b6c6eb8fd1bfa1ed20978f7fec48c2c2
Instruction Fuzzy Hash: B4B19970618B488FEB69EF68D8993AA77E5FB98305F10052EA54BC3150DF3CD546CB82

Function 02AFBC71 Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

<, xrefs: 02AFBCF8
<, xrefs: 02AFBCFF

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: <$<
API String ID: 0-213342407
Opcode ID: dd92d63dcdd426f59a9e2fa5ae2e36dc6ecd9943a307a728b4c21ce2e3eda32d
Instruction ID: b4450ee39c0c7f96db51f8099ab1f1852006a5e470ca553d4605cb5b5772752a
Opcode Fuzzy Hash: dd92d63dcdd426f59a9e2fa5ae2e36dc6ecd9943a307a728b4c21ce2e3eda32d
Instruction Fuzzy Hash: B89118B05547098FDBA8DF28D4D43953BE5FB08704F1842BEAD0ECE29ADF7885458BA0

Function 02AFEFF1 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

, xrefs: 02AFF093
h, xrefs: 02AFF1D5

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: $h
API String ID: 0-1972213566
Opcode ID: 139f1a407b2d328bfd50579990b57c49ae2f375fd998e8cadf9efc8e2fa61e9f
Instruction ID: fc613c58d32890faa99598d04e40c5e35270e6c4da8311ba9ec454c38bf4a4d2
Opcode Fuzzy Hash: 139f1a407b2d328bfd50579990b57c49ae2f375fd998e8cadf9efc8e2fa61e9f
Instruction Fuzzy Hash: 2061D731514A4D8FEB69FF58C8946EEB7A5FBA8304F40422AE54BD3590DF38D506CB82

Function 02AF9121 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 02AF924F
h, xrefs: 02AF9195

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: @$h
API String ID: 0-1029331998
Opcode ID: 73e096c04b7ac91e4f4ddcf25b2638513d8ffedd270eb0e705266d52b718efac
Instruction ID: 0238604a7ec890bf33e85d4c495f6d1d2aeb44aaf7a1efa4863c47a641f20dde
Opcode Fuzzy Hash: 73e096c04b7ac91e4f4ddcf25b2638513d8ffedd270eb0e705266d52b718efac
Instruction Fuzzy Hash: FE519E70518B898FDB64EF58DC857ABB7E1FB98305F10462EA58AC3250DF78E505CB82

Function 02AF6261 Relevance: 2.0, APIs: 1, Instructions: 508COMMON

Download Yara Rule

APIs

Part of subcall function 02B04E49: malloc.LIBCMT ref: 02B04E63

Part of subcall function 02B05DC5: _errno.LIBCMT ref: 02B05DE3
Part of subcall function 02B05DC5: _invalid_parameter_noinfo.LIBCMT ref: 02B05DEF

Part of subcall function 02B05DC5: _errno.LIBCMT ref: 02B05E31

_localtime64.LIBCMT ref: 02AF6720

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_localtime64malloc
String ID:
API String ID: 1702167547-0
Opcode ID: c5b4f4277aaa9297e0fe623575a3fb09da6160c7b2addc55117edda21951fe1f
Instruction ID: 16bc452ad31086c53073be7e5a1004c79dd3766be754e64e02963de4eeb1ed68
Opcode Fuzzy Hash: c5b4f4277aaa9297e0fe623575a3fb09da6160c7b2addc55117edda21951fe1f
Instruction Fuzzy Hash: FF028431614A088FDB69EF64DC89AEAB7E5FB58300F50462AE45BC3260DF34E645CF81

Function 02C42850 Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 02C4299A, 02C42EF8, 02C4305F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 0bc9ff0f179f0640927e28c222b33d2ac1d82dab54c563a82b986612fe2dcdf6
Instruction ID: 2180ff51e4fa3cef1629106baeba2264633614bec3bde3a5fe0b62199e8c20bf
Opcode Fuzzy Hash: 0bc9ff0f179f0640927e28c222b33d2ac1d82dab54c563a82b986612fe2dcdf6
Instruction Fuzzy Hash: FE428C736092C48BC329CF29A44079EBFA0F3A5B48F488129DBC587B45DB78E995CB51

Function 00007FF7F8DF2880 Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00007FF7F8DF29CA, 00007FF7F8DF2F28, 00007FF7F8DF308F

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 1ed3bb2f404239d74be1f07793ca469e9cb85950aa033daddafdfd33a72f81d3
Instruction ID: 06d8637b4a35f7e44341b407cbcec5a2ba6a9271e59067e78922ca7d0cfa0041
Opcode Fuzzy Hash: 1ed3bb2f404239d74be1f07793ca469e9cb85950aa033daddafdfd33a72f81d3
Instruction Fuzzy Hash: A052D2336092C58FC329CF28E44069DBBA0F759B44F448039DBD987B89DB78E959DB60

Function 02C5AE80 Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C5AEBA

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

Part of subcall function 02C5BA30: _errno.LIBCMT ref: 02C5BA48
Part of subcall function 02C5BA30: _invalid_parameter_noinfo.LIBCMT ref: 02C5BA54

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 1050512615-0
Opcode ID: fedb899bdb91596af6e6ee0e969ea8dc5925a75702ece9bdec94cea29fba6568
Instruction ID: 24f3d2a3e779761be92d866ccbf3660d929bc4e1bc8451b4411e6ece0fb77d53
Opcode Fuzzy Hash: fedb899bdb91596af6e6ee0e969ea8dc5925a75702ece9bdec94cea29fba6568
Instruction Fuzzy Hash: 4F51E8B23146A146EF24DB22A55076BAB56FBC4BC8F448521EF4A47B08EF39C185CB48

Function 02C65CC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 02C65CF4

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 57db738d57153fc7c429c22cf91e7162c30465e9021a82ee78624aa2695d2ded
Instruction ID: 2daf68b92c741509236e6bd7b20a75d0855b59971e79bf4d8511412e50cc1bfb
Opcode Fuzzy Hash: 57db738d57153fc7c429c22cf91e7162c30465e9021a82ee78624aa2695d2ded
Instruction Fuzzy Hash: FC01B132214A8186E7244B6AE6CC3B93761F3C5BC8FA84021DF8A4B389CB24C682C744

Function 02C66150 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 02C661A0

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a806821e78272caffabb9aa5d16819259c944b66b3d383c3c5fc35bed0f95a7c
Instruction ID: fea4d0f2510be2b7a9fbc35d987e184c6bc3dc4926d7b14afc306e6b593d2c20
Opcode Fuzzy Hash: a806821e78272caffabb9aa5d16819259c944b66b3d383c3c5fc35bed0f95a7c
Instruction Fuzzy Hash: 40015672A007048BEB198F31D89D37D3795E784B4DF684415CE4906296CBBCC6E9D781

Function 02C661E8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 02C6621D

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 877d5119e145bca4dbe67ff3c00607a04366f90a80b08fa67d988f9d8e585d44
Instruction ID: 43de9d1fe2ab08a2e4a05232c340211ee55360d7ed7947ee010da43cfb6e3caf
Opcode Fuzzy Hash: 877d5119e145bca4dbe67ff3c00607a04366f90a80b08fa67d988f9d8e585d44
Instruction Fuzzy Hash: 66F0BBF2B0464447F7188B35D49D3BA3796EBD4B49F388011CB4942385C77CC2E58681

Function 02C4E0C7 Relevance: 1.5, APIs: 1, Instructions: 18shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 02C492E0: GetCurrentProcess.KERNEL32 ref: 02C492F7
Part of subcall function 02C492E0: OpenProcessToken.ADVAPI32 ref: 02C4930A
Part of subcall function 02C492E0: LookupPrivilegeValueW.ADVAPI32 ref: 02C49335
Part of subcall function 02C492E0: AdjustTokenPrivileges.ADVAPI32 ref: 02C49358
Part of subcall function 02C492E0: GetLastError.KERNEL32 ref: 02C4935E
Part of subcall function 02C492E0: CloseHandle.KERNEL32 ref: 02C4936D

ExitWindowsEx.USER32 ref: 02C4E0D6

Part of subcall function 02C492E0: CloseHandle.KERNEL32 ref: 02C49388

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: c5437afb9a504350283759be5a2e2ba688f67b11f6b02529b8aed3acffafb6b3
Instruction ID: 96b985778e16bd9377c1fbfa53a42d39ed32edf6a23cea1aac9c9270326800f5
Opcode Fuzzy Hash: c5437afb9a504350283759be5a2e2ba688f67b11f6b02529b8aed3acffafb6b3
Instruction Fuzzy Hash: FED05E37248450C5F776AB66F806BAFB611BB947B4F4481378EAE03981CE38C0DACB04

Function 02C4E0E8 Relevance: 1.5, APIs: 1, Instructions: 18shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 02C492E0: GetCurrentProcess.KERNEL32 ref: 02C492F7
Part of subcall function 02C492E0: OpenProcessToken.ADVAPI32 ref: 02C4930A
Part of subcall function 02C492E0: LookupPrivilegeValueW.ADVAPI32 ref: 02C49335
Part of subcall function 02C492E0: AdjustTokenPrivileges.ADVAPI32 ref: 02C49358
Part of subcall function 02C492E0: GetLastError.KERNEL32 ref: 02C4935E
Part of subcall function 02C492E0: CloseHandle.KERNEL32 ref: 02C4936D

ExitWindowsEx.USER32 ref: 02C4E0F7

Part of subcall function 02C492E0: CloseHandle.KERNEL32 ref: 02C49388

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 7695e8de455b47fc7c4015bd84d56b1e415436a0ef6b3387a5f0b89aca7faf0b
Instruction ID: 5b773c27964da7725445270127a2f2b8b853ab6d043b6f385fea10d714d68c7d
Opcode Fuzzy Hash: 7695e8de455b47fc7c4015bd84d56b1e415436a0ef6b3387a5f0b89aca7faf0b
Instruction Fuzzy Hash: E9D05E37248454C5F776AB25F805BAFB211BB947B4F4581378EAE03981CE38C0DADB04

Function 02AF2E31 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

0u, xrefs: 02AF3016

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: 0u
API String ID: 0-3203441087
Opcode ID: 4f7a807c7884c06512dd7a6c626225b68cdc165c41f7ec5e4356e260b87f41df
Instruction ID: 7a5de61e4dff4d56ac9b86e5cb3e3d000f41290030337cfda7d43c4c0d266c51
Opcode Fuzzy Hash: 4f7a807c7884c06512dd7a6c626225b68cdc165c41f7ec5e4356e260b87f41df
Instruction Fuzzy Hash: FB91727051CB448FD764DF68D48576BB7E1FB99704F20492EE58AC3250DB34E446CB86

Function 00007FF7F8DFCF6C Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F8DFCF77

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9a8ff2a500159e3ed63b44506368299f85c51e85dfafb5f360626af238714718
Instruction ID: dabeb2ae2b5c7a4829a279be4f9c1ff32a0bd830a472893973efb52b6ee61de1
Opcode Fuzzy Hash: 9a8ff2a500159e3ed63b44506368299f85c51e85dfafb5f360626af238714718
Instruction Fuzzy Hash: 54B09211F26412C1D708BB21AC810A0D2A06F6C321FC00830C02E801A0DE2C91EFA754

Function 02B016C1 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

<, xrefs: 02B01837

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 077f69fdd06265c26d877f1f5843b9613f2a9da1eade7d2aef4c89599cd222c9
Instruction ID: ae48a6f4e7f5abece32440707838f1bdc3350917f1565cb68002ef429e5c2d2b
Opcode Fuzzy Hash: 077f69fdd06265c26d877f1f5843b9613f2a9da1eade7d2aef4c89599cd222c9
Instruction Fuzzy Hash: D7519730314A088FE749DF28E889B9677E5FB95304F40816EE44BC76A0DF39E445CB42

Function 02C5AA5C Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

_.,, xrefs: 02C5AADC

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: _.,
API String ID: 0-2709443920
Opcode ID: 20ea197299b378448de38120ea43e05a2a59677407c39c99d419746b8418e36c
Instruction ID: c510ba945ca1e9c4a0905e669ceb2501b640028356c707c6d0c6f1ead5702546
Opcode Fuzzy Hash: 20ea197299b378448de38120ea43e05a2a59677407c39c99d419746b8418e36c
Instruction Fuzzy Hash: 3F412332244BA54AEB38DE73D915B6A3713E3C4788F488716DF8982A45DF79C2C1CB48

Function 02AF2321 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577dbf38f9836090b25adf45b9ef5395d5e3ed3af2fa4e457b5ccb6cbb212996
Instruction ID: 2c5d7a45fbdcc41f651c72465d66b61dcaf9f4633707ca529046a81c86bfbc2f
Opcode Fuzzy Hash: 577dbf38f9836090b25adf45b9ef5395d5e3ed3af2fa4e457b5ccb6cbb212996
Instruction Fuzzy Hash: 84529F302187858FD769CF5C84816A5BBE0FB59300F54896DEDCACB742DB74E846CB92

Function 02C4B050 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0b285a1c183d9ed15233d5e90f35ef3308b6f5fd0085757d0cf32db775e372
Instruction ID: b3a2a1e4f931b53d79908b5f0b8e86ec3c8a12d890d84c594f8d6f833ed919f5
Opcode Fuzzy Hash: 3d0b285a1c183d9ed15233d5e90f35ef3308b6f5fd0085757d0cf32db775e372
Instruction Fuzzy Hash: 5522D577B785504BD71CCB19E892FA977A2F394308749A52CEA17D3F44DA3DEA06CA00

Function 02B01091 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$malloc
String ID:
API String ID: 610097836-0
Opcode ID: d8c1d2824fdf26bac285bba075242ff27231a96c61992707bff1d5ac2219e7e9
Instruction ID: 0593a5c9cd8008484dca36999109043df21c2a31084ffeb89e09aef9780e48c9
Opcode Fuzzy Hash: d8c1d2824fdf26bac285bba075242ff27231a96c61992707bff1d5ac2219e7e9
Instruction Fuzzy Hash: 28F16530518B488FE71AEF28E8856AA7BF5FB99305F40466ED44BC71A0DF389545CF82

Function 02AF3671 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa0175b8b6f08b8c9ecdc74782b28c8b32354c9a2c83be618f6627b7f47bdf9
Instruction ID: 43797936eb020a8d7b5a864c2079ad01825ceddf94ae501876f9b0053c5a9dfc
Opcode Fuzzy Hash: 6fa0175b8b6f08b8c9ecdc74782b28c8b32354c9a2c83be618f6627b7f47bdf9
Instruction Fuzzy Hash: 9CB1BE30618E498BDF8DEF6CC495A75B3E1FB8530171046A9EA5AC7645DF38E892CBC0

Function 02AF5401 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169c863b51fcf6167b5fe823ea54d9709b69dcd928fd84d454ce5827a6fee8e2
Instruction ID: 5b87eee75c0fd736fd64ccc71aa8b6896e2079370be022689e8fa69dcb267980
Opcode Fuzzy Hash: 169c863b51fcf6167b5fe823ea54d9709b69dcd928fd84d454ce5827a6fee8e2
Instruction Fuzzy Hash: 13B1F030A18E098FCB9DDF6CC485679B3E2FB85301B54862DE95AC7655DF34E892CB80

Function 02AF6FC1 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2b676108bdf634e983210c69edc8232fb219044d9aa69fb5ef76e773f646e8
Instruction ID: 08a020f96be3dd78c2cd753cfd82b1210d7eab1685b39435852a105965a0b126
Opcode Fuzzy Hash: 1d2b676108bdf634e983210c69edc8232fb219044d9aa69fb5ef76e773f646e8
Instruction Fuzzy Hash: 9EA1B030518A488FDB69EF68D885AADBBF1FF98304F10426EE54AD7165DF34D902CB81

Function 02B0A52D Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ea197299b378448de38120ea43e05a2a59677407c39c99d419746b8418e36c
Instruction ID: 61f9c48088fe6488606df62f96d8280666d51ea09e8ac7daa2204b939f4df078
Opcode Fuzzy Hash: 20ea197299b378448de38120ea43e05a2a59677407c39c99d419746b8418e36c
Instruction Fuzzy Hash: C641D631228B484FEB2AEEB8889537AB7D6FB54304F454DAD8597C31D1EF28D5414A41

Function 02C6C804 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 10c7a0c8e9403e8482e92735103ded62817db3bab5a1dfd4fb9f1c3786d7218c
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 6551D573B152A18BD7288F19E49CF6C3A99F798385B51E03ADB5297F00D775CA50CB00

Function 00007FF7F8E06C50 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: fc3be0e00e7a9cac966036909026ddfd3bc393c6601f2ef95efd68fafdd16a7a
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 96510572B183A68BE7589F08E404F68BA95F794341F91D438DB3787F90DA79DC508B84

Function 02B1481D Relevance: 107.8, APIs: 86, Instructions: 270COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02B14832

Part of subcall function 02B04D51: _errno.LIBCMT ref: 02B04D71

free.LIBCMT ref: 02B1483B
free.LIBCMT ref: 02B14844
free.LIBCMT ref: 02B1484D
free.LIBCMT ref: 02B14856
free.LIBCMT ref: 02B1485F
free.LIBCMT ref: 02B14867
free.LIBCMT ref: 02B14870
free.LIBCMT ref: 02B14879
free.LIBCMT ref: 02B14882
free.LIBCMT ref: 02B1488B
free.LIBCMT ref: 02B14894
free.LIBCMT ref: 02B1489D
free.LIBCMT ref: 02B148A6
free.LIBCMT ref: 02B148AF
free.LIBCMT ref: 02B148B8
free.LIBCMT ref: 02B148C4
free.LIBCMT ref: 02B148D0
free.LIBCMT ref: 02B148DC
free.LIBCMT ref: 02B148E8
free.LIBCMT ref: 02B148F4
free.LIBCMT ref: 02B14900
free.LIBCMT ref: 02B1490C
free.LIBCMT ref: 02B14918
free.LIBCMT ref: 02B14924
free.LIBCMT ref: 02B14930
free.LIBCMT ref: 02B1493C
free.LIBCMT ref: 02B14948
free.LIBCMT ref: 02B14954
free.LIBCMT ref: 02B14960
free.LIBCMT ref: 02B1496C
free.LIBCMT ref: 02B14978
free.LIBCMT ref: 02B14984
free.LIBCMT ref: 02B14990
free.LIBCMT ref: 02B1499C
free.LIBCMT ref: 02B149A8
free.LIBCMT ref: 02B149B4
free.LIBCMT ref: 02B149C0
free.LIBCMT ref: 02B149CC
free.LIBCMT ref: 02B149D8
free.LIBCMT ref: 02B149E4
free.LIBCMT ref: 02B149F0
free.LIBCMT ref: 02B149FC
free.LIBCMT ref: 02B14A08
free.LIBCMT ref: 02B14A14
free.LIBCMT ref: 02B14A20
free.LIBCMT ref: 02B14A2C
free.LIBCMT ref: 02B14A38
free.LIBCMT ref: 02B14A44
free.LIBCMT ref: 02B14A50
free.LIBCMT ref: 02B14A5C
free.LIBCMT ref: 02B14A68
free.LIBCMT ref: 02B14A74
free.LIBCMT ref: 02B14A80
free.LIBCMT ref: 02B14A8C
free.LIBCMT ref: 02B14A98
free.LIBCMT ref: 02B14AA4
free.LIBCMT ref: 02B14AB0
free.LIBCMT ref: 02B14ABC
free.LIBCMT ref: 02B14AC8
free.LIBCMT ref: 02B14AD4
free.LIBCMT ref: 02B14AE0
free.LIBCMT ref: 02B14AEC
free.LIBCMT ref: 02B14AF8
free.LIBCMT ref: 02B14B04
free.LIBCMT ref: 02B14B10
free.LIBCMT ref: 02B14B1C
free.LIBCMT ref: 02B14B28
free.LIBCMT ref: 02B14B34
free.LIBCMT ref: 02B14B40
free.LIBCMT ref: 02B14B4C
free.LIBCMT ref: 02B14B58
free.LIBCMT ref: 02B14B64
free.LIBCMT ref: 02B14B70
free.LIBCMT ref: 02B14B7C
free.LIBCMT ref: 02B14B88
free.LIBCMT ref: 02B14B94
free.LIBCMT ref: 02B14BA0
free.LIBCMT ref: 02B14BAC
free.LIBCMT ref: 02B14BB8
free.LIBCMT ref: 02B14BC4
free.LIBCMT ref: 02B14BD0
free.LIBCMT ref: 02B14BDC
free.LIBCMT ref: 02B14BE8
free.LIBCMT ref: 02B14BF4
free.LIBCMT ref: 02B14C00

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 9aa16b22ebdf764a21f270bcfe908f430863055a3e440207fba421ff0d466c6d
Instruction ID: d64d29c2e7b817b65e3cd3d8f308d0f44fd0046824d0fbc9d778fcc31ae25f1f
Opcode Fuzzy Hash: 9aa16b22ebdf764a21f270bcfe908f430863055a3e440207fba421ff0d466c6d
Instruction Fuzzy Hash: 6AA154306A15098FD69EEB6CC8E47AC3773BF48300F8442B58A6DCA9F6CE519C45CB95

Function 02C64D4C Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 02C64D61

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

free.LIBCMT ref: 02C64D6A
free.LIBCMT ref: 02C64D73
free.LIBCMT ref: 02C64D7C
free.LIBCMT ref: 02C64D85
free.LIBCMT ref: 02C64D8E
free.LIBCMT ref: 02C64D96
free.LIBCMT ref: 02C64D9F
free.LIBCMT ref: 02C64DA8
free.LIBCMT ref: 02C64DB1
free.LIBCMT ref: 02C64DBA
free.LIBCMT ref: 02C64DC3
free.LIBCMT ref: 02C64DCC
free.LIBCMT ref: 02C64DD5
free.LIBCMT ref: 02C64DDE
free.LIBCMT ref: 02C64DE7
free.LIBCMT ref: 02C64DF3
free.LIBCMT ref: 02C64DFF
free.LIBCMT ref: 02C64E0B
free.LIBCMT ref: 02C64E17
free.LIBCMT ref: 02C64E23
free.LIBCMT ref: 02C64E2F
free.LIBCMT ref: 02C64E3B
free.LIBCMT ref: 02C64E47
free.LIBCMT ref: 02C64E53
free.LIBCMT ref: 02C64E5F
free.LIBCMT ref: 02C64E6B
free.LIBCMT ref: 02C64E77
free.LIBCMT ref: 02C64E83
free.LIBCMT ref: 02C64E8F
free.LIBCMT ref: 02C64E9B
free.LIBCMT ref: 02C64EA7
free.LIBCMT ref: 02C64EB3
free.LIBCMT ref: 02C64EBF
free.LIBCMT ref: 02C64ECB
free.LIBCMT ref: 02C64ED7
free.LIBCMT ref: 02C64EE3
free.LIBCMT ref: 02C64EEF
free.LIBCMT ref: 02C64EFB
free.LIBCMT ref: 02C64F07
free.LIBCMT ref: 02C64F13
free.LIBCMT ref: 02C64F1F
free.LIBCMT ref: 02C64F2B
free.LIBCMT ref: 02C64F37
free.LIBCMT ref: 02C64F43
free.LIBCMT ref: 02C64F4F
free.LIBCMT ref: 02C64F5B
free.LIBCMT ref: 02C64F67
free.LIBCMT ref: 02C64F73
free.LIBCMT ref: 02C64F7F
free.LIBCMT ref: 02C64F8B
free.LIBCMT ref: 02C64F97
free.LIBCMT ref: 02C64FA3
free.LIBCMT ref: 02C64FAF
free.LIBCMT ref: 02C64FBB
free.LIBCMT ref: 02C64FC7
free.LIBCMT ref: 02C64FD3
free.LIBCMT ref: 02C64FDF
free.LIBCMT ref: 02C64FEB
free.LIBCMT ref: 02C64FF7
free.LIBCMT ref: 02C65003
free.LIBCMT ref: 02C6500F
free.LIBCMT ref: 02C6501B
free.LIBCMT ref: 02C65027
free.LIBCMT ref: 02C65033
free.LIBCMT ref: 02C6503F
free.LIBCMT ref: 02C6504B
free.LIBCMT ref: 02C65057
free.LIBCMT ref: 02C65063
free.LIBCMT ref: 02C6506F
free.LIBCMT ref: 02C6507B
free.LIBCMT ref: 02C65087
free.LIBCMT ref: 02C65093
free.LIBCMT ref: 02C6509F
free.LIBCMT ref: 02C650AB
free.LIBCMT ref: 02C650B7
free.LIBCMT ref: 02C650C3
free.LIBCMT ref: 02C650CF
free.LIBCMT ref: 02C650DB
free.LIBCMT ref: 02C650E7
free.LIBCMT ref: 02C650F3
free.LIBCMT ref: 02C650FF
free.LIBCMT ref: 02C6510B
free.LIBCMT ref: 02C65117
free.LIBCMT ref: 02C65123
free.LIBCMT ref: 02C6512F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 0020f19ff185dbff27dcfb762236250369b3a71a9d3eaf30a14737fe5e34001e
Instruction ID: 2e78ebba4fa29ef17a92fbf1b5cda1b030bc4adf8b255b8f949ddc6997671d7e
Opcode Fuzzy Hash: 0020f19ff185dbff27dcfb762236250369b3a71a9d3eaf30a14737fe5e34001e
Instruction Fuzzy Hash: 6981582225265489DB85FFF1CCA42AE2322EBC4FC4FC44132CE4D5B525CE31D9859BD6

Function 00007FF7F8E00A90 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F8E00AA5

Part of subcall function 00007FF7F8DF9030: HeapFree.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9046
Part of subcall function 00007FF7F8DF9030: _errno.LIBCMT ref: 00007FF7F8DF9050
Part of subcall function 00007FF7F8DF9030: GetLastError.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9058

free.LIBCMT ref: 00007FF7F8E00AAE
free.LIBCMT ref: 00007FF7F8E00AB7
free.LIBCMT ref: 00007FF7F8E00AC0
free.LIBCMT ref: 00007FF7F8E00AC9
free.LIBCMT ref: 00007FF7F8E00AD2
free.LIBCMT ref: 00007FF7F8E00ADA
free.LIBCMT ref: 00007FF7F8E00AE3
free.LIBCMT ref: 00007FF7F8E00AEC
free.LIBCMT ref: 00007FF7F8E00AF5
free.LIBCMT ref: 00007FF7F8E00AFE
free.LIBCMT ref: 00007FF7F8E00B07
free.LIBCMT ref: 00007FF7F8E00B10
free.LIBCMT ref: 00007FF7F8E00B19
free.LIBCMT ref: 00007FF7F8E00B22
free.LIBCMT ref: 00007FF7F8E00B2B
free.LIBCMT ref: 00007FF7F8E00B37
free.LIBCMT ref: 00007FF7F8E00B43
free.LIBCMT ref: 00007FF7F8E00B4F
free.LIBCMT ref: 00007FF7F8E00B5B
free.LIBCMT ref: 00007FF7F8E00B67
free.LIBCMT ref: 00007FF7F8E00B73
free.LIBCMT ref: 00007FF7F8E00B7F
free.LIBCMT ref: 00007FF7F8E00B8B
free.LIBCMT ref: 00007FF7F8E00B97
free.LIBCMT ref: 00007FF7F8E00BA3
free.LIBCMT ref: 00007FF7F8E00BAF
free.LIBCMT ref: 00007FF7F8E00BBB
free.LIBCMT ref: 00007FF7F8E00BC7
free.LIBCMT ref: 00007FF7F8E00BD3
free.LIBCMT ref: 00007FF7F8E00BDF
free.LIBCMT ref: 00007FF7F8E00BEB
free.LIBCMT ref: 00007FF7F8E00BF7
free.LIBCMT ref: 00007FF7F8E00C03
free.LIBCMT ref: 00007FF7F8E00C0F
free.LIBCMT ref: 00007FF7F8E00C1B
free.LIBCMT ref: 00007FF7F8E00C27
free.LIBCMT ref: 00007FF7F8E00C33
free.LIBCMT ref: 00007FF7F8E00C3F
free.LIBCMT ref: 00007FF7F8E00C4B
free.LIBCMT ref: 00007FF7F8E00C57
free.LIBCMT ref: 00007FF7F8E00C63
free.LIBCMT ref: 00007FF7F8E00C6F
free.LIBCMT ref: 00007FF7F8E00C7B
free.LIBCMT ref: 00007FF7F8E00C87
free.LIBCMT ref: 00007FF7F8E00C93
free.LIBCMT ref: 00007FF7F8E00C9F
free.LIBCMT ref: 00007FF7F8E00CAB
free.LIBCMT ref: 00007FF7F8E00CB7
free.LIBCMT ref: 00007FF7F8E00CC3
free.LIBCMT ref: 00007FF7F8E00CCF
free.LIBCMT ref: 00007FF7F8E00CDB
free.LIBCMT ref: 00007FF7F8E00CE7
free.LIBCMT ref: 00007FF7F8E00CF3
free.LIBCMT ref: 00007FF7F8E00CFF
free.LIBCMT ref: 00007FF7F8E00D0B
free.LIBCMT ref: 00007FF7F8E00D17
free.LIBCMT ref: 00007FF7F8E00D23
free.LIBCMT ref: 00007FF7F8E00D2F
free.LIBCMT ref: 00007FF7F8E00D3B
free.LIBCMT ref: 00007FF7F8E00D47
free.LIBCMT ref: 00007FF7F8E00D53
free.LIBCMT ref: 00007FF7F8E00D5F
free.LIBCMT ref: 00007FF7F8E00D6B
free.LIBCMT ref: 00007FF7F8E00D77
free.LIBCMT ref: 00007FF7F8E00D83
free.LIBCMT ref: 00007FF7F8E00D8F
free.LIBCMT ref: 00007FF7F8E00D9B
free.LIBCMT ref: 00007FF7F8E00DA7
free.LIBCMT ref: 00007FF7F8E00DB3
free.LIBCMT ref: 00007FF7F8E00DBF
free.LIBCMT ref: 00007FF7F8E00DCB
free.LIBCMT ref: 00007FF7F8E00DD7
free.LIBCMT ref: 00007FF7F8E00DE3
free.LIBCMT ref: 00007FF7F8E00DEF
free.LIBCMT ref: 00007FF7F8E00DFB
free.LIBCMT ref: 00007FF7F8E00E07
free.LIBCMT ref: 00007FF7F8E00E13
free.LIBCMT ref: 00007FF7F8E00E1F
free.LIBCMT ref: 00007FF7F8E00E2B
free.LIBCMT ref: 00007FF7F8E00E37
free.LIBCMT ref: 00007FF7F8E00E43
free.LIBCMT ref: 00007FF7F8E00E4F
free.LIBCMT ref: 00007FF7F8E00E5B
free.LIBCMT ref: 00007FF7F8E00E67
free.LIBCMT ref: 00007FF7F8E00E73

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 60a7ffa4d2c1c72e481c1fc4b58fd09ff59adc118a18aaad8529e092a6129a8d
Instruction ID: 6044b3a48d590223308b588bb558741123ef71218747c8e178390e7ee4522bd0
Opcode Fuzzy Hash: 60a7ffa4d2c1c72e481c1fc4b58fd09ff59adc118a18aaad8529e092a6129a8d
Instruction Fuzzy Hash: CDA16621A2654191E751BB31C4A9BFD9330AF88B88FC44133D97D4A1EFCE15D48AE7E8

Function 02C4E1F7 Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 280stringregistrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

RegOpenKeyExW.ADVAPI32 ref: 02C4E232
RegDeleteValueW.ADVAPI32 ref: 02C4E243
RegSetValueExW.ADVAPI32 ref: 02C4E26E
RegCloseKey.ADVAPI32 ref: 02C4E2D4
lstrlenW.KERNEL32 ref: 02C4E367
lstrlenW.KERNEL32 ref: 02C4E377
lstrlenW.KERNEL32 ref: 02C4E45D
lstrlenW.KERNEL32 ref: 02C4E46D

Part of subcall function 02C55378: _callnewh.LIBCMT ref: 02C55386
Part of subcall function 02C55378: std::exception::exception.LIBCMT ref: 02C553FF

Part of subcall function 02C55560: _errno.LIBCMT ref: 02C5557F
Part of subcall function 02C55560: _invalid_parameter_noinfo.LIBCMT ref: 02C5558B

lstrlenW.KERNEL32 ref: 02C4E54D
lstrlenW.KERNEL32 ref: 02C4E55D
RegCloseKey.ADVAPI32 ref: 02C4E60C
Sleep.KERNEL32 ref: 02C4E617

Strings

t3:, xrefs: 02C4E553, 02C4E58F
127.0.0.1, xrefs: 02C4E518
6666, xrefs: 02C4E34B
o1:, xrefs: 02C4E352
8.218.163.62, xrefs: 02C4E332
t2:, xrefs: 02C4E463, 02C4E49F
t1:, xrefs: 02C4E36D, 02C4E3AF
IpDate, xrefs: 02C4E23C, 02C4E259
p1:, xrefs: 02C4E339
p3:, xrefs: 02C4E51F
6666, xrefs: 02C4E441
o3:, xrefs: 02C4E538
Console, xrefs: 02C4E216
8.218.163.62, xrefs: 02C4E428
p2:, xrefs: 02C4E42F
o2:, xrefs: 02C4E448

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlen$CloseValue$DeleteOpenSleep_callnewh_errno_invalid_parameter_noinfomallocstd::exception::exception
String ID: 127.0.0.1$6666$6666$8.218.163.62$8.218.163.62$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 2396878867-2138182752
Opcode ID: 0ba1c50f3f6f8bd47f20042370db24bb557a2b144f417de9e289bd57393602ee
Instruction ID: b591e7bedf3fe46411f47c400466196223d5fad395af98cfd28c4dc1c7c798e6
Opcode Fuzzy Hash: 0ba1c50f3f6f8bd47f20042370db24bb557a2b144f417de9e289bd57393602ee
Instruction Fuzzy Hash: 51B1F271705A9581FB24EF65E548BAE2772F788BC9F819016CE0E17B50EF78C28AD740

Function 00007FF7F8DFDC88 Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDCCD
GetProcAddress.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDCE9
EncodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDCFB
GetProcAddress.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD12
EncodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD1B
GetProcAddress.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD32
EncodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD3B
GetProcAddress.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD52
EncodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD5B
GetProcAddress.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD7A
EncodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDD83
DecodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDDB6
DecodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDDC6
DecodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDE1C
DecodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDE3D
DecodePointer.KERNEL32(?,?,?,?,00007FF7F8DF10E2), ref: 00007FF7F8DFDE57

Strings

GetUserObjectInformationW, xrefs: 00007FF7F8DFDD41
MessageBoxW, xrefs: 00007FF7F8DFDCDF
GetActiveWindow, xrefs: 00007FF7F8DFDD01
GetProcessWindowStation, xrefs: 00007FF7F8DFDD70
ceil, xrefs: 00007FF7F8DFDC8D
GetLastActivePopup, xrefs: 00007FF7F8DFDD21
USER32.DLL, xrefs: 00007FF7F8DFDCC6

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL$ceil
API String ID: 2643518689-1731902841
Opcode ID: 3235768cab9551c74b9773b86dd77190edcad43fb14d3d9bf66f7ba374c6ba15
Instruction ID: e465a5083244651e4053ec4a048d8b9c255b18c8aa8a1f9db2fbcd3b3250eebe
Opcode Fuzzy Hash: 3235768cab9551c74b9773b86dd77190edcad43fb14d3d9bf66f7ba374c6ba15
Instruction Fuzzy Hash: 5651E720B1AB1291FB54BB51AC14174E3A16F49B91FC40835DC7E827E8EE3CE449B6E8

Function 02C66894 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 02C668D9
GetProcAddress.KERNEL32 ref: 02C668F5
EncodePointer.KERNEL32 ref: 02C66907
GetProcAddress.KERNEL32 ref: 02C6691E
EncodePointer.KERNEL32 ref: 02C66927
GetProcAddress.KERNEL32 ref: 02C6693E
EncodePointer.KERNEL32 ref: 02C66947
GetProcAddress.KERNEL32 ref: 02C6695E
EncodePointer.KERNEL32 ref: 02C66967
GetProcAddress.KERNEL32 ref: 02C66986
EncodePointer.KERNEL32 ref: 02C6698F
DecodePointer.KERNEL32 ref: 02C669C2
DecodePointer.KERNEL32 ref: 02C669D2
DecodePointer.KERNEL32 ref: 02C66A28
DecodePointer.KERNEL32 ref: 02C66A49
DecodePointer.KERNEL32 ref: 02C66A63

Strings

GetActiveWindow, xrefs: 02C6690D
GetUserObjectInformationW, xrefs: 02C6694D
GetProcessWindowStation, xrefs: 02C6697C
GetLastActivePopup, xrefs: 02C6692D
MessageBoxW, xrefs: 02C668EB
USER32.DLL, xrefs: 02C668D2

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 9b477d339a0cbf5d1fb3b709f53cc0189430c5bdffb326d61e63b17971d6259a
Instruction ID: fac487cc689e1084a56c74b3a25c8b999d7001615ff2dbe8e3484ba61ec25e8f
Opcode Fuzzy Hash: 9b477d339a0cbf5d1fb3b709f53cc0189430c5bdffb326d61e63b17971d6259a
Instruction Fuzzy Hash: 00513320216B5581FE25DB52B89CB2C63A4AB88FD5F999029CC1F47B24EF7DC685C300

Function 02C67754 Relevance: 32.0, APIs: 21, Instructions: 482COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C67785
_errno.LIBCMT ref: 02C6778E
__doserrno.LIBCMT ref: 02C677E8
_errno.LIBCMT ref: 02C677EF
_invalid_parameter_noinfo.LIBCMT ref: 02C67E5E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 83821fb44c2082aa68f38fc84eff16adcc4682b38c585996f4bedfbd64328b7c
Instruction ID: 36d89fda513429ac9b6c4c1cb0f6c1719b2ecd72d15e78b1236c19fd10a93cc1
Opcode Fuzzy Hash: 83821fb44c2082aa68f38fc84eff16adcc4682b38c585996f4bedfbd64328b7c
Instruction Fuzzy Hash: A61259623046C08AEB129F69D8CC3BCBBA2F785B5CF589A05CE5A07791DB39C549C705

Function 02C59714 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C57488: RtlLookupFunctionEntry.KERNEL32 ref: 02C574FC

__GetUnwindTryBlock.LIBCMT ref: 02C59778
__SetUnwindTryBlock.LIBCMT ref: 02C5979F

Part of subcall function 02C5733C: RaiseException.KERNEL32 ref: 02C573B7

__GetUnwindTryBlock.LIBCMT ref: 02C597A9
_getptd.LIBCMT ref: 02C597FF
_getptd.LIBCMT ref: 02C59812
_getptd.LIBCMT ref: 02C5981E
_SetThrowImageBase.LIBCMT ref: 02C59832
_getptd.LIBCMT ref: 02C59882
_getptd.LIBCMT ref: 02C59895
_getptd.LIBCMT ref: 02C598A1
type_info::operator==.LIBCMT ref: 02C59908
std::exception::exception.LIBCMT ref: 02C59941
_getptd.LIBCMT ref: 02C59B74
std::exception::exception.LIBCMT ref: 02C59BED

Strings

csm, xrefs: 02C597BF
csm, xrefs: 02C59966
bad exception, xrefs: 02C5992E
csm, xrefs: 02C5984D

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: d9cf7963ac656a204547f84c84e07c0a39f698d544cc56fb1fb8ee67f789732f
Instruction ID: 14233ac413ef66fef295b3ec7704723f50171e416bf264b54699b8c3f982edf5
Opcode Fuzzy Hash: d9cf7963ac656a204547f84c84e07c0a39f698d544cc56fb1fb8ee67f789732f
Instruction Fuzzy Hash: A4D1E232600B60CADF24DF66D4843AE77A2FB84BC8F444665DE4A57B04CB38C2D5DB99

Function 00007FF7F8E03C88 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F8E01988: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F8E019FC

__GetUnwindTryBlock.LIBCMT ref: 00007FF7F8E03CEC
__SetUnwindTryBlock.LIBCMT ref: 00007FF7F8E03D13

Part of subcall function 00007FF7F8DF9A88: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DF12E9), ref: 00007FF7F8DF9B03

__GetUnwindTryBlock.LIBCMT ref: 00007FF7F8E03D1D
_getptd.LIBCMT ref: 00007FF7F8E03D73
_getptd.LIBCMT ref: 00007FF7F8E03D86
_getptd.LIBCMT ref: 00007FF7F8E03D92
_SetThrowImageBase.LIBCMT ref: 00007FF7F8E03DA6
_getptd.LIBCMT ref: 00007FF7F8E03DF6
_getptd.LIBCMT ref: 00007FF7F8E03E09
_getptd.LIBCMT ref: 00007FF7F8E03E15
type_info::operator==.LIBCMT ref: 00007FF7F8E03E7C
std::exception::exception.LIBCMT ref: 00007FF7F8E03EB5
_getptd.LIBCMT ref: 00007FF7F8E040E8
std::exception::exception.LIBCMT ref: 00007FF7F8E04161

Strings

csm, xrefs: 00007FF7F8E03DC1
csm, xrefs: 00007FF7F8E03EDA
bad exception, xrefs: 00007FF7F8E03EA2
csm, xrefs: 00007FF7F8E03D33

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: fbe037284dd962ea214ae2f94636b38ee292e4416248e112e6b35bf23fd221be
Instruction ID: 274f59fd5bed66920c621bd22ca656592aeb25ae4a0a1dd5027c473040a4ce25
Opcode Fuzzy Hash: fbe037284dd962ea214ae2f94636b38ee292e4416248e112e6b35bf23fd221be
Instruction Fuzzy Hash: A8E1E332A0864286EB20BB6591402BDF7A0FF15788F844935DE7E17BC5CF38E455E3A9

Function 02B091E5 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 493COMMONLIBRARYCODE

Download Yara Rule

APIs

__GetUnwindTryBlock.LIBCMT ref: 02B09249
__SetUnwindTryBlock.LIBCMT ref: 02B09270
__GetUnwindTryBlock.LIBCMT ref: 02B0927A
_getptd.LIBCMT ref: 02B092D0
_getptd.LIBCMT ref: 02B092E3
_getptd.LIBCMT ref: 02B092EF
_SetThrowImageBase.LIBCMT ref: 02B09303
_getptd.LIBCMT ref: 02B09353
_getptd.LIBCMT ref: 02B09366
_getptd.LIBCMT ref: 02B09372
type_info::operator==.LIBCMT ref: 02B093D9
std::exception::exception.LIBCMT ref: 02B09412
_getptd.LIBCMT ref: 02B09645

Strings

csm, xrefs: 02B0931E
csm, xrefs: 02B09290
csm, xrefs: 02B09437

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$BlockUnwind$BaseImageThrowstd::exception::exceptiontype_info::operator==
String ID: csm$csm$csm
API String ID: 597370258-393685449
Opcode ID: 22467ef495f7b2ae5b0c470f627a871a789aef46cd6af6b457b8833c2192b874
Instruction ID: 1e7f7f9f51b7c3891b5196bc912715083a296f501131eaa9a7021b4adf7dc4b1
Opcode Fuzzy Hash: 22467ef495f7b2ae5b0c470f627a871a789aef46cd6af6b457b8833c2192b874
Instruction Fuzzy Hash: 7EE1D930618F098FCB59AFA8C4C56ADBBE1FB58715F5442ADD84AC3292DF34E441CB82

Function 00007FF7F8DF8370 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF7F8DF8396
GetProcAddress.KERNEL32 ref: 00007FF7F8DF83BE
FreeLibrary.KERNEL32 ref: 00007FF7F8DF83CF

Strings

%s-%04d%02d%02d-%02d%02d%02d.dmp, xrefs: 00007FF7F8DF8451
DbgHelp.dll, xrefs: 00007FF7F8DF838F
!analyze -v, xrefs: 00007FF7F8DF844A
MiniDumpWriteDump, xrefs: 00007FF7F8DF83AC

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: !analyze -v$%s-%04d%02d%02d-%02d%02d%02d.dmp$DbgHelp.dll$MiniDumpWriteDump
API String ID: 145871493-3774911088
Opcode ID: 480089490ec144e7b2b2c8ce8f4cc6496139fd37b894703ea7d60b2fbab28df8
Instruction ID: 01edb2393f6cef09d28fd2cb875ba814f6770ec778f24f14938dad07ed648588
Opcode Fuzzy Hash: 480089490ec144e7b2b2c8ce8f4cc6496139fd37b894703ea7d60b2fbab28df8
Instruction Fuzzy Hash: 23416036618B9186E760AB11F84426EF3A0FF89755F800635DABE43B98DF3CD018EB54

Function 02C4D520 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 224stringsleepregistryCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02C4D568
wsprintfW.USER32 ref: 02C4D5B0

Part of subcall function 02C49830: lstrlenW.KERNEL32 ref: 02C49862
Part of subcall function 02C49830: lstrlenW.KERNEL32 ref: 02C4987C
Part of subcall function 02C49830: lstrlenW.KERNEL32 ref: 02C49888

lstrlenW.KERNEL32 ref: 02C4D61B
lstrlenW.KERNEL32 ref: 02C4D62E
CreateEventA.KERNEL32 ref: 02C4D79E
RegOpenKeyExW.ADVAPI32 ref: 02C4D808
CloseHandle.KERNEL32 ref: 02C4D850
Sleep.KERNEL32 ref: 02C4D86E
CloseHandle.KERNEL32 ref: 02C4D897
CloseHandle.KERNEL32 ref: 02C4D8B6

Strings

p1:, xrefs: 02C4D5F0
Console\1, xrefs: 02C4D7FA
o1:, xrefs: 02C4D609
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 02C4D5A2
t1:, xrefs: 02C4D624

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlen$CloseHandle$CreateEventLocalOpenSleepTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$Console\1$o1:$p1:$t1:
API String ID: 441366266-1614091359
Opcode ID: 2c5e8d8077fca6d9efecd33f24c60deca68b6aa5d3bb0323bb46866befe63c5a
Instruction ID: e546ae04b8b17c26a85731ff188237deb48f96773150e936b80f3f24ac02b372
Opcode Fuzzy Hash: 2c5e8d8077fca6d9efecd33f24c60deca68b6aa5d3bb0323bb46866befe63c5a
Instruction Fuzzy Hash: CA918E72204B9186EB24AF26E944BAE77B5F785B84F405519DE8F07B68DF38C245CB40

Function 02C46FF0 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 02C47012

Strings

Metascan, xrefs: 02C470FA
Fiddler, xrefs: 02C47172
Sniff, xrefs: 02C471B6
CurrPorts, xrefs: 02C470CA
Wireshark, xrefs: 02C47112
Port, xrefs: 02C470E2
Process, xrefs: 02C471DE
TCPEye, xrefs: 02C4709A
TaskExplorer, xrefs: 02C470B2
ApateDNS, xrefs: 02C4706A
Capsa, xrefs: 02C471A2, 02C471CA
Malwarebytes, xrefs: 02C47082

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: 9b8c77d6ced09ec049599edcb5e11aaf6237f5b26d3217c734fc7b2da4660954
Instruction ID: 53e4ee92971de7833b3dfc5e7ef54a7d9c50c48412df5b121549d3931f2fe1be
Opcode Fuzzy Hash: 9b8c77d6ced09ec049599edcb5e11aaf6237f5b26d3217c734fc7b2da4660954
Instruction Fuzzy Hash: 4F51703430675281FE69EB37F98472953629F8A7D4F88A4749C0E1B318EF7CC6849B04

Function 02C50EB0 Relevance: 24.3, APIs: 16, Instructions: 279COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02C50ED2
SetLastError.KERNEL32 ref: 02C50EF5

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 77dedc7f358742ff0399e8efbd8c3910799c15a7c59c220d042ca75b07eb62eb
Instruction ID: 422e13a55b4ce26cf7437d3868e92c5b3d7c610b8028bf721eab8545491a0578
Opcode Fuzzy Hash: 77dedc7f358742ff0399e8efbd8c3910799c15a7c59c220d042ca75b07eb62eb
Instruction Fuzzy Hash: 86B1C532311A608AEB14CF26E95876D33A5FB88BC8F484529CE4E87F44EF79D595C704

Function 02C441C0 Relevance: 21.1, APIs: 14, Instructions: 127networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 02C441FB
WSAIoctl.WS2_32 ref: 02C44250
setsockopt.WS2_32 ref: 02C44272
setsockopt.WS2_32 ref: 02C44294
WSACreateEvent.WS2_32 ref: 02C4429A
lstrlenW.KERNEL32 ref: 02C442A7
WideCharToMultiByte.KERNEL32 ref: 02C442CA
lstrlenW.KERNEL32 ref: 02C442E4
WideCharToMultiByte.KERNEL32 ref: 02C44307
gethostbyname.WS2_32 ref: 02C44314

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
String ID:
API String ID: 2536029566-0
Opcode ID: cf50b05f241690f5b75512f02c6d7ffb42373bcd321a6766e23d8fdfdd69b64a
Instruction ID: a16a3e404cdf182f0a1e4246f2674faf08c1a79eecdddc6f79b62d84e19cd2ff
Opcode Fuzzy Hash: cf50b05f241690f5b75512f02c6d7ffb42373bcd321a6766e23d8fdfdd69b64a
Instruction Fuzzy Hash: 1F514376218B5186E724CF65F44875EB7A5F788BA8F100219EE9A43FA8DF7CC145CB00

Function 00007FF7F8DF4220 Relevance: 21.1, APIs: 14, Instructions: 127networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF7F8DF425B
WSAIoctl.WS2_32 ref: 00007FF7F8DF42B0
setsockopt.WS2_32 ref: 00007FF7F8DF42D2
setsockopt.WS2_32 ref: 00007FF7F8DF42F4
WSACreateEvent.WS2_32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F8DF3FF5), ref: 00007FF7F8DF42FA
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F8DF3FF5), ref: 00007FF7F8DF4307
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F8DF3FF5), ref: 00007FF7F8DF432A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F8DF3FF5), ref: 00007FF7F8DF4344
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F8DF3FF5), ref: 00007FF7F8DF4367
gethostbyname.WS2_32 ref: 00007FF7F8DF4374

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
String ID:
API String ID: 2536029566-0
Opcode ID: dd1851911fdd76a705326ba549579fe627525648a2b6dfceec2b157348278301
Instruction ID: fc72f550ba4120ed8f44cddb57b25b55297fe1abbac108754e19092562bb6897
Opcode Fuzzy Hash: dd1851911fdd76a705326ba549579fe627525648a2b6dfceec2b157348278301
Instruction Fuzzy Hash: F8515132618B5186E7109F65F84026AF7A5FB88BA4F500635EABE43BD8CF3CD049DB54

Function 02C5F128 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 02C5F180

Part of subcall function 02C654AC: free.LIBCMT ref: 02C654CA
Part of subcall function 02C654AC: free.LIBCMT ref: 02C654DC
Part of subcall function 02C654AC: free.LIBCMT ref: 02C654EE
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65500
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65512
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65524
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65536
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65548
Part of subcall function 02C654AC: free.LIBCMT ref: 02C6555A
Part of subcall function 02C654AC: free.LIBCMT ref: 02C6556C
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65581
Part of subcall function 02C654AC: free.LIBCMT ref: 02C65596
Part of subcall function 02C654AC: free.LIBCMT ref: 02C655AB

free.LIBCMT ref: 02C5F174

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

free.LIBCMT ref: 02C5F196
__free_lconv_num.LIBCMT ref: 02C5F1A2
free.LIBCMT ref: 02C5F1AE
free.LIBCMT ref: 02C5F1BA
free.LIBCMT ref: 02C5F1DE
free.LIBCMT ref: 02C5F1F2
free.LIBCMT ref: 02C5F201
free.LIBCMT ref: 02C5F20D
free.LIBCMT ref: 02C5F23A
free.LIBCMT ref: 02C5F262
free.LIBCMT ref: 02C5F27C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: 793502283a8cb49350656c0ec5e5d9694461158cf1e27e4be6b183f55cf5cd15
Instruction ID: 910f90020ea8b5cba34499a7f169140fae10864f8c8127f5cfa840c82f5954b3
Opcode Fuzzy Hash: 793502283a8cb49350656c0ec5e5d9694461158cf1e27e4be6b183f55cf5cd15
Instruction Fuzzy Hash: 43314D366026A488DF69DFA1CC503BD2321EBC5B98F880439CE0D4BA54CF38C1C1C799

Function 00007FF7F8DFF668 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 00007FF7F8DFF6C0

Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F0A
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F1C
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F2E
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F40
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F52
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F64
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F76
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F88
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00F9A
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00FAC
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00FC1
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00FD6
Part of subcall function 00007FF7F8E00EEC: free.LIBCMT ref: 00007FF7F8E00FEB

free.LIBCMT ref: 00007FF7F8DFF6B4

Part of subcall function 00007FF7F8DF9030: HeapFree.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9046
Part of subcall function 00007FF7F8DF9030: _errno.LIBCMT ref: 00007FF7F8DF9050
Part of subcall function 00007FF7F8DF9030: GetLastError.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9058

free.LIBCMT ref: 00007FF7F8DFF6D6
__free_lconv_num.LIBCMT ref: 00007FF7F8DFF6E2
free.LIBCMT ref: 00007FF7F8DFF6EE
free.LIBCMT ref: 00007FF7F8DFF6FA
free.LIBCMT ref: 00007FF7F8DFF71E
free.LIBCMT ref: 00007FF7F8DFF732
free.LIBCMT ref: 00007FF7F8DFF741
free.LIBCMT ref: 00007FF7F8DFF74D
free.LIBCMT ref: 00007FF7F8DFF77A
free.LIBCMT ref: 00007FF7F8DFF7A2
free.LIBCMT ref: 00007FF7F8DFF7BC

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: 578f8deb9b1b94d1822c3a308d3ccdd43089e4846e4b09c0fbd9a79327202c1b
Instruction ID: 56e01ce191928652e272e21cfb5066fb29982059d362c74029f1390f05b2305a
Opcode Fuzzy Hash: 578f8deb9b1b94d1822c3a308d3ccdd43089e4846e4b09c0fbd9a79327202c1b
Instruction Fuzzy Hash: A5413532E1A98284EF65BF21C4547B8E360AF48B84F940431DA3D062DDCF6CA485F7B8

Function 02B16B45 Relevance: 18.2, APIs: 12, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02B16B79

Part of subcall function 02B12459: _errno.LIBCMT ref: 02B12462
Part of subcall function 02B12459: _invalid_parameter_noinfo.LIBCMT ref: 02B1246D

_fileno.LIBCMT ref: 02B16B94
_fileno.LIBCMT ref: 02B16BA1
_fileno.LIBCMT ref: 02B16BB0

Part of subcall function 02B0C109: _fileno.LIBCMT ref: 02B0C126
Part of subcall function 02B0C109: _errno.LIBCMT ref: 02B0C136

_fileno.LIBCMT ref: 02B16BDA
_fileno.LIBCMT ref: 02B16BE7
_fileno.LIBCMT ref: 02B16BF4
_fileno.LIBCMT ref: 02B16C03
_fileno.LIBCMT ref: 02B16C2D
_fileno.LIBCMT ref: 02B16C3A
_fileno.LIBCMT ref: 02B16C47
_fileno.LIBCMT ref: 02B16C56

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _fileno$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 482796045-0
Opcode ID: 870200666e5cc4ec4f42544dfeab9d8f82b4b13906aec3573b67f937372f4743
Instruction ID: a12afd6c989267c4ee61be722fbddbdcf7130f6a47782ad6e84ba97d17280677
Opcode Fuzzy Hash: 870200666e5cc4ec4f42544dfeab9d8f82b4b13906aec3573b67f937372f4743
Instruction Fuzzy Hash: 7C510B34228F4D4B8758AF6C84D127977D6FF86314BE807ADD5AAC32D0D72895528782

Function 02C67074 Relevance: 18.1, APIs: 12, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02C670A8

Part of subcall function 02C62988: _errno.LIBCMT ref: 02C62991
Part of subcall function 02C62988: _invalid_parameter_noinfo.LIBCMT ref: 02C6299C

_fileno.LIBCMT ref: 02C670C3
_fileno.LIBCMT ref: 02C670D0
_fileno.LIBCMT ref: 02C670DF

Part of subcall function 02C5C638: _fileno.LIBCMT ref: 02C5C655
Part of subcall function 02C5C638: _errno.LIBCMT ref: 02C5C665

_fileno.LIBCMT ref: 02C67109
_fileno.LIBCMT ref: 02C67116
_fileno.LIBCMT ref: 02C67123
_fileno.LIBCMT ref: 02C67132
_fileno.LIBCMT ref: 02C6715C
_fileno.LIBCMT ref: 02C67169
_fileno.LIBCMT ref: 02C67176
_fileno.LIBCMT ref: 02C67185

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _fileno$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 482796045-0
Opcode ID: c48717b30ae9b74f7ac66b91d84a3b4c92b1bb28475cd271dfa275c582b4941c
Instruction ID: 6797ed5e0e28e3acd71f666ec8e48e0276b82c43072c924fdefdfe872d5fe643
Opcode Fuzzy Hash: c48717b30ae9b74f7ac66b91d84a3b4c92b1bb28475cd271dfa275c582b4941c
Instruction Fuzzy Hash: 3051172221468585CB289F3A99D827DA352FBC2BECB584B02EF7A477D4CF2CC556C711

Function 02B08A21 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02B08A51
_getptd.LIBCMT ref: 02B08A65
_getptd.LIBCMT ref: 02B08A9F
_getptd.LIBCMT ref: 02B08AAB
_getptd.LIBCMT ref: 02B08AB7
_CreateFrameInfo.LIBCMT ref: 02B08ACC

Part of subcall function 02B07405: _getptd.LIBCMT ref: 02B07411
Part of subcall function 02B07405: _getptd.LIBCMT ref: 02B0741F
Part of subcall function 02B07405: _getptd.LIBCMT ref: 02B07433

_getptd.LIBCMT ref: 02B08AEA
_getptd.LIBCMT ref: 02B08BF0
_getptd.LIBCMT ref: 02B08BFC

Strings

csm, xrefs: 02B08BB0

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 51c0dc7a84f5612c5cc78820bb2f6ad6632db51e04bb7ee6f91fee8f6b9fc100
Instruction ID: 10d6117d1a9055d7c1135c3dd601d0230a3ccd35e4effd798f5f802edb221407
Opcode Fuzzy Hash: 51c0dc7a84f5612c5cc78820bb2f6ad6632db51e04bb7ee6f91fee8f6b9fc100
Instruction Fuzzy Hash: C7418EB0518B098FC7B5EF6CC485B7ABBE1FB58311F5105AED08DC3692DB31A5428B86

Function 02C58F50 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C58F80

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

_getptd.LIBCMT ref: 02C58F94
_getptd.LIBCMT ref: 02C58FCE
_getptd.LIBCMT ref: 02C58FDA
_getptd.LIBCMT ref: 02C58FE6
_CreateFrameInfo.LIBCMT ref: 02C58FFB

Part of subcall function 02C57934: _getptd.LIBCMT ref: 02C57940
Part of subcall function 02C57934: _getptd.LIBCMT ref: 02C5794E
Part of subcall function 02C57934: _getptd.LIBCMT ref: 02C57962

_getptd.LIBCMT ref: 02C59019
_getptd.LIBCMT ref: 02C5911F
_getptd.LIBCMT ref: 02C5912B

Strings

csm, xrefs: 02C590DF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: 28f5b8f5928c2bab68e4158101839e7a7904bf0c9a5fe69cd0b7fe63bdef1c08
Instruction ID: 1c37af8b9323734ef61ed7bbcf1f669701c391f341a5b005b5ba4fb6a7fd5215
Opcode Fuzzy Hash: 28f5b8f5928c2bab68e4158101839e7a7904bf0c9a5fe69cd0b7fe63bdef1c08
Instruction Fuzzy Hash: 23412E36204BA1D6CA309B16E44036BB7A5F788B94F044265EF9E07B54DF39C1E5DB44

Function 00007FF7F8E034C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8E034F4

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

_getptd.LIBCMT ref: 00007FF7F8E03508
_getptd.LIBCMT ref: 00007FF7F8E03542
_getptd.LIBCMT ref: 00007FF7F8E0354E
_getptd.LIBCMT ref: 00007FF7F8E0355A
_CreateFrameInfo.LIBCMT ref: 00007FF7F8E0356F

Part of subcall function 00007FF7F8E01E34: _getptd.LIBCMT ref: 00007FF7F8E01E40
Part of subcall function 00007FF7F8E01E34: _getptd.LIBCMT ref: 00007FF7F8E01E4E
Part of subcall function 00007FF7F8E01E34: _getptd.LIBCMT ref: 00007FF7F8E01E62

_getptd.LIBCMT ref: 00007FF7F8E0358D
_getptd.LIBCMT ref: 00007FF7F8E03693
_getptd.LIBCMT ref: 00007FF7F8E0369F

Strings

csm, xrefs: 00007FF7F8E03653

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
Instruction ID: 9b9ef352d9c8f0d450b5bb9a3e5e933e14c0a2466aec6160f3c81632816c23a1
Opcode Fuzzy Hash: f7c0f49ba4beedef2b7976ee9fce1622404532abdfe6423b84f5cde918012730
Instruction Fuzzy Hash: 8041603690978282DB70EB12A4403AAF3A4FB48794F944535DEBE07BC5DF38D095EB54

Function 02C69054 Relevance: 16.8, APIs: 11, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C6907C
_invalid_parameter_noinfo.LIBCMT ref: 02C69087
__wtomb_environ.LIBCMT ref: 02C69169
_errno.LIBCMT ref: 02C69172
free.LIBCMT ref: 02C69263
SetEnvironmentVariableA.KERNEL32 ref: 02C69394
_errno.LIBCMT ref: 02C693A1
free.LIBCMT ref: 02C693AF
free.LIBCMT ref: 02C693BC
free.LIBCMT ref: 02C693E3

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID:
API String ID: 101574016-0
Opcode ID: c7ab4824c20248cd77d5d216f2600469411963f07d5dc115475ca10161a63df4
Instruction ID: 002e5edd9b38a8baa0b2f9d73da0aeaf0e1096a84255f7d90eea79230949a3d8
Opcode Fuzzy Hash: c7ab4824c20248cd77d5d216f2600469411963f07d5dc115475ca10161a63df4
Instruction Fuzzy Hash: F2910625302B5086EF25EB26AD8C33E7795FB81BD8F588625CE5A4B754EF38C146D700

Function 02C45F30 Relevance: 16.6, APIs: 11, Instructions: 114COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02C45F58
EnterCriticalSection.KERNEL32 ref: 02C45F7A
SetLastError.KERNEL32 ref: 02C45F8D
LeaveCriticalSection.KERNEL32 ref: 02C45F97

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 4efe19a53c5f1bbbb6770299ba61f7da19085229a5c567b4a8f2ec6ecf7074f0
Instruction ID: 0a37a0c376a1375d885d495c493da582dc949060a3d4db692772766856fa3e5b
Opcode Fuzzy Hash: 4efe19a53c5f1bbbb6770299ba61f7da19085229a5c567b4a8f2ec6ecf7074f0
Instruction Fuzzy Hash: 8C41D2322042848BE754AF35E84CB2F77A9FB89B91F45512ADA1B83B90DF38D484CB45

Function 00007FF7F8DF5F80 Relevance: 16.6, APIs: 11, Instructions: 114COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF7F8DF5FA8
EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF5FCA
SetLastError.KERNEL32 ref: 00007FF7F8DF5FDD
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF5FE7

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 69df40eebe7a994a8abce202a6738ebc00c29fcc82c09fe2143204c8f9b5c241
Instruction ID: 612c112f2f75d5c9a7211d040635ab27e2f42c3e9e67991d1824897a9213f82b
Opcode Fuzzy Hash: 69df40eebe7a994a8abce202a6738ebc00c29fcc82c09fe2143204c8f9b5c241
Instruction Fuzzy Hash: D041A632A0829586E754AF20D80866AF368FF49751F904535D63F832D5DF3CE448E798

Function 02C46380 Relevance: 16.6, APIs: 11, Instructions: 98networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02C463C4
WSASetLastError.WS2_32 ref: 02C463D6
LeaveCriticalSection.KERNEL32 ref: 02C463E0

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 90b2d3d72562b85b932b95850fd759897480d03085588f29b6ae233e826b8c72
Instruction ID: c9a2dcb69fc34ee3d4eb5928f7ee3279fa7cf8a9e339c1aa0502f3dbcdfb44e7
Opcode Fuzzy Hash: 90b2d3d72562b85b932b95850fd759897480d03085588f29b6ae233e826b8c72
Instruction Fuzzy Hash: CC31902131464082EA149F26F90C72F7319F786BA5F546135CE2B87BA9DF29C495C700

Function 00007FF7F8DF63D0 Relevance: 16.6, APIs: 11, Instructions: 98networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF6414
WSASetLastError.WS2_32 ref: 00007FF7F8DF6426
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF6430

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: ce80470fa4deb6d6172187dcf98ae3ac5c2e22c2398dc0b25eb93d0e69b03d15
Instruction ID: e9bd53622e641f2e1d103e23d7dcbd2dafa87dcfe3442c15a2d5cee87f9d8ce3
Opcode Fuzzy Hash: ce80470fa4deb6d6172187dcf98ae3ac5c2e22c2398dc0b25eb93d0e69b03d15
Instruction Fuzzy Hash: C0315220B0865282F7147B15B81523AE255EF8AF91F945631D93F43BD9CF3CE489B3A8

Function 02C4FA10 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C4FA61
RegDeleteValueW.ADVAPI32 ref: 02C4FA6F
RegCloseKey.ADVAPI32 ref: 02C4FA7A
RegCreateKeyW.ADVAPI32 ref: 02C4FA9A
lstrlenW.KERNEL32 ref: 02C4FAA7
RegSetValueExW.ADVAPI32 ref: 02C4FAC9
RegCloseKey.ADVAPI32 ref: 02C4FAD4

Strings

Network, xrefs: 02C4FA37
AppEvents, xrefs: 02C4FA3E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3197061591-3733486940
Opcode ID: df353acfe061e84203d7ac4a4d8559ebe72ca993a1af8a6bb5186c314d41c4c8
Instruction ID: f0168b34761cfb954f039e6cbdffe44e9e3ed7e9af0973dfb09dc175e661659e
Opcode Fuzzy Hash: df353acfe061e84203d7ac4a4d8559ebe72ca993a1af8a6bb5186c314d41c4c8
Instruction Fuzzy Hash: 0C115976318A8082EB109B12F84CB5EB3A1F794BE5F444125EE9A47F68CFBCC149CB44

Function 02C5A350 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 02C5A477

Part of subcall function 02C5E590: GetLastError.KERNEL32 ref: 02C5E5F4
Part of subcall function 02C5E590: free.LIBCMT ref: 02C5E672

free.LIBCMT ref: 02C5A63F
free.LIBCMT ref: 02C5A64F
free.LIBCMT ref: 02C5A65F
free.LIBCMT ref: 02C5A66B
free.LIBCMT ref: 02C5A6C0
free.LIBCMT ref: 02C5A6C8
free.LIBCMT ref: 02C5A6D0
free.LIBCMT ref: 02C5A6D8
free.LIBCMT ref: 02C5A6E2

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: b3486acb5be8b198c16fe08b771984a76368ce0ba2e95de7802cfff15c464e33
Instruction ID: 649757d56dc0bb2a91218a3ab255122a3d37a06a1e2fc91fcd0b6c7d1ebde014
Opcode Fuzzy Hash: b3486acb5be8b198c16fe08b771984a76368ce0ba2e95de7802cfff15c464e33
Instruction Fuzzy Hash: B9B1F2323057E08ADB15CF66E4547AE77A5F788B88F84822ADF8987754EF39C181CB44

Function 02C68B80 Relevance: 15.2, APIs: 10, Instructions: 250COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 02C68C73
MultiByteToWideChar.KERNEL32 ref: 02C68CF2
MultiByteToWideChar.KERNEL32 ref: 02C68D99
MultiByteToWideChar.KERNEL32 ref: 02C68DBF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 2d90b2b54ccd2e60352f476bd800f3d2100da5d7e85102e0396c8d6fc970bf6c
Instruction ID: 699d74440b92672e1f4ecfb8c3fda69d34f9840387fdaed15f9ace83e0d98aae
Opcode Fuzzy Hash: 2d90b2b54ccd2e60352f476bd800f3d2100da5d7e85102e0396c8d6fc970bf6c
Instruction Fuzzy Hash: E9910772706BC05ADB318F25988877A7B93F785BE8F484715DE6957784DB38C688C310

Function 02C59E30 Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 02C59ECA
malloc.LIBCMT ref: 02C59F33
MultiByteToWideChar.KERNEL32 ref: 02C59F67
LCMapStringW.KERNEL32 ref: 02C59F8E
LCMapStringW.KERNEL32 ref: 02C59FD6
malloc.LIBCMT ref: 02C5A033

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

LCMapStringW.KERNEL32 ref: 02C5A068
WideCharToMultiByte.KERNEL32 ref: 02C5A0A8
free.LIBCMT ref: 02C5A0BC
free.LIBCMT ref: 02C5A0CD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 212a4c3b0deda1fbab8d7a46e28323f5a226f924b4e173925b22eeaff756e0a3
Instruction ID: 3716079dbe42fe7e9fdaf4f44694f4c651d95d2c4b09706a1cc702e77736026c
Opcode Fuzzy Hash: 212a4c3b0deda1fbab8d7a46e28323f5a226f924b4e173925b22eeaff756e0a3
Instruction Fuzzy Hash: 5E71F7323147908ADB248F26D84475977A5FBC8BE8F444729EE5E47B94DB39C280C748

Function 00007FF7F8E0054C Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F8E00889), ref: 00007FF7F8E005E6
malloc.LIBCMT ref: 00007FF7F8E0064F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F8E00889), ref: 00007FF7F8E00683
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F8E00889), ref: 00007FF7F8E006AA
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F8E00889), ref: 00007FF7F8E006F2
malloc.LIBCMT ref: 00007FF7F8E0074F

Part of subcall function 00007FF7F8DF9070: _FF_MSGBANNER.LIBCMT ref: 00007FF7F8DF90A0
Part of subcall function 00007FF7F8DF9070: HeapAlloc.KERNEL32(?,?,0001939100000000,00007FF7F8DFC050,?,?,ceil,00007FF7F8DFD951,?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DF90C5
Part of subcall function 00007FF7F8DF9070: _callnewh.LIBCMT ref: 00007FF7F8DF90DE
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90E9
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90F4

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F8E00889), ref: 00007FF7F8E00784
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F8E00889), ref: 00007FF7F8E007C4
free.LIBCMT ref: 00007FF7F8E007D8
free.LIBCMT ref: 00007FF7F8E007E9

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 8864ca2f36b3b28a6e37dacfbbe885c608440c4a788fc07bea0ef3c91e2c5cf3
Instruction ID: c52f28983bac98480dda496d48eac7271beee4032ca1b8e84b5b6bc1b3276447
Opcode Fuzzy Hash: 8864ca2f36b3b28a6e37dacfbbe885c608440c4a788fc07bea0ef3c91e2c5cf3
Instruction Fuzzy Hash: E881D532B0878246EF24AF259440569E7A1FF48BA4F840A35DE7E53BD9DF3CD4009798

Function 02C66C00 Relevance: 15.1, APIs: 10, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C66C47
_invalid_parameter_noinfo.LIBCMT ref: 02C66C53
_errno.LIBCMT ref: 02C66C9D
_errno.LIBCMT ref: 02C66CA8
_errno.LIBCMT ref: 02C66CDA
_invalid_parameter_noinfo.LIBCMT ref: 02C66CE4
WideCharToMultiByte.KERNEL32 ref: 02C66D56
GetLastError.KERNEL32 ref: 02C66D73
_errno.LIBCMT ref: 02C66D99
_invalid_parameter_noinfo.LIBCMT ref: 02C66DA5

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: 1d646d828de0aace6474db1b56eecb5c83fbf8c445fe68ef6d6efd0ca843a860
Instruction ID: ee2fc4be55448a3be1874783d46cdf5ef8cd3ea5c12a3610d364bbb506030e47
Opcode Fuzzy Hash: 1d646d828de0aace6474db1b56eecb5c83fbf8c445fe68ef6d6efd0ca843a860
Instruction Fuzzy Hash: 3641FB72601F909AEB219F26C4C83BC7A66F7807ACF344625CE591BB94DB3CC181C755

Function 00007FF7F8DFF95C Relevance: 15.1, APIs: 10, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8DFF9A3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFF9AF
_errno.LIBCMT ref: 00007FF7F8DFF9F9
_errno.LIBCMT ref: 00007FF7F8DFFA04
_errno.LIBCMT ref: 00007FF7F8DFFA36
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFFA40
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00007FF7F8DFFB2F), ref: 00007FF7F8DFFAB2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00007FF7F8DFFB2F), ref: 00007FF7F8DFFACF
_errno.LIBCMT ref: 00007FF7F8DFFAF5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFFB01

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: bd3480430a4880f8b9bfe9aab1841d67a6c611096bbe8aa784dae63e06954dd0
Instruction ID: dbd3b66ff9e8b28e4376566015355152daef6f26f72c9e3813312fac93b989f1
Opcode Fuzzy Hash: bd3480430a4880f8b9bfe9aab1841d67a6c611096bbe8aa784dae63e06954dd0
Instruction Fuzzy Hash: B451EA22E0868259FB61BF65C4443BCF6A0AF4C758F948131DA7D06ACDCF3C9449B7A8

Function 02C61C70 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 02C61C91

Part of subcall function 02C5A860: Sleep.KERNEL32 ref: 02C5A8A5

GetFileType.KERNEL32 ref: 02C61DFC
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 02C61E3A

Strings

@, xrefs: 02C61EF5

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: ab5030fe6963260d57b7d113dea0ca27346005c31587775712d3cdfdcbca818d
Instruction ID: 6eb8207d88fd917e44108c433d6da262ac39cc01285f3a094e91a6bd368a3c55
Opcode Fuzzy Hash: ab5030fe6963260d57b7d113dea0ca27346005c31587775712d3cdfdcbca818d
Instruction Fuzzy Hash: D0817A62200B8486EB148F25D88C72D77A5FB85B79F588329CA7E437E4EBB8C159D314

Function 00007FF7F8DFA0F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7F8DFA119

Part of subcall function 00007FF7F8DFD9D8: _amsg_exit.LIBCMT ref: 00007FF7F8DFDA02

DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,00007FF7F8DFA2DD,?,?,00000000,00007FF7F8DFDA07,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DFA14C
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,00007FF7F8DFA2DD,?,?,00000000,00007FF7F8DFDA07,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DFA16A
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,00007FF7F8DFA2DD,?,?,00000000,00007FF7F8DFDA07,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DFA1AA
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,00007FF7F8DFA2DD,?,?,00000000,00007FF7F8DFDA07,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DFA1C4
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,00007FF7F8DFA2DD,?,?,00000000,00007FF7F8DFDA07,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DFA1D4
ExitProcess.KERNEL32 ref: 00007FF7F8DFA260

Strings

ceil, xrefs: 00007FF7F8DFA100

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID: ceil
API String ID: 3411037476-3069211559
Opcode ID: 9a183ae1f03644b8a62f51de8d9c4146bcd30d60da9bb7abc91cae87c8d0ceca
Instruction ID: 9a9eb49043f91c09e52b575f2fbab3330455fd932cb08c6bfe7196577b3f7b90
Opcode Fuzzy Hash: 9a183ae1f03644b8a62f51de8d9c4146bcd30d60da9bb7abc91cae87c8d0ceca
Instruction Fuzzy Hash: 6E417021A1AA5281E754BB01EC40139E294FF88798FC41035ED7E47BD9DF3CE459E7A8

Function 02C4A550 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 02C4A55D
GetProcAddress.KERNEL32 ref: 02C4A575
GetProcAddress.KERNEL32 ref: 02C4A58C
GetProcAddress.KERNEL32 ref: 02C4A5A3

Strings

ZwQuerySystemInformation, xrefs: 02C4A592
ZwQueryInformationProcess, xrefs: 02C4A56B
ZwQueryObject, xrefs: 02C4A57B
ntdll.dll, xrefs: 02C4A556

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ZwQueryInformationProcess$ZwQueryObject$ZwQuerySystemInformation$ntdll.dll
API String ID: 667068680-3590752221
Opcode ID: 7eda7db14e39e4496a90eac640427b40b534a2017adf1ab763c42458caa272a6
Instruction ID: 6319fdb0983819fa2917ee8730c68f59b8c3f22d505ff3447f107419fc3f052e
Opcode Fuzzy Hash: 7eda7db14e39e4496a90eac640427b40b534a2017adf1ab763c42458caa272a6
Instruction Fuzzy Hash: 8E11D660686B4581FF149B11F86CB5D23E0FB48794F89902AC84A46361EFBD86D9CB80

Function 02B17949 Relevance: 13.6, APIs: 9, Instructions: 111COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02B17972
_errno.LIBCMT ref: 02B1797B
__doserrno.LIBCMT ref: 02B179D9
_errno.LIBCMT ref: 02B179E0
_invalid_parameter_noinfo.LIBCMT ref: 02B17A44

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 848fe9144c0ebe6d5704ff2d6dfc4fbfde9db1d0d9278778837188ee504204a3
Instruction ID: 1ce50761a9042fcbd30d1fadb7f6858e0b18100c921e09a4c4891ee05f631fbf
Opcode Fuzzy Hash: 848fe9144c0ebe6d5704ff2d6dfc4fbfde9db1d0d9278778837188ee504204a3
Instruction Fuzzy Hash: 4C31E2302186054FD31A6F6C9C82239BBD1FB46320B9616E9D453872E2EF75AD429FD2

Function 02C461F0 Relevance: 13.6, APIs: 9, Instructions: 101timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02C4625A
timeGetTime.WINMM ref: 02C46288
WSASetLastError.WS2_32 ref: 02C462A9
LeaveCriticalSection.KERNEL32 ref: 02C462B3
timeGetTime.WINMM ref: 02C462CA
SetEvent.KERNEL32 ref: 02C46304
LeaveCriticalSection.KERNEL32 ref: 02C46316
LeaveCriticalSection.KERNEL32 ref: 02C46345
WSASetLastError.WS2_32 ref: 02C4636E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 9243fe9860c2d7fa6fe3e49f17d1100e496bc96adbcf19a71ea8e46669bffbd9
Instruction ID: eaf6e9198fb56e7b3467df495a795bdc69692eb370607785e17be06e4afd195a
Opcode Fuzzy Hash: 9243fe9860c2d7fa6fe3e49f17d1100e496bc96adbcf19a71ea8e46669bffbd9
Instruction Fuzzy Hash: C6414C722046808BEB309F26E44432FB765F789B58F640119DB9A83F68DF7CE695CB00

Function 00007FF7F8DF6240 Relevance: 13.6, APIs: 9, Instructions: 101timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF62AA
timeGetTime.WINMM ref: 00007FF7F8DF62D8
WSASetLastError.WS2_32 ref: 00007FF7F8DF62F9
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF6303
timeGetTime.WINMM ref: 00007FF7F8DF631A
SetEvent.KERNEL32 ref: 00007FF7F8DF6354
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF6366
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF6395
WSASetLastError.WS2_32 ref: 00007FF7F8DF63BE

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 1cc5bff3dd2912bbf840fa48739d8834fcdebc8cdae61fe5ead118e36bb8da40
Instruction ID: 1e7d96eb800a56fff2ac95c4b4d0daf6f5c290153cff650792606f617bfb77ea
Opcode Fuzzy Hash: 1cc5bff3dd2912bbf840fa48739d8834fcdebc8cdae61fe5ead118e36bb8da40
Instruction Fuzzy Hash: 77412122A0864187E770AB21E44013EF3A5FB98750F944535D7BE43AD9CF3CF489A798

Function 02C67E78 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C67EA1
_errno.LIBCMT ref: 02C67EAA
__doserrno.LIBCMT ref: 02C67F08
_errno.LIBCMT ref: 02C67F0F
_invalid_parameter_noinfo.LIBCMT ref: 02C67F73

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 5f53cfc1179e25de2a7bc686976dccc490792cdf04e3233ada5533c2cb284a6f
Instruction ID: e74eaa1ef48f74f8846ad6f1f1b4d24fa4ccd2df05c4ca93493b0b259521f290
Opcode Fuzzy Hash: 5f53cfc1179e25de2a7bc686976dccc490792cdf04e3233ada5533c2cb284a6f
Instruction Fuzzy Hash: B221FB723106D089D702AF65ACC873DB692EB80BA8F864915DE250B7D0CF79C489DB15

Function 02C460D0 Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02C460EA
TryEnterCriticalSection.KERNEL32 ref: 02C4610B
TryEnterCriticalSection.KERNEL32 ref: 02C4611D
SetLastError.KERNEL32 ref: 02C46136
LeaveCriticalSection.KERNEL32 ref: 02C46140
LeaveCriticalSection.KERNEL32 ref: 02C4614A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 48dac4b21eb6e7b5e3d8e5b91d253a18b64a32894f61ad1e43b8c3cea6ed7d97
Instruction ID: a597ed52bb9f1f3c7a23143935af27fa14e5e45dd24c4fac74d0b4d8fa0a2ba1
Opcode Fuzzy Hash: 48dac4b21eb6e7b5e3d8e5b91d253a18b64a32894f61ad1e43b8c3cea6ed7d97
Instruction Fuzzy Hash: 1E314F32A14640C7EB50DF39E84876E37A9FB85F4CF640025DA0B86A69DF39C98AC700

Function 00007FF7F8DF6120 Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF7F8DF613A
TryEnterCriticalSection.KERNEL32 ref: 00007FF7F8DF615B
TryEnterCriticalSection.KERNEL32 ref: 00007FF7F8DF616D
SetLastError.KERNEL32 ref: 00007FF7F8DF6186
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF6190
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF619A

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 3a839ef8a6bf8d7d73b88de66420fd037dbe664b26c5089cd47badf1e2dfdb2a
Instruction ID: 210965376eda8d265dca7c492cfe8b4af41f7a15ca7f0032bf8a4ef3596ac979
Opcode Fuzzy Hash: 3a839ef8a6bf8d7d73b88de66420fd037dbe664b26c5089cd47badf1e2dfdb2a
Instruction Fuzzy Hash: 78317231A18502C6E750AF24E84416DF7A4FF49B48F904431DA3E866E9DF3DE84AE7A4

Function 02C4F3D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 02C4F44D
WriteFile.KERNEL32 ref: 02C4F47E
CloseHandle.KERNEL32 ref: 02C4F48B
lstrlenW.KERNEL32 ref: 02C4F496
wsprintfW.USER32 ref: 02C4F4BC

Strings

%s %s, xrefs: 02C4F4B5

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: File$CloseCreateHandleWritelstrlenwsprintf
String ID: %s %s
API String ID: 2369136734-2939940506
Opcode ID: 5ea41a88a58f2c7f305451d4300e81fe3f17e369e3a8f1804c932f848bbce38b
Instruction ID: 4e9154372e2e49658d62b26f8dcd0f957b8619973a670c7bdc357c8d1956fce0
Opcode Fuzzy Hash: 5ea41a88a58f2c7f305451d4300e81fe3f17e369e3a8f1804c932f848bbce38b
Instruction Fuzzy Hash: 83317C3220898596FB30CF21F858B9BB361F7C47A8F8451199A5E47EA8DF7CC649CB00

Function 02B166D1 Relevance: 12.2, APIs: 8, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B16718
_invalid_parameter_noinfo.LIBCMT ref: 02B16724
_errno.LIBCMT ref: 02B1676E
_errno.LIBCMT ref: 02B16779
_errno.LIBCMT ref: 02B167AB
_invalid_parameter_noinfo.LIBCMT ref: 02B167B5
_errno.LIBCMT ref: 02B1686A
_invalid_parameter_noinfo.LIBCMT ref: 02B16876

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 185926cb2a2ef340d032c909d3dd190048f826ac508436160d532d0de34cde17
Instruction ID: f9d6c52836014d4944b05e2a8ce9fe110887c2567a2054b4d9b56f03d0349b86
Opcode Fuzzy Hash: 185926cb2a2ef340d032c909d3dd190048f826ac508436160d532d0de34cde17
Instruction Fuzzy Hash: D551C230910A0A8FDB269F58C8847AE7BA5FF45329FA446EDD85AC7191DF34C481CB92

Function 02B12305 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B1231C
_invalid_parameter_noinfo.LIBCMT ref: 02B12327

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 90d7559ce3c1ba1b893ff1d7ffa023aeba0d0dc54084b470172c972e3218c3c4
Instruction ID: 969042abdec33a281d582d268e0608749298a91ee0470efc38c0c53a8fadf5ff
Opcode Fuzzy Hash: 90d7559ce3c1ba1b893ff1d7ffa023aeba0d0dc54084b470172c972e3218c3c4
Instruction Fuzzy Hash: 52410430614A5A4FDB18DF28D49232877E1FB4A318BA80799DD99C3591D724D482CBC2

Function 02C44A70 Relevance: 12.1, APIs: 8, Instructions: 120memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 02C44C70: EnterCriticalSection.KERNEL32 ref: 02C44C9E
Part of subcall function 02C44C70: LeaveCriticalSection.KERNEL32 ref: 02C44CF2

send.WS2_32 ref: 02C44AC3
EnterCriticalSection.KERNEL32 ref: 02C44AD7
LeaveCriticalSection.KERNEL32 ref: 02C44AEB
HeapFree.KERNEL32 ref: 02C44B67
WSAGetLastError.WS2_32 ref: 02C44BB4
EnterCriticalSection.KERNEL32 ref: 02C44BC8
LeaveCriticalSection.KERNEL32 ref: 02C44C16
HeapFree.KERNEL32 ref: 02C44C54

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: b90c38a7879365d68958e5b8cc995af9841d5b1ff57e083cd5719233021dd6a7
Instruction ID: 6dd69ca6714eff0c87afc167d032513ccfb29df263effaeccd9426badc3f2168
Opcode Fuzzy Hash: b90c38a7879365d68958e5b8cc995af9841d5b1ff57e083cd5719233021dd6a7
Instruction Fuzzy Hash: C3518D36204B808AE778CF26E4547AE77A1F788B98F644029CB4A47F54DF38D6A5C740

Function 00007FF7F8DF4AD0 Relevance: 12.1, APIs: 8, Instructions: 120memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DF4CD0: EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF4CFE
Part of subcall function 00007FF7F8DF4CD0: LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF4D52

send.WS2_32 ref: 00007FF7F8DF4B23
EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF4B37
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF4B4B
HeapFree.KERNEL32 ref: 00007FF7F8DF4BC7
WSAGetLastError.WS2_32 ref: 00007FF7F8DF4C14
EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF4C28
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF4C76
HeapFree.KERNEL32 ref: 00007FF7F8DF4CB4

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: c1be7f863ec74c84b7929cd5dfa0ec5487756cd30b1768cbd88e9af37da90106
Instruction ID: ae1dd436ee01482fa2b775f7688a5a585150fd7caa09ae57a85051cbdfa438ed
Opcode Fuzzy Hash: c1be7f863ec74c84b7929cd5dfa0ec5487756cd30b1768cbd88e9af37da90106
Instruction Fuzzy Hash: 33518032608A4186E764EF26D4403ADF3A1FF48B84F805035DB2E47B98DF38E599E394

Function 02C43F10 Relevance: 12.1, APIs: 8, Instructions: 106timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 02C43F72

Part of subcall function 02C41370: free.LIBCMT ref: 02C41390
Part of subcall function 02C41370: malloc.LIBCMT ref: 02C413BC

setsockopt.WS2_32 ref: 02C4400D
setsockopt.WS2_32 ref: 02C44037
ResetEvent.KERNEL32 ref: 02C44085
SetLastError.KERNEL32 ref: 02C440B0
GetLastError.KERNEL32 ref: 02C440C8

Part of subcall function 02C44D20: GetCurrentThreadId.KERNEL32 ref: 02C44D2D

SetLastError.KERNEL32 ref: 02C440DA

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateCurrentEventResetThreadTimerWaitablefreemalloc
String ID:
API String ID: 3356772049-0
Opcode ID: 0c4811832e00cbba20dc30ab256636ffacc8145d99394b55781261f507fde945
Instruction ID: 782f7993c8039685c38c0cae2a2f30815dfa443d2752eb585270f1470b5580da
Opcode Fuzzy Hash: 0c4811832e00cbba20dc30ab256636ffacc8145d99394b55781261f507fde945
Instruction Fuzzy Hash: 04415872204B809BE714CF2AE94875E77A1F788788F244129DB8987B90CF7ED169CF40

Function 02C62834 Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C6284B
_invalid_parameter_noinfo.LIBCMT ref: 02C62856

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ddf155117954088a0bb4e70bdf1f4365ac3464c973803e0f49b68c972f192fe3
Instruction ID: 67177008a52eb363ba2b1448761419d1d425d0c5db628896316136824b491626
Opcode Fuzzy Hash: ddf155117954088a0bb4e70bdf1f4365ac3464c973803e0f49b68c972f192fe3
Instruction Fuzzy Hash: 59312B3261464186DB248F3AD6CC37C37A0F7C5798F244615DFA987B90CB38C5A2DB46

Function 02C45400 Relevance: 12.1, APIs: 8, Instructions: 82networksleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 02C45430
timeGetTime.WINMM ref: 02C45456
GetCurrentThreadId.KERNEL32 ref: 02C45479
send.WS2_32 ref: 02C454BC
SetEvent.KERNEL32 ref: 02C454DA
WSACloseEvent.WS2_32 ref: 02C454F0
shutdown.WS2_32 ref: 02C45509
closesocket.WS2_32 ref: 02C45513

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Event$CloseCurrentSleepThreadTimeclosesocketsendshutdowntime
String ID:
API String ID: 929257074-0
Opcode ID: 6c1e56b6404b1df93eb3e627f74c895b445532c7761a8052013e281b186b1800
Instruction ID: cb10b5d7d4387ba55fc6b1702df666d854ae52022f73c96a5ba0916155b2732b
Opcode Fuzzy Hash: 6c1e56b6404b1df93eb3e627f74c895b445532c7761a8052013e281b186b1800
Instruction Fuzzy Hash: 8F31823261065087E7259F35F84872E7372F794FE9F981225EA6A4BA98CF34C885CB40

Function 00007FF7F8DF5460 Relevance: 12.1, APIs: 8, Instructions: 82networksleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF7F8DF5490
timeGetTime.WINMM ref: 00007FF7F8DF54B6
GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF54D9
send.WS2_32 ref: 00007FF7F8DF551C
SetEvent.KERNEL32 ref: 00007FF7F8DF553A
WSACloseEvent.WS2_32 ref: 00007FF7F8DF5550
shutdown.WS2_32 ref: 00007FF7F8DF5569
closesocket.WS2_32 ref: 00007FF7F8DF5573

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Event$CloseCurrentSleepThreadTimeclosesocketsendshutdowntime
String ID:
API String ID: 929257074-0
Opcode ID: e6689e71db0ff1669b26d14558efafb386105a6056d856fa6fa8066e84783edc
Instruction ID: a1f27d17d222e102ac8c2827a3ebff01eae65736a559b63d5c2c121ac190aa4f
Opcode Fuzzy Hash: e6689e71db0ff1669b26d14558efafb386105a6056d856fa6fa8066e84783edc
Instruction Fuzzy Hash: 5B314D32A14A5686E710AF25E84012CF372FF88F65F944231DA7E466D8CF3CD849E7A4

Function 02C44F40 Relevance: 12.1, APIs: 8, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 02C44F67
MsgWaitForMultipleObjects.USER32 ref: 02C44F98
PeekMessageW.USER32 ref: 02C44FB4
TranslateMessage.USER32 ref: 02C44FC5
DispatchMessageW.USER32 ref: 02C44FD0
PeekMessageW.USER32 ref: 02C44FEB
SetLastError.KERNEL32 ref: 02C45017
CloseHandle.KERNEL32 ref: 02C4502C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: d3b14ee8f2ed008a71182c7c102088909806aed2bf3454968681f8c368bda903
Instruction ID: ad954e182a867e67365b5d445f141253b5d852a84308e7b5224dcb98a56ced65
Opcode Fuzzy Hash: d3b14ee8f2ed008a71182c7c102088909806aed2bf3454968681f8c368bda903
Instruction Fuzzy Hash: DD216D36610A4183F7208F34E45CB2E73A1FBD4B48FA45629EB5A869B4DF39C549CB50

Function 00007FF7F8DF4E60 Relevance: 12.1, APIs: 8, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF4E85
ResetEvent.KERNEL32(?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF4E92
ResetEvent.KERNEL32(?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF4E9F
ResetEvent.KERNEL32(?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF4EAC
HeapFree.KERNEL32 ref: 00007FF7F8DF4F0F
HeapDestroy.KERNEL32(?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF4F2F
HeapCreate.KERNEL32(?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF4F49
SetEvent.KERNEL32 ref: 00007FF7F8DF4F7D

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Event$HeapReset$CreateCriticalDestroyEnterFreeSection
String ID:
API String ID: 1658878062-0
Opcode ID: b8e90da5e81a1c5bd4b7ea335600b5e9df7185687b6b9f4d8d1a246453650ad8
Instruction ID: aeae14fadf4f7b8edf6ad2594a63a27ed9170a8c9344f94717c706de83ab05b5
Opcode Fuzzy Hash: b8e90da5e81a1c5bd4b7ea335600b5e9df7185687b6b9f4d8d1a246453650ad8
Instruction Fuzzy Hash: 5131F932604A91E2E748EB21D9402ADF364FF48B80F904536DB7E43695CF38A5B9E794

Function 00007FF7F8DF4FA0 Relevance: 12.1, APIs: 8, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF7F8DF4FC7
MsgWaitForMultipleObjects.USER32 ref: 00007FF7F8DF4FF8
PeekMessageW.USER32 ref: 00007FF7F8DF5014
TranslateMessage.USER32 ref: 00007FF7F8DF5025
DispatchMessageW.USER32 ref: 00007FF7F8DF5030
PeekMessageW.USER32 ref: 00007FF7F8DF504B
SetLastError.KERNEL32 ref: 00007FF7F8DF5077
CloseHandle.KERNEL32 ref: 00007FF7F8DF508C

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: 446e21ef8d1e23cb48fe62aa3044cfdae947c01fbde446d7c73040613798d1b3
Instruction ID: f31a6746855c1beb494e4427a58f9819f6c27ba461ce647b3ce390eafebfe1be
Opcode Fuzzy Hash: 446e21ef8d1e23cb48fe62aa3044cfdae947c01fbde446d7c73040613798d1b3
Instruction Fuzzy Hash: 4A21C531B1495282F750AF34E854B39F2A0FF88704F905535DA7E425E8DF3CD849E698

Function 02C62BD4 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 02C62BFB

Part of subcall function 02C5C13C: _set_error_mode.LIBCMT ref: 02C5C145
Part of subcall function 02C5C13C: _set_error_mode.LIBCMT ref: 02C5C154

Part of subcall function 02C5BEDC: _set_error_mode.LIBCMT ref: 02C5BF21
Part of subcall function 02C5BEDC: _set_error_mode.LIBCMT ref: 02C5BF32
Part of subcall function 02C5BEDC: GetModuleFileNameW.KERNEL32 ref: 02C5BF94

Part of subcall function 02C5BB48: ExitProcess.KERNEL32 ref: 02C5BB57

Part of subcall function 02C5A7E0: malloc.LIBCMT ref: 02C5A80B
Part of subcall function 02C5A7E0: Sleep.KERNEL32 ref: 02C5A81E

_errno.LIBCMT ref: 02C62C3D
_lock.LIBCMT ref: 02C62C51
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 02C62C67
free.LIBCMT ref: 02C62C74
_errno.LIBCMT ref: 02C62C79
LeaveCriticalSection.KERNEL32 ref: 02C62C9C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: 33667054d2d382180aecc97be551a92e30174e25f3312452b72f7abc52412f6f
Instruction ID: fa5184404295c2d8f62c76f16f60dcb68e05379bfbe4249bbc9f051dd4d5861c
Opcode Fuzzy Hash: 33667054d2d382180aecc97be551a92e30174e25f3312452b72f7abc52412f6f
Instruction Fuzzy Hash: A5217C31615A9096F725AB61E89C73E6367FB857C4F444528CE4B4BB84CF7CC880DB16

Function 00007FF7F8DFD8F0 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF7F8DFD917

Part of subcall function 00007FF7F8DFA56C: _set_error_mode.LIBCMT ref: 00007FF7F8DFA575
Part of subcall function 00007FF7F8DFA56C: _set_error_mode.LIBCMT ref: 00007FF7F8DFA584

Part of subcall function 00007FF7F8DFA30C: _set_error_mode.LIBCMT ref: 00007FF7F8DFA351
Part of subcall function 00007FF7F8DFA30C: _set_error_mode.LIBCMT ref: 00007FF7F8DFA362
Part of subcall function 00007FF7F8DFA30C: GetModuleFileNameW.KERNEL32 ref: 00007FF7F8DFA3C4

Part of subcall function 00007FF7F8DF9F5C: ExitProcess.KERNEL32 ref: 00007FF7F8DF9F6B

Part of subcall function 00007FF7F8DFC020: malloc.LIBCMT ref: 00007FF7F8DFC04B
Part of subcall function 00007FF7F8DFC020: Sleep.KERNEL32(?,?,ceil,00007FF7F8DFD951,?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951,?,?,00000000,00007FF7F8DFBA08), ref: 00007FF7F8DFC05E

_errno.LIBCMT ref: 00007FF7F8DFD959
_lock.LIBCMT ref: 00007FF7F8DFD96D
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951,?,?,00000000,00007FF7F8DFBA08,?,?,?,00007FF7F8DF938D), ref: 00007FF7F8DFD983
free.LIBCMT ref: 00007FF7F8DFD990
_errno.LIBCMT ref: 00007FF7F8DFD995
LeaveCriticalSection.KERNEL32(?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951,?,?,00000000,00007FF7F8DFBA08,?,?,?,00007FF7F8DF938D), ref: 00007FF7F8DFD9B8

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: 1cf7f058a8983c64bfdf0fb23590526f2e0664be90d8ed4957796866281ab8dc
Instruction ID: 0026f92163886604212553210f6062e19e6a876d6189917a5fc2090abe0dc7d2
Opcode Fuzzy Hash: 1cf7f058a8983c64bfdf0fb23590526f2e0664be90d8ed4957796866281ab8dc
Instruction Fuzzy Hash: AB214121E1D64281F754BB90A40477EE260AF88758F844434E5BE866CECF3CE448B7E9

Function 02B09E21 Relevance: 11.6, APIs: 9, Instructions: 379COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02B0A110
free.LIBCMT ref: 02B0A120
free.LIBCMT ref: 02B0A130
free.LIBCMT ref: 02B0A13C
free.LIBCMT ref: 02B0A191
free.LIBCMT ref: 02B0A199
free.LIBCMT ref: 02B0A1A1
free.LIBCMT ref: 02B0A1A9
free.LIBCMT ref: 02B0A1B3

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b5fb49aade42dab13695008c08efaa2d362d7f19c4323bfb84cd0e511f7debe0
Instruction ID: bf5d35686146695de2fca20bc9eeb8ef9c9740b77e8bab9c829571745fc97c15
Opcode Fuzzy Hash: b5fb49aade42dab13695008c08efaa2d362d7f19c4323bfb84cd0e511f7debe0
Instruction Fuzzy Hash: 31C1D330618B488FC71ADF28D4947A9BBE1FB59304F5046AEE59AC72D2DF35D881CB81

Function 02C42360 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02C42576
malloc.LIBCMT ref: 02C4265D

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

Strings

input probe, xrefs: 02C426D5
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 02C425D1
input wins: %lu, xrefs: 02C426FE
input psh: sn=%lu ts=%lu, xrefs: 02C4260E
[RI] %d bytes, xrefs: 02C4239A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: 750ebd41106a62b2082671337faf29e5c6b948eda958e7ceff3e7b47e59073a6
Instruction ID: fa0b99a7b4a44f2b2d8625b59ee243fe94623d8614d098d6d1773612d4f2b57b
Opcode Fuzzy Hash: 750ebd41106a62b2082671337faf29e5c6b948eda958e7ceff3e7b47e59073a6
Instruction Fuzzy Hash: 09D1AF72A046808BD734CF29E451B6FBBA1F784B88F188015EF9A83B54DF78D581CB52

Function 00007FF7F8DF2390 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F8DF25A6
malloc.LIBCMT ref: 00007FF7F8DF268D

Part of subcall function 00007FF7F8DF9070: _FF_MSGBANNER.LIBCMT ref: 00007FF7F8DF90A0
Part of subcall function 00007FF7F8DF9070: HeapAlloc.KERNEL32(?,?,0001939100000000,00007FF7F8DFC050,?,?,ceil,00007FF7F8DFD951,?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DF90C5
Part of subcall function 00007FF7F8DF9070: _callnewh.LIBCMT ref: 00007FF7F8DF90DE
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90E9
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90F4

Strings

input psh: sn=%lu ts=%lu, xrefs: 00007FF7F8DF263E
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 00007FF7F8DF2601
[RI] %d bytes, xrefs: 00007FF7F8DF23CA
input probe, xrefs: 00007FF7F8DF2705
input wins: %lu, xrefs: 00007FF7F8DF272E

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: dda5b54ef822ff448da02969afc54e1d0890a7d0193f906d4744a84604512da3
Instruction ID: 83256429ec3996357a0fc28d70d137da1a193816e809c13ddea4da69db365b59
Opcode Fuzzy Hash: dda5b54ef822ff448da02969afc54e1d0890a7d0193f906d4744a84604512da3
Instruction Fuzzy Hash: 26E1BA72A086824AE7749B25E41066AFBA1FF48744F944031DBBD437C9DF3CE845EBA4

Function 02C655B8 Relevance: 10.8, APIs: 7, Instructions: 305COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02C6563C
free.LIBCMT ref: 02C65661
free.LIBCMT ref: 02C65A26
free.LIBCMT ref: 02C65A32

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2545b9cca8e253d8dc5762f349c41804750cab19d6113a61705cd40064087c66
Instruction ID: 4a555bb186704567a04891cbaabe318ea61b4f52810b1e602733e438e11fe601
Opcode Fuzzy Hash: 2545b9cca8e253d8dc5762f349c41804750cab19d6113a61705cd40064087c66
Instruction Fuzzy Hash: 66C14032704B5189DB20DF62E484AEE77A5F799788F804926DE8D87B14EF78C246CB44

Function 00007FF7F8DFD3CC Relevance: 10.7, APIs: 7, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF7F8DFD3ED

Part of subcall function 00007FF7F8DFC0A0: Sleep.KERNEL32(?,?,ceil,00007FF7F8DFB9E3,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DFC0E5

GetFileType.KERNEL32 ref: 00007FF7F8DFD558
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7F8DFD596

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID:
API String ID: 3473179607-0
Opcode ID: eff7a9d518b47b5a0bc449bc8e70df270870fd33741806fcd9b591f6a57ce8e5
Instruction ID: ea69d1bce20c6f3604a067958b8492dfad2419468d73f04a63205da82e19290a
Opcode Fuzzy Hash: eff7a9d518b47b5a0bc449bc8e70df270870fd33741806fcd9b591f6a57ce8e5
Instruction Fuzzy Hash: 6081B222A09A8685EB14AF14D444328F360EF09B78F944334DA7E873D4DF3CE459E3A8

Function 02C443D0 Relevance: 10.7, APIs: 7, Instructions: 154threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02C44400
SetWaitableTimer.KERNEL32 ref: 02C44442
WSAWaitForMultipleEvents.WS2_32 ref: 02C444EC
SetLastError.KERNEL32 ref: 02C44597
GetLastError.KERNEL32 ref: 02C4459D
WSAGetLastError.WS2_32 ref: 02C445CA
GetCurrentThreadId.KERNEL32 ref: 02C445FF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: beb139878c52618ef897b8691ffbca13a1492810dcd6d59fbe55f6b96b8c9a26
Instruction ID: 6a8c93679b09f8678b249f9d716d308e0061743d8afe01c815574714e8f6a3ae
Opcode Fuzzy Hash: beb139878c52618ef897b8691ffbca13a1492810dcd6d59fbe55f6b96b8c9a26
Instruction Fuzzy Hash: 7E517E32200B8086EB389F35E85476E33A5F788B98F685626DF5A87B98DF35C540C710

Function 02B180D1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02B180EC

Part of subcall function 02B12459: _errno.LIBCMT ref: 02B12462
Part of subcall function 02B12459: _invalid_parameter_noinfo.LIBCMT ref: 02B1246D

_errno.LIBCMT ref: 02B180FC
_errno.LIBCMT ref: 02B1811A
_isatty.LIBCMT ref: 02B1817B
_getbuf.LIBCMT ref: 02B18187

Strings

, xrefs: 02B18107

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-3916222277
Opcode ID: 9cfdfbc458954deeb4a0b404a564ae95b52451a34d067603e47cbed6cac4525b
Instruction ID: 037c74d29e1def5e8f42638bb6f1ab1cfd291219ab8025aa78a49e7605550b1e
Opcode Fuzzy Hash: 9cfdfbc458954deeb4a0b404a564ae95b52451a34d067603e47cbed6cac4525b
Instruction Fuzzy Hash: 2D411331114A088FEB19EF2CC8C236A77E1FB49314BA846D9D856CB295D774C8A2CBC1

Function 02C4DC1E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

Part of subcall function 02C55378: _callnewh.LIBCMT ref: 02C55386
Part of subcall function 02C55378: std::exception::exception.LIBCMT ref: 02C553FF

RegCreateKeyW.ADVAPI32 ref: 02C4DD64
RegDeleteValueW.ADVAPI32 ref: 02C4DDA8
RegSetValueExW.ADVAPI32 ref: 02C4DDC8
RegCloseKey.ADVAPI32 ref: 02C4DDDF
CloseHandle.KERNEL32 ref: 02C4E673

Strings

Console\1, xrefs: 02C4DD56

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseValue$CreateDeleteHandle_callnewhmallocstd::exception::exception
String ID: Console\1
API String ID: 2917754286-1035756066
Opcode ID: 2219b0c576fd3e4d0e08784fb7636a5387038700b04224bb1bd2999f53d07214
Instruction ID: f351130ce9af246e3b131741d9024cd65d1a135b94cb9d66f1097bdf088729a9
Opcode Fuzzy Hash: 2219b0c576fd3e4d0e08784fb7636a5387038700b04224bb1bd2999f53d07214
Instruction Fuzzy Hash: 13519C36305B9086EB58DF22F858BAE73A9F789B94F4101299E4E47B54DF38C190CB49

Function 02C68600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02C6861B

Part of subcall function 02C62988: _errno.LIBCMT ref: 02C62991
Part of subcall function 02C62988: _invalid_parameter_noinfo.LIBCMT ref: 02C6299C

_errno.LIBCMT ref: 02C6862B
_errno.LIBCMT ref: 02C68649
_isatty.LIBCMT ref: 02C686AA
_getbuf.LIBCMT ref: 02C686B6

Strings

, xrefs: 02C68636

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-3916222277
Opcode ID: e332a1d343aa96d4712a9f575034e96bbd1a86f49911222e96935b0e9a9d528d
Instruction ID: f2a02f9fa93e7da4dabe6e95ac9027f7f8c6748f3be44ff6269e55dd5aac41f8
Opcode Fuzzy Hash: e332a1d343aa96d4712a9f575034e96bbd1a86f49911222e96935b0e9a9d528d
Instruction Fuzzy Hash: 6A41D272600B4086DB289F29D4C933D77A1EBC4FA8F144325DB69473D8EB79C599CB81

Function 02B07871 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B07898
_invalid_parameter_noinfo.LIBCMT ref: 02B078A3
_fileno.LIBCMT ref: 02B078C6
_errno.LIBCMT ref: 02B07936
_invalid_parameter_noinfo.LIBCMT ref: 02B07941

Strings

@, xrefs: 02B078B9

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno
String ID: @
API String ID: 3947385824-2766056989
Opcode ID: 6f8e169bf0c238c0896c732fd30432087507e8190a6d38f4576da17dd70d7c1e
Instruction ID: aeec9fab672e0b9a0c04191ed2dd69b158fa81df7f02f1b906c165eaeee7a0f1
Opcode Fuzzy Hash: 6f8e169bf0c238c0896c732fd30432087507e8190a6d38f4576da17dd70d7c1e
Instruction Fuzzy Hash: B6312530614E494F976ADB2C8CC4335FA92FB8933476847EDD52AC31E5CF34A8429781

Function 02B0776D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B0778D
_invalid_parameter_noinfo.LIBCMT ref: 02B07798
_fileno.LIBCMT ref: 02B077B8
_errno.LIBCMT ref: 02B07828
_invalid_parameter_noinfo.LIBCMT ref: 02B07833

Strings

@, xrefs: 02B077AB

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno
String ID: @
API String ID: 3947385824-2766056989
Opcode ID: 0171350d7c42b833be816d31522f34c7348a87f46c9bfcf9d0117abcfaf58286
Instruction ID: 230e52eb59d29c851232edd9b7aca40150e3845e874eed569edc0d2ab68f8b24
Opcode Fuzzy Hash: 0171350d7c42b833be816d31522f34c7348a87f46c9bfcf9d0117abcfaf58286
Instruction Fuzzy Hash: 8C21F130210E490EDB2AAB288CD4379BA91EB8533975407EDC82AC61E1DF78B442D685

Function 02C5BCDC Relevance: 10.6, APIs: 7, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 02C5BD05

Part of subcall function 02C62CBC: _amsg_exit.LIBCMT ref: 02C62CE6

DecodePointer.KERNEL32 ref: 02C5BD38
DecodePointer.KERNEL32 ref: 02C5BD56
DecodePointer.KERNEL32 ref: 02C5BD96
DecodePointer.KERNEL32 ref: 02C5BDB0
DecodePointer.KERNEL32 ref: 02C5BDC0
ExitProcess.KERNEL32 ref: 02C5BE4C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: 996cd0f5924440a7e34d656a764d071a0c653d38d32bb3c9cf5966984726c4a8
Instruction ID: eaad4379fc4c2c0200dd5ed6a4555afe0b1094b223f4aaba98970e5cd98a3900
Opcode Fuzzy Hash: 996cd0f5924440a7e34d656a764d071a0c653d38d32bb3c9cf5966984726c4a8
Instruction Fuzzy Hash: 6C319E31216B6182E714DF12F88871DBAA5F788BC8F145029EE8E43B28EF78C895C705

Function 00007FF7F8DF3EF0 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DF40A0: CreateWaitableTimerW.KERNEL32(?,?,?,00007FF7F8DF3F50), ref: 00007FF7F8DF40B9
Part of subcall function 00007FF7F8DF40A0: free.LIBCMT ref: 00007FF7F8DF40F6
Part of subcall function 00007FF7F8DF40A0: malloc.LIBCMT ref: 00007FF7F8DF4131

setsockopt.WS2_32 ref: 00007FF7F8DF3FB6
setsockopt.WS2_32 ref: 00007FF7F8DF3FE0
ResetEvent.KERNEL32 ref: 00007FF7F8DF402E
SetLastError.KERNEL32 ref: 00007FF7F8DF4059
GetLastError.KERNEL32 ref: 00007FF7F8DF4071

Part of subcall function 00007FF7F8DF4D80: GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF4D8D

SetLastError.KERNEL32 ref: 00007FF7F8DF4083

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateCurrentEventResetThreadTimerWaitablefreemalloc
String ID:
API String ID: 3356772049-0
Opcode ID: 73a169a4cf32f37848a49fcc32154ae59d27d63d7761706b7a505c6040b8b509
Instruction ID: 4d1f477ea56542a97c68b6cff422934d3289c653fa06f03bb09fd960bc65252a
Opcode Fuzzy Hash: 73a169a4cf32f37848a49fcc32154ae59d27d63d7761706b7a505c6040b8b509
Instruction Fuzzy Hash: 68419D32A08A4287E710AF15E904369F7A0FF48748F504035DBAD47BD4CF7EE069AB98

Function 02C5708C Relevance: 10.6, APIs: 7, Instructions: 93threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02C5BA94: HeapCreate.KERNEL32 ref: 02C5BAAA
Part of subcall function 02C5BA94: GetVersion.KERNEL32 ref: 02C5BABC
Part of subcall function 02C5BA94: HeapSetInformation.KERNEL32 ref: 02C5BADA

_RTC_Initialize.LIBCMT ref: 02C570BE
GetCommandLineA.KERNEL32 ref: 02C570C3

Part of subcall function 02C623B0: GetEnvironmentStringsW.KERNEL32 ref: 02C623C9
Part of subcall function 02C623B0: WideCharToMultiByte.KERNEL32 ref: 02C62420
Part of subcall function 02C623B0: WideCharToMultiByte.KERNEL32 ref: 02C6245B
Part of subcall function 02C623B0: free.LIBCMT ref: 02C62468
Part of subcall function 02C623B0: FreeEnvironmentStringsW.KERNEL32 ref: 02C62473

Part of subcall function 02C61C70: GetStartupInfoW.KERNEL32 ref: 02C61C91

__setargv.LIBCMT ref: 02C570EC
_cinit.LIBCMT ref: 02C57100

Part of subcall function 02C5DE2C: FlsFree.KERNEL32 ref: 02C5DE3B
Part of subcall function 02C5DE2C: DeleteCriticalSection.KERNEL32 ref: 02C62B67
Part of subcall function 02C5DE2C: free.LIBCMT ref: 02C62B70
Part of subcall function 02C5DE2C: DeleteCriticalSection.KERNEL32 ref: 02C62B97

Part of subcall function 02C61F44: free.LIBCMT ref: 02C61F95

Part of subcall function 02C5A860: Sleep.KERNEL32 ref: 02C5A8A5

FlsSetValue.KERNEL32 ref: 02C5719A
GetCurrentThreadId.KERNEL32 ref: 02C571AE
free.LIBCMT ref: 02C571BD

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 125979975-0
Opcode ID: 1b780d2af2d2b08c57e81dbe5f9cf27f7226efad3fa970d95da47f5686e96d3e
Instruction ID: aeb347f5d99fe3d88d5002f29964268b400bdd4ee49447156ead0f92aa23d35b
Opcode Fuzzy Hash: 1b780d2af2d2b08c57e81dbe5f9cf27f7226efad3fa970d95da47f5686e96d3e
Instruction Fuzzy Hash: B531C13020062389FF287B725D4873FA1979FD0799F148179CC1A85288FF78C1C9AA6E

Function 02B13505 Relevance: 10.6, APIs: 7, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02B13528
_errno.LIBCMT ref: 02B13530

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: b5d223d6e4ffccfbcd201f7a0761cd938b5c4eca7635fc9e2c5005e5e5a0520b
Instruction ID: 8cade2cd1d613bd534436d61505cb28323abbbebf3d79c2ef459e82793bc880f
Opcode Fuzzy Hash: b5d223d6e4ffccfbcd201f7a0761cd938b5c4eca7635fc9e2c5005e5e5a0520b
Instruction Fuzzy Hash: D1213A70218B044FE3296F58DCC277D77C2FB45321F9602C9D406872E6EBA85C418FA2

Function 02B12F31 Relevance: 10.6, APIs: 7, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02B12F54
_errno.LIBCMT ref: 02B12F5C

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: c2676e3cf64facfb2aa860a723b5514dfb9e7683b0f68bc71060f84faa0d350e
Instruction ID: 44cb770c59d2cfd5736e19077e2a0906cc8f31cbb22f92291e8e79e830f7a78a
Opcode Fuzzy Hash: c2676e3cf64facfb2aa860a723b5514dfb9e7683b0f68bc71060f84faa0d350e
Instruction Fuzzy Hash: 4C2129316087044FE31A6F58ECC677D7BC1EB45320F9202DDD846872E1DBA85C828BA2

Function 02C57DA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C57DC7
_invalid_parameter_noinfo.LIBCMT ref: 02C57DD2
_fileno.LIBCMT ref: 02C57DF5
_errno.LIBCMT ref: 02C57E65
_invalid_parameter_noinfo.LIBCMT ref: 02C57E70

Strings

@, xrefs: 02C57DE8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno
String ID: @
API String ID: 3947385824-2766056989
Opcode ID: af564db91ba97d0b77235dee38384f54ac06b36b1a5ed8721de6b5247343fed1
Instruction ID: eb64a57a2d21c4cbd45841bc36131ff24fc377962995d80f97f4a1641af3a324
Opcode Fuzzy Hash: af564db91ba97d0b77235dee38384f54ac06b36b1a5ed8721de6b5247343fed1
Instruction Fuzzy Hash: 84214BA2200BD145DF198B399C4433CA252ABD5BA4F945612CE398B3D4DF7CC9C9C308

Function 02C4FAF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 02C4FB00
GetFileAttributesW.KERNEL32 ref: 02C4FB8A
GetLastError.KERNEL32 ref: 02C4FB95
CreateProcessW.KERNEL32 ref: 02C4FBFA

Strings

h, xrefs: 02C4FBF2
WinSta0\Default, xrefs: 02C4FBB0

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 32a352b419bde3d174141e61f84ad47ef660ce78bc64c5ffb13d4ce8ad96e1b3
Instruction ID: 2f97d4c989afe0bd057825e5375ba5748a0e5fe6eaef19ba6fc84f654dbc96bd
Opcode Fuzzy Hash: 32a352b419bde3d174141e61f84ad47ef660ce78bc64c5ffb13d4ce8ad96e1b3
Instruction Fuzzy Hash: 2F31A031604A8186DB709B25F90436EA3A2EB887E4F444235DE6A87F98EF3CC1958B00

Function 02C57C9C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C57CBC
_invalid_parameter_noinfo.LIBCMT ref: 02C57CC7
_fileno.LIBCMT ref: 02C57CE7
_errno.LIBCMT ref: 02C57D57
_invalid_parameter_noinfo.LIBCMT ref: 02C57D62

Strings

@, xrefs: 02C57CDA

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno
String ID: @
API String ID: 3947385824-2766056989
Opcode ID: a29fee2f15fe2de611211933ed3ced769d455d1257d9a970644a691804d751dc
Instruction ID: 9dba7ebe7e4e83957018f59eb95247b7cbb12ee338eaa99f5c9720cb6ea40c1f
Opcode Fuzzy Hash: a29fee2f15fe2de611211933ed3ced769d455d1257d9a970644a691804d751dc
Instruction Fuzzy Hash: 70214862200A5541DF199B79DC9433CA251ABC0BB8F655722CE3E872E4DF3CC1CAC709

Function 02B0C299 Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B0C2BD
_errno.LIBCMT ref: 02B0C2D6
write_char.LIBCMT ref: 02B0C2EB
_errno.LIBCMT ref: 02B0C2F8
write_char.LIBCMT ref: 02B0C30A
_errno.LIBCMT ref: 02B0C313
_errno.LIBCMT ref: 02B0C31D

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 960bcc47fac011a08067f3ad3f34acb8a7cf011e8191a2933aabe902673afc03
Instruction ID: e5d294afef902cf820e2b5111f170d10eba1565025c0d2e754d87182aa2156a7
Opcode Fuzzy Hash: 960bcc47fac011a08067f3ad3f34acb8a7cf011e8191a2933aabe902673afc03
Instruction Fuzzy Hash: B8119031518B488FDBA2AF5884817293FE1FB5D315F218ADAE499C72A1D370D881CFC6

Function 02B10955 Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B10979
_errno.LIBCMT ref: 02B10992
write_char.LIBCMT ref: 02B109A8
_errno.LIBCMT ref: 02B109B6
write_char.LIBCMT ref: 02B109CB
_errno.LIBCMT ref: 02B109D4
_errno.LIBCMT ref: 02B109DE

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 6f4c3c135e9c5e38bb5c812a90604d286b4a055adc1bb04f68a66392661a6eb9
Instruction ID: 2694548468e5ee7d41c612106891ba7b09c9d3a16dfcb5130aad5f29127573ab
Opcode Fuzzy Hash: 6f4c3c135e9c5e38bb5c812a90604d286b4a055adc1bb04f68a66392661a6eb9
Instruction Fuzzy Hash: A1119D30508A188FEB61BB5C848172937E0FB68364F9048DAD949C72A9E77498C1CB82

Function 02C4A220 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C4A274
std::exception::exception.LIBCMT ref: 02C4A2C0
std::exception::exception.LIBCMT ref: 02C4A308

Part of subcall function 02C5733C: RaiseException.KERNEL32 ref: 02C573B7

Strings

ios_base::failbit set, xrefs: 02C4A2B5
ios_base::badbit set, xrefs: 02C4A269
ios_base::eofbit set, xrefs: 02C4A2FD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: std::exception::exception$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 127205192-1866435925
Opcode ID: d53289f82b987d99488ffd486f5e8e9424002f469d181d04e2350c7ea1fe77c1
Instruction ID: e485f81edd9cf9380882d9afd89f6cc0b4417f6e61df45fc69ce5e2970278df6
Opcode Fuzzy Hash: d53289f82b987d99488ffd486f5e8e9424002f469d181d04e2350c7ea1fe77c1
Instruction Fuzzy Hash: 3F31F532A01B2599EB14DBA0E8947DD33B5F744348FA4092ADE5E57A28EF70C25AC780

Function 02B136A5 Relevance: 10.6, APIs: 7, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02B136BE
_errno.LIBCMT ref: 02B136C6
_close_nolock.LIBCMT ref: 02B1371D

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 7d441f806a54c2e3723683bbf3a3878f772776a14d6aadf4dddf8fd5452c1492
Instruction ID: b59859dc66567812ffe9d6b66add7326659d936146ea53e1baf27a05a4556693
Opcode Fuzzy Hash: 7d441f806a54c2e3723683bbf3a3878f772776a14d6aadf4dddf8fd5452c1492
Instruction Fuzzy Hash: 9D112671209A404FD3197F64D8D172DBAD2FF45325FA20AECD05A872E1EFB888408F52

Function 02C63460 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C63483
_errno.LIBCMT ref: 02C6348B

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 18e84dbfee4e45401bde94adaa049da0b512f4016e2074da3143f09c66c3302d
Instruction ID: 45b0395880b7686bd7301e2f8596cc2b6ac8ce9b855e52d6ecad3c96f0f1eb6e
Opcode Fuzzy Hash: 18e84dbfee4e45401bde94adaa049da0b512f4016e2074da3143f09c66c3302d
Instruction Fuzzy Hash: A511D3723106D046D7066F25DC8C73DBA52AB81FA6F8A4245DE250B7D0CF78C881DB29

Function 00007FF7F8DFE920 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7F8DFE943
_errno.LIBCMT ref: 00007FF7F8DFE94B

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 5a090e99aeee2951a657be0a8c4efb463e857be8daee4d60eaed3aa4b73c4070
Instruction ID: 036fdbe7eedff73ebe94e28be705e21401fb86de5017159de56c6ea6d67dc44e
Opcode Fuzzy Hash: 5a090e99aeee2951a657be0a8c4efb463e857be8daee4d60eaed3aa4b73c4070
Instruction Fuzzy Hash: B3212222E1854241F7517BA598493BDE5516FC8769F8A4135EA3C0B3CACE7CA444B3F8

Function 00007FF7F8DFE0DC Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7F8DFE0FF
_errno.LIBCMT ref: 00007FF7F8DFE107

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f4454937c5e5bbaa0e9d0a0c22758e5a6eeff2523f96aab8d469512271315ee2
Instruction ID: 5598e59bf876ef87e6534c18f66620812ca3c242837aa8c87596ffd93d0ee003
Opcode Fuzzy Hash: f4454937c5e5bbaa0e9d0a0c22758e5a6eeff2523f96aab8d469512271315ee2
Instruction Fuzzy Hash: 5221C132B1854241FB457B6698052BDE5515FC8BB9F8A4335EA3D0B3DACE3CA444B3B8

Function 02C63A34 Relevance: 10.6, APIs: 7, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C63A57
_errno.LIBCMT ref: 02C63A5F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 86a5edae899ae3c1e95562a3141e97825a2d4e34b8035855c9b3c82b72936b35
Instruction ID: 24a653b759be57305971f2e1f9454c9345a9d2d7f905d3d8f3f717920f45d837
Opcode Fuzzy Hash: 86a5edae899ae3c1e95562a3141e97825a2d4e34b8035855c9b3c82b72936b35
Instruction Fuzzy Hash: 7411B4623106D045D6066F969D9833D7652AB80FB6F4A4749CE390B3D1CB7DC882EB28

Function 02C63540 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C63559
FlushFileBuffers.KERNEL32 ref: 02C635BC
GetLastError.KERNEL32 ref: 02C635C6
__doserrno.LIBCMT ref: 02C635D6
_errno.LIBCMT ref: 02C635DD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: 6cb1097625330db8c14f65dc00d311e544f89a42f5e59361ee9e46fa344e60e4
Instruction ID: 5caaf3ca2141d2a75cbb0c4a441fb28071a169a815c734caee0c90b2c19aada2
Opcode Fuzzy Hash: 6cb1097625330db8c14f65dc00d311e544f89a42f5e59361ee9e46fa344e60e4
Instruction Fuzzy Hash: 7D1108717047C046DB066F69ADCC73D6652ABC0F91F494669DE160B7D1DF78C481CB18

Function 00007FF7F8E013CC Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8E013E5
FlushFileBuffers.KERNEL32(?,00000000,00000000,00007FF7F8E00446,?,?,00000001,00007FF7F8E004EF,?,?,?,?,?,00007FF7F8DFEBA5), ref: 00007FF7F8E01448
GetLastError.KERNEL32(?,00000000,00000000,00007FF7F8E00446,?,?,00000001,00007FF7F8E004EF,?,?,?,?,?,00007FF7F8DFEBA5), ref: 00007FF7F8E01452
__doserrno.LIBCMT ref: 00007FF7F8E01462
_errno.LIBCMT ref: 00007FF7F8E01469

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: 17d30c8fc9599290ce3f70905f1a86dc7465141df05744b8eccb52f7b4e97e35
Instruction ID: 440be1e7543a8d49cac48928c10b46eaa80181156f8f6c94a6e34822449a6bbf
Opcode Fuzzy Hash: 17d30c8fc9599290ce3f70905f1a86dc7465141df05744b8eccb52f7b4e97e35
Instruction Fuzzy Hash: 8C21C521F0864285FB117FA5988427DE550AF80754F954538D63F0E2E6CE7CA844E3B8

Function 02C51EC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02C51EEF
GetWindowTextW.USER32 ref: 02C51F0C
lstrlenW.KERNEL32 ref: 02C51F46
GetLocalTime.KERNEL32 ref: 02C51F55
wsprintfW.USER32 ref: 02C51FA5

Part of subcall function 02C51E00: WaitForSingleObject.KERNEL32 ref: 02C51E17
Part of subcall function 02C51E00: CreateFileW.KERNEL32 ref: 02C51E49
Part of subcall function 02C51E00: SetFilePointer.KERNEL32 ref: 02C51E6E
Part of subcall function 02C51E00: lstrlenW.KERNEL32 ref: 02C51E77
Part of subcall function 02C51E00: WriteFile.KERNEL32 ref: 02C51E95
Part of subcall function 02C51E00: CloseHandle.KERNEL32 ref: 02C51E9E
Part of subcall function 02C51E00: ReleaseMutex.KERNEL32 ref: 02C51EAB

Strings

[, xrefs: 02C51F9E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: File$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 3163932117-4056885943
Opcode ID: bd11379160462120774f09f7b187f9a014c50a8c89d2790cda105e9129980a75
Instruction ID: 4bdc8986435c0d3837db2832f945bfeab7ac1d918eec5df6c382a805f9b006ee
Opcode Fuzzy Hash: bd11379160462120774f09f7b187f9a014c50a8c89d2790cda105e9129980a75
Instruction Fuzzy Hash: 53317C71218A51C2F710DF22F858B6EF3A5F784744F50802AE98E42A68EF7CC599CF90

Function 02C63BD4 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C63BED
_errno.LIBCMT ref: 02C63BF5
_close_nolock.LIBCMT ref: 02C63C4C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 338a92123b176fe84b8433c97561ad7ed6b063f42bea373834fe5852735bb2e8
Instruction ID: c9a7d59efe3a8286ae646ec277fae46d9931c28d1184d9e3487ab1935bf6f3b6
Opcode Fuzzy Hash: 338a92123b176fe84b8433c97561ad7ed6b063f42bea373834fe5852735bb2e8
Instruction Fuzzy Hash: B111E732710AC056D7056F269DCC33C6A53A781FA1F5A5769EA2A0B7D4CB78C8C1CB28

Function 00007FF7F8E01560 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7F8E01579
_errno.LIBCMT ref: 00007FF7F8E01581
_close_nolock.LIBCMT ref: 00007FF7F8E015D8

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: bda87b43c9d570eecaee3d7bd9474c424701c106e53aae398468428abc392862
Instruction ID: 802fed0c4fa3055a49f3d8f58e8705b7ddbf3ef15f1a7472d1c0502f08ed45c9
Opcode Fuzzy Hash: bda87b43c9d570eecaee3d7bd9474c424701c106e53aae398468428abc392862
Instruction Fuzzy Hash: 2C11D522E0858241F7057B65988927CE650AF84765FD94938E53F0F2CACE7CA440A3B8

Function 02C60E84 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C60EA8
_errno.LIBCMT ref: 02C60EC1
write_char.LIBCMT ref: 02C60ED7
_errno.LIBCMT ref: 02C60EE5
write_char.LIBCMT ref: 02C60EFA
_errno.LIBCMT ref: 02C60F03
_errno.LIBCMT ref: 02C60F0D

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 871f355d671030dc6432d9a23ab7b6e38f30107320b972de84d7d94d25281080
Instruction ID: 01f861e1eb8e57e93e667816a25392fa042406df735ed5f9acc1fbec4aa619c6
Opcode Fuzzy Hash: 871f355d671030dc6432d9a23ab7b6e38f30107320b972de84d7d94d25281080
Instruction Fuzzy Hash: 4B119A72520BE0CADB206F92948833976A1F794FD0F884025DF941B785CB78C581CB55

Function 02C5C7C8 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C5C7EC
_errno.LIBCMT ref: 02C5C805
write_char.LIBCMT ref: 02C5C81A
_errno.LIBCMT ref: 02C5C827
write_char.LIBCMT ref: 02C5C839
_errno.LIBCMT ref: 02C5C842
_errno.LIBCMT ref: 02C5C84C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 4e5a875947b43d510ab27010ab14576f87d5b69a94ba14807e221e2687d3d606
Instruction ID: b27578be5fdcc7d13d8b41b6962616a85d0e168c44a7f93841c898119dfbb885
Opcode Fuzzy Hash: 4e5a875947b43d510ab27010ab14576f87d5b69a94ba14807e221e2687d3d606
Instruction Fuzzy Hash: 9B119732410BA08AC7206B62D40032936A0FB98FD4F999016CFA40B745CB3CC6C1DB69

Function 00007FF7F8DFAC9C Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8DFACC0
_errno.LIBCMT ref: 00007FF7F8DFACD9
write_char.LIBCMT ref: 00007FF7F8DFACEE
_errno.LIBCMT ref: 00007FF7F8DFACFB
write_char.LIBCMT ref: 00007FF7F8DFAD0D
_errno.LIBCMT ref: 00007FF7F8DFAD16
_errno.LIBCMT ref: 00007FF7F8DFAD20

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: c1d3ccc9aad43bc67af73f482cb02ec735a242584822cbb9a96a93b359dba97b
Instruction ID: d40da5b1859e87c15ad4d93403d033c900a2d35f0364dfc7ca029d916d74ae12
Opcode Fuzzy Hash: c1d3ccc9aad43bc67af73f482cb02ec735a242584822cbb9a96a93b359dba97b
Instruction Fuzzy Hash: C5118426C0878186E7147B61940536DF6A0BFD8B98F958030DB78077CADE3CE855F7A5

Function 02C48BE0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 02C48C0B
GetCommandLineW.KERNEL32 ref: 02C48C11
GetStartupInfoW.KERNEL32 ref: 02C48C1F
CreateProcessW.KERNEL32 ref: 02C48C62
ExitProcess.KERNEL32 ref: 02C48C6B

Strings

, xrefs: 02C48C56

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: ee7650ada655a41ad3d8abafd2266b15cab2f850138d348df1a1cd45a91815c4
Instruction ID: 106aa7c3fb548dcdf33109a510c9377ef5f6ab7dc6d395e32528a2077167c8c1
Opcode Fuzzy Hash: ee7650ada655a41ad3d8abafd2266b15cab2f850138d348df1a1cd45a91815c4
Instruction Fuzzy Hash: 2701EC32218B8582EB608B64F89DB4EB7A4F784794F50552AE68E43F68DF7CC1498B00

Function 02C51E00 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 02C51E17
CreateFileW.KERNEL32 ref: 02C51E49
SetFilePointer.KERNEL32 ref: 02C51E6E
lstrlenW.KERNEL32 ref: 02C51E77
WriteFile.KERNEL32 ref: 02C51E95
CloseHandle.KERNEL32 ref: 02C51E9E
ReleaseMutex.KERNEL32 ref: 02C51EAB

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: e7892ef0c60a8620ab59d393f68777d807ece2b1662eb29eea33fc2896f8ec93
Instruction ID: 7d3c84da43799379a48f270b5e812027e08d63130e2337ccbd20c94cdf21d0d4
Opcode Fuzzy Hash: e7892ef0c60a8620ab59d393f68777d807ece2b1662eb29eea33fc2896f8ec93
Instruction Fuzzy Hash: 0A11F772218A4082F7108B62F95CB6E7760F788BB8F544214DA6A43FA4CFBCC5498B00

Function 02C4E67F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C4E6A6
RegDeleteValueW.ADVAPI32 ref: 02C4E6B7
RegSetValueExW.ADVAPI32 ref: 02C4E6DE
RegCloseKey.ADVAPI32 ref: 02C4E6E8

Strings

IpDatespecial, xrefs: 02C4E6B0, 02C4E6C1
Console, xrefs: 02C4E68A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: 1998c3c541e6b13509c0f1d0a8d7f92d98846318bf4c898897b1f07a1e6dd135
Instruction ID: 1bace6f2951a6460ce24f8b618d8bb28d798938640f0e7dd2067df0421dea9d5
Opcode Fuzzy Hash: 1998c3c541e6b13509c0f1d0a8d7f92d98846318bf4c898897b1f07a1e6dd135
Instruction Fuzzy Hash: AB012C7631AA40C6FB61CB25F858B9D3774F785BA8F405116CE9E03A94CF38C189CB44

Function 02B086E9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02B08708

Part of subcall function 02B121C9: _getptd.LIBCMT ref: 02B121CD

_getptd.LIBCMT ref: 02B0871A
_getptd.LIBCMT ref: 02B08728

Strings

MOC, xrefs: 02B086F8
RCC, xrefs: 02B086F0
csm, xrefs: 02B08700

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: c0c4974f66a59b65bac263467e6f357672968b2de2412f4b3a6b23e22f229d42
Instruction ID: 01139a159f199b143787d4667b621675abf3a1fe285c7b979d4eb823a9522fdb
Opcode Fuzzy Hash: c0c4974f66a59b65bac263467e6f357672968b2de2412f4b3a6b23e22f229d42
Instruction Fuzzy Hash: ACE01A34514206CEEB277BB980883A43EA1FF1830AF8A60E185548B2F4D7BC56D08E63

Function 02C58C18 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C58C37

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

Part of subcall function 02C626F8: _getptd.LIBCMT ref: 02C626FC

_getptd.LIBCMT ref: 02C58C49
_getptd.LIBCMT ref: 02C58C57

Strings

RCC, xrefs: 02C58C1F
csm, xrefs: 02C58C2F
MOC, xrefs: 02C58C27

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: e672e4323665b16ea60b3fb528af4179eb2c0c48703903788b3e2e50e937f095
Instruction ID: 6681058e4568344d3cd62666df817e1605df3d5e84e7995e7bdf673bc9f5a87e
Opcode Fuzzy Hash: e672e4323665b16ea60b3fb528af4179eb2c0c48703903788b3e2e50e937f095
Instruction Fuzzy Hash: 71E01A36912624CEC7292B6580443AC36A2F7D8B0AF86E6B58A454A324C7BDD6C49F16

Function 00007FF7F8E031A8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8E031C7

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

Part of subcall function 00007FF7F8DFDA94: _getptd.LIBCMT ref: 00007FF7F8DFDA98

_getptd.LIBCMT ref: 00007FF7F8E031D9
_getptd.LIBCMT ref: 00007FF7F8E031E7

Strings

RCC, xrefs: 00007FF7F8E031AF
MOC, xrefs: 00007FF7F8E031B7
csm, xrefs: 00007FF7F8E031BF

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
Instruction ID: 66fe3faa8aa634e28b8fbe637d6ec92f0a0b51348eeaa44ca88805a6087e74ba
Opcode Fuzzy Hash: d0c629851adb83669a1057044e1c73a61abea7eb16c4708499e842e3cc9a1464
Instruction Fuzzy Hash: 4DF0303990910289E7553B1580063B8F190EFAC707FC99974C6B9423C28FBD68C5AAAA

Function 02B0E8C1 Relevance: 9.2, APIs: 6, Instructions: 164COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02B0E8E0

Part of subcall function 02B0E4FD: _getptd.LIBCMT ref: 02B0E507

Part of subcall function 02B0A2B1: malloc.LIBCMT ref: 02B0A2DC

free.LIBCMT ref: 02B0E96B

Part of subcall function 02B04D51: _errno.LIBCMT ref: 02B04D71

_lock.LIBCMT ref: 02B0E99B
free.LIBCMT ref: 02B0EA3E
free.LIBCMT ref: 02B0EA6A
_errno.LIBCMT ref: 02B0EA6F

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno_getptd$_lockmalloc
String ID:
API String ID: 1369581901-0
Opcode ID: 52e10ac28cf1521ad55669061b4910638148c623c9a1a3d4419c5e910fa0e778
Instruction ID: 2ae8e1aa9c4c5724beb703bfd21b1d800f57e665c20f57c76aba141498a8798d
Opcode Fuzzy Hash: 52e10ac28cf1521ad55669061b4910638148c623c9a1a3d4419c5e910fa0e778
Instruction Fuzzy Hash: 7151D430A18A044FDB56EF6894C07697BE2FB9C314F1449EDC89AC72D2DB34D842CB82

Function 00007FF7F8DF55B0 Relevance: 9.2, APIs: 6, Instructions: 155memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF55D3
VirtualAlloc.KERNEL32 ref: 00007FF7F8DF5660
VirtualFree.KERNEL32 ref: 00007FF7F8DF56A2
VirtualAlloc.KERNEL32 ref: 00007FF7F8DF572F
VirtualFree.KERNEL32 ref: 00007FF7F8DF5771
GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF5833

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocCurrentFreeThread
String ID:
API String ID: 1155560630-0
Opcode ID: cd68a7855d9bff61e79928e65f9b1f850c339330868a212f2d92ce5f7b1a21b2
Instruction ID: 1726210e6cc23208d87a3d7f4b1ec38237a9a0171c42b8179d15dfb6f7995e7b
Opcode Fuzzy Hash: cd68a7855d9bff61e79928e65f9b1f850c339330868a212f2d92ce5f7b1a21b2
Instruction Fuzzy Hash: 3A719B32718A8197E75DAB25E540369F3A4FB48B80F804134EB7E87688DF38F165E794

Function 02AF1261 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 02AF1296
malloc.LIBCMT ref: 02AF1302

Part of subcall function 02B04D91: _FF_MSGBANNER.LIBCMT ref: 02B04DC1
Part of subcall function 02B04D91: _callnewh.LIBCMT ref: 02B04DFF
Part of subcall function 02B04D91: _errno.LIBCMT ref: 02B04E0A
Part of subcall function 02B04D91: _errno.LIBCMT ref: 02B04E15

free.LIBCMT ref: 02AF132B

Part of subcall function 02B04D51: _errno.LIBCMT ref: 02B04D71

Strings

d, xrefs: 02AF13D6
d, xrefs: 02AF13A2
d, xrefs: 02AF13AC

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$malloc$_callnewhfree
String ID: d$d$d
API String ID: 1789327305-1898527202
Opcode ID: 70b3e7089cd65712a9534c09ee8e6c2d3456621b9bb361a7b1ae5f1627f20bce
Instruction ID: 8ff3793feff5287dfc3e917a8e113632915e57d95365f0c214492b0fdd684185
Opcode Fuzzy Hash: 70b3e7089cd65712a9534c09ee8e6c2d3456621b9bb361a7b1ae5f1627f20bce
Instruction Fuzzy Hash: 1451C3B0414A59CFDBD1DF58D088B957BE4FB18704F5542EAA90CCB26ADB74C884CFA1

Function 02C5EDF0 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C5EE0F

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

Part of subcall function 02C5EA2C: _getptd.LIBCMT ref: 02C5EA36
Part of subcall function 02C5EA2C: _amsg_exit.LIBCMT ref: 02C5EAD3

Part of subcall function 02C5EAE8: GetOEMCP.KERNEL32 ref: 02C5EB12

Part of subcall function 02C5A7E0: malloc.LIBCMT ref: 02C5A80B
Part of subcall function 02C5A7E0: Sleep.KERNEL32 ref: 02C5A81E

free.LIBCMT ref: 02C5EE9A

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

_lock.LIBCMT ref: 02C5EECA
free.LIBCMT ref: 02C5EF6D
free.LIBCMT ref: 02C5EF99
_errno.LIBCMT ref: 02C5EF9E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: 2854a5756f7ba83f048a3981276ffac91aab162a3a0ca66450eb40d5492f030e
Instruction ID: b63a50c389be50d9e90e02b6e6bdba697dbf50c08f09918f47b144069b145010
Opcode Fuzzy Hash: 2854a5756f7ba83f048a3981276ffac91aab162a3a0ca66450eb40d5492f030e
Instruction Fuzzy Hash: AD412636200AA086E714DF25E44036EBBA6F7C4B98F544216DE9A47398CF7DC6C2CB48

Function 00007FF7F8DFF330 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8DFF34F

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

Part of subcall function 00007FF7F8DFEF6C: _getptd.LIBCMT ref: 00007FF7F8DFEF76
Part of subcall function 00007FF7F8DFEF6C: _amsg_exit.LIBCMT ref: 00007FF7F8DFF013

Part of subcall function 00007FF7F8DFF028: GetOEMCP.KERNEL32 ref: 00007FF7F8DFF052

Part of subcall function 00007FF7F8DFC020: malloc.LIBCMT ref: 00007FF7F8DFC04B
Part of subcall function 00007FF7F8DFC020: Sleep.KERNEL32(?,?,ceil,00007FF7F8DFD951,?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951,?,?,00000000,00007FF7F8DFBA08), ref: 00007FF7F8DFC05E

free.LIBCMT ref: 00007FF7F8DFF3DA

Part of subcall function 00007FF7F8DF9030: HeapFree.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9046
Part of subcall function 00007FF7F8DF9030: _errno.LIBCMT ref: 00007FF7F8DF9050
Part of subcall function 00007FF7F8DF9030: GetLastError.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9058

_lock.LIBCMT ref: 00007FF7F8DFF40A
free.LIBCMT ref: 00007FF7F8DFF4AD
free.LIBCMT ref: 00007FF7F8DFF4D9
_errno.LIBCMT ref: 00007FF7F8DFF4DE

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: de94af9eb20aff71365a2e79f7747a0a6ec5dd64a421ced7859fa65583d8f430
Instruction ID: 9d244d9cf3f3bf4fa15db17863086d993858848f6268082260a6be5450434769
Opcode Fuzzy Hash: de94af9eb20aff71365a2e79f7747a0a6ec5dd64a421ced7859fa65583d8f430
Instruction Fuzzy Hash: 1D51B522A0868241E754BB25944027DF7A1BF88B44F944136D97E573DECF3CE445F7A8

Function 02C41790 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 02C417C5
malloc.LIBCMT ref: 02C41831

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

free.LIBCMT ref: 02C4185A

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

Strings

d, xrefs: 02C418DB
d, xrefs: 02C418D1
d, xrefs: 02C41904

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocErrorFreeLast_callnewhfree
String ID: d$d$d
API String ID: 161857241-1898527202
Opcode ID: cfde20c8cbbf88260583b06dcbb63c88aa0b5bb1562ef053c57e5ef22d106b36
Instruction ID: 38121dfd1170cfcddec0be9d7ca82c892d6013c409fc93f6d7dacfb48685ee9e
Opcode Fuzzy Hash: cfde20c8cbbf88260583b06dcbb63c88aa0b5bb1562ef053c57e5ef22d106b36
Instruction Fuzzy Hash: AF41C472111B90C9E7418F65E94438E3BA9F748F88F59813ADB8C47758EFB9C494CB60

Function 00007FF7F8DF17C0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF7F8DF17F5
malloc.LIBCMT ref: 00007FF7F8DF1861

Part of subcall function 00007FF7F8DF9070: _FF_MSGBANNER.LIBCMT ref: 00007FF7F8DF90A0
Part of subcall function 00007FF7F8DF9070: HeapAlloc.KERNEL32(?,?,0001939100000000,00007FF7F8DFC050,?,?,ceil,00007FF7F8DFD951,?,?,?,00007FF7F8DFD9FB,?,?,00000000,00007FF7F8DFB951), ref: 00007FF7F8DF90C5
Part of subcall function 00007FF7F8DF9070: _callnewh.LIBCMT ref: 00007FF7F8DF90DE
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90E9
Part of subcall function 00007FF7F8DF9070: _errno.LIBCMT ref: 00007FF7F8DF90F4

free.LIBCMT ref: 00007FF7F8DF188A

Part of subcall function 00007FF7F8DF9030: HeapFree.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9046
Part of subcall function 00007FF7F8DF9030: _errno.LIBCMT ref: 00007FF7F8DF9050
Part of subcall function 00007FF7F8DF9030: GetLastError.KERNEL32(?,?,00000000,00007FF7F8DFBA1C,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DF9058

Strings

d, xrefs: 00007FF7F8DF1901
d, xrefs: 00007FF7F8DF1934
d, xrefs: 00007FF7F8DF190B

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocErrorFreeLast_callnewhfree
String ID: d$d$d
API String ID: 161857241-1898527202
Opcode ID: e9053c7a343c0b83d9d295b64127538e78e5f548f8b7e2bc9a1aaa569d59c23e
Instruction ID: f2b5ad29e2e4f5aac6a226148f48f5c20aa4e0dbeb3a8b201bf9bd3539dac5f0
Opcode Fuzzy Hash: e9053c7a343c0b83d9d295b64127538e78e5f548f8b7e2bc9a1aaa569d59c23e
Instruction Fuzzy Hash: D4414832515B91C5E7819F20E400399BBE8FB48F98F49813ADAAC07788DF78C458DBA4

Function 02B126A5 Relevance: 9.1, APIs: 6, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 02B126CC

Part of subcall function 02B0BC0D: _set_error_mode.LIBCMT ref: 02B0BC16
Part of subcall function 02B0BC0D: _set_error_mode.LIBCMT ref: 02B0BC25

Part of subcall function 02B0B9AD: _set_error_mode.LIBCMT ref: 02B0B9F2
Part of subcall function 02B0B9AD: _set_error_mode.LIBCMT ref: 02B0BA03

Part of subcall function 02B0A2B1: malloc.LIBCMT ref: 02B0A2DC

_errno.LIBCMT ref: 02B1270E
_lock.LIBCMT ref: 02B12722
free.LIBCMT ref: 02B12745
_errno.LIBCMT ref: 02B1274A

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _set_error_mode$_errno$_lockfreemalloc
String ID:
API String ID: 360200360-0
Opcode ID: 28551705450076a4a106e3a2148232d355b3dfe6427a5f876cea8b9f49252f81
Instruction ID: 189f9636b53e88d43c8e698786571ad5668b0388c354632b5af90b9abd6301da
Opcode Fuzzy Hash: 28551705450076a4a106e3a2148232d355b3dfe6427a5f876cea8b9f49252f81
Instruction Fuzzy Hash: 8C219330619A198FEB65BFA4D49476A77E1FF88314F9045B8980AC31E0DF789C41CF82

Function 02C623B0 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 02C623C9
WideCharToMultiByte.KERNEL32 ref: 02C62420
WideCharToMultiByte.KERNEL32 ref: 02C6245B
free.LIBCMT ref: 02C62468
FreeEnvironmentStringsW.KERNEL32 ref: 02C62473
FreeEnvironmentStringsW.KERNEL32 ref: 02C62481

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 5115370a6637f46d455a6b6ed31cd9b9a6bc26a856794a30b061c6b7729e81b1
Instruction ID: f689e453431b008f542f847a3687be4ce13b4abf4d755fb91f34b7d95b1eb268
Opcode Fuzzy Hash: 5115370a6637f46d455a6b6ed31cd9b9a6bc26a856794a30b061c6b7729e81b1
Instruction Fuzzy Hash: BA215C72609B8086DB249F62B48876EB7A5F788BC4F4C4028DE8A07F18EF38D151C745

Function 02C452F0 Relevance: 9.1, APIs: 6, Instructions: 66synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 02C4530C
ResetEvent.KERNEL32 ref: 02C45319
timeGetTime.WINMM ref: 02C4531F
WaitForSingleObject.KERNEL32 ref: 02C45373
ResetEvent.KERNEL32 ref: 02C45390

Part of subcall function 02C44D20: GetCurrentThreadId.KERNEL32 ref: 02C44D2D

ResetEvent.KERNEL32 ref: 02C453B7

Part of subcall function 02C5576C: _errno.LIBCMT ref: 02C55797
Part of subcall function 02C5576C: _invalid_parameter_noinfo.LIBCMT ref: 02C557A2

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: EventReset$CurrentObjectSingleThreadTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2543248268-0
Opcode ID: 492e06cf4619c2e6ba0829753654616a12db9333c9bbbb47ed89defe3f5a3c1e
Instruction ID: 2ffcfd8c1a9247152cc4f7beca2ed7467710d5fa79bf8cb7d89877c500b57fb9
Opcode Fuzzy Hash: 492e06cf4619c2e6ba0829753654616a12db9333c9bbbb47ed89defe3f5a3c1e
Instruction Fuzzy Hash: 5D212876204A9086EB51CF35F84836EB3A4FB88F98F585525DE4E97B68DF38C582C740

Function 00007FF7F8DF5350 Relevance: 9.1, APIs: 6, Instructions: 66synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF7F8DF536C
ResetEvent.KERNEL32 ref: 00007FF7F8DF5379
timeGetTime.WINMM ref: 00007FF7F8DF537F
WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF53D3
ResetEvent.KERNEL32 ref: 00007FF7F8DF53F0

Part of subcall function 00007FF7F8DF4D80: GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF4D8D

ResetEvent.KERNEL32 ref: 00007FF7F8DF5417

Part of subcall function 00007FF7F8DF94DC: _errno.LIBCMT ref: 00007FF7F8DF9507
Part of subcall function 00007FF7F8DF94DC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DF9512

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: EventReset$CurrentObjectSingleThreadTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2543248268-0
Opcode ID: c78a28b176580af9311e331f57aa8b083a8a6ec56fce78c484d13ed2a8b23dc4
Instruction ID: 13621b32d43d538188eaa1bbebad17f4fba83064f7a5d0daf05ab7d27b7665e8
Opcode Fuzzy Hash: c78a28b176580af9311e331f57aa8b083a8a6ec56fce78c484d13ed2a8b23dc4
Instruction Fuzzy Hash: 03217F36608A9186E740DF25EC4016DF3A4FF49B94F584531DE6D877A8CF38C485D7A4

Function 02C44D20 Relevance: 9.1, APIs: 6, Instructions: 57networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02C44D2D

Part of subcall function 02C44100: SwitchToThread.KERNEL32 ref: 02C4413E
Part of subcall function 02C44100: SetLastError.KERNEL32 ref: 02C44185

send.WS2_32 ref: 02C44D79
SetEvent.KERNEL32 ref: 02C44D97
WSACloseEvent.WS2_32 ref: 02C44DAB
shutdown.WS2_32 ref: 02C44DC4
closesocket.WS2_32 ref: 02C44DCE

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 779811758-0
Opcode ID: b4979450ec0c19de12122228c918dce67c8ffdc185b34bad9865e685935668f6
Instruction ID: 77fc770a3e1441d6f37327acb004ac71ec2b857fe09e6e83e995c281b3c622aa
Opcode Fuzzy Hash: b4979450ec0c19de12122228c918dce67c8ffdc185b34bad9865e685935668f6
Instruction Fuzzy Hash: C321063260064186EB249F39F85872E7361FBC4FA8F545325DE3A47A98DF34C485C740

Function 00007FF7F8DF4D80 Relevance: 9.1, APIs: 6, Instructions: 57networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF4D8D

Part of subcall function 00007FF7F8DF4160: SwitchToThread.KERNEL32(?,?,00000000,00007FF7F8DF4D9D), ref: 00007FF7F8DF419E
Part of subcall function 00007FF7F8DF4160: SetLastError.KERNEL32(?,?,00000000,00007FF7F8DF4D9D), ref: 00007FF7F8DF41E5

send.WS2_32 ref: 00007FF7F8DF4DD9
SetEvent.KERNEL32 ref: 00007FF7F8DF4DF7
WSACloseEvent.WS2_32 ref: 00007FF7F8DF4E0B
shutdown.WS2_32 ref: 00007FF7F8DF4E24
closesocket.WS2_32 ref: 00007FF7F8DF4E2E

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 779811758-0
Opcode ID: 2fa192ee69b06f1eeb25edd6ab0f4da1fe6a6614d325027052db3e123256aa8b
Instruction ID: 11da27fc881071a099b98ac9a266675e80e4e6433ce1760b63ce42265ae357d3
Opcode Fuzzy Hash: 2fa192ee69b06f1eeb25edd6ab0f4da1fe6a6614d325027052db3e123256aa8b
Instruction Fuzzy Hash: 29210331A0464282EB54BF25E850129F362FF88B64F944231DA3E476D9DE3CD889A7A4

Function 02C5DF0C Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02C5DF16
FlsGetValue.KERNEL32 ref: 02C5DF24
SetLastError.KERNEL32 ref: 02C5DF7C

Part of subcall function 02C5A860: Sleep.KERNEL32 ref: 02C5A8A5

FlsSetValue.KERNEL32 ref: 02C5DF50
free.LIBCMT ref: 02C5DF73

Part of subcall function 02C5DE54: _lock.LIBCMT ref: 02C5DEA8
Part of subcall function 02C5DE54: _lock.LIBCMT ref: 02C5DEC7

GetCurrentThreadId.KERNEL32 ref: 02C5DF64

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: ad1fb755669453110f52bd1be8a0bd03a16cf7015427440e3a7436090f7943d3
Instruction ID: 7928cae498c3ca831fcd4a1ab09db3c9fb8b608ed483a7dc94dd1756ca7b0777
Opcode Fuzzy Hash: ad1fb755669453110f52bd1be8a0bd03a16cf7015427440e3a7436090f7943d3
Instruction Fuzzy Hash: 1501672120470286FB059FA5E45C76C72A1BB88BA4F088338CD2703B94EF3CC445C624

Function 00007FF7F8DFB9B0 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFB9BA
FlsGetValue.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFB9C8
SetLastError.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFBA20

Part of subcall function 00007FF7F8DFC0A0: Sleep.KERNEL32(?,?,ceil,00007FF7F8DFB9E3,?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE), ref: 00007FF7F8DFC0E5

FlsSetValue.KERNEL32(?,?,?,00007FF7F8DF938D,?,?,?,?,00007FF7F8E04BEE,?,?,?,?,00007FF7F8E02ED1), ref: 00007FF7F8DFB9F4
free.LIBCMT ref: 00007FF7F8DFBA17

Part of subcall function 00007FF7F8DFB8F8: _lock.LIBCMT ref: 00007FF7F8DFB94C
Part of subcall function 00007FF7F8DFB8F8: _lock.LIBCMT ref: 00007FF7F8DFB96B

GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DFBA08

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 4213d91c3c88d15f51b7cb7809fe6c775b8414f6b8c9181202556ccbea47a494
Instruction ID: 38cb537b8113429278d919e4e20d0dec5c2886ce8a47fa6448d252c1a4a25db5
Opcode Fuzzy Hash: 4213d91c3c88d15f51b7cb7809fe6c775b8414f6b8c9181202556ccbea47a494
Instruction Fuzzy Hash: 99017520B09B4382FB547B76A845538E251AF8C750F984634C97E063D9EE3CE449B668

Function 02AF1411 Relevance: 9.0, APIs: 7, Instructions: 259COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02AF1480
free.LIBCMT ref: 02AF14D0
free.LIBCMT ref: 02AF1520
free.LIBCMT ref: 02AF1570
free.LIBCMT ref: 02AF159B
free.LIBCMT ref: 02AF15BC

Part of subcall function 02B04D51: _errno.LIBCMT ref: 02B04D71

free.LIBCMT ref: 02AF15FA

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 2bb762fc8d6a2aa6e0dae91371418eab7fad8568fe1f05a2c8ea6e1ff1f75f6a
Instruction ID: f9783bdd21d11fc4b55b41fb78d0499f60a162e0b48aed1e9d41502e598a6d95
Opcode Fuzzy Hash: 2bb762fc8d6a2aa6e0dae91371418eab7fad8568fe1f05a2c8ea6e1ff1f75f6a
Instruction Fuzzy Hash: CF914AB1506A49CFCB99EFACC0D4B29BBE0FF59304B14459DE14EDB222CB75A841CB51

Function 02B08FAD Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02B08FDE
_getptd.LIBCMT ref: 02B08FFC
_CallSETranslator.LIBCMT ref: 02B09044

Part of subcall function 02B07285: _getptd.LIBCMT ref: 02B072AC

Strings

RCC, xrefs: 02B0901A
MOC, xrefs: 02B09012

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC$RCC
API String ID: 3569367362-2084237596
Opcode ID: 06f64b386012e0fa286528623832c74f46424b3a0b49e4bb78a2cd9779033b58
Instruction ID: 5e7a0e6db1dc3a7b84acfcafafe9c48bf534cfd793f8f8b501319441795bbc6a
Opcode Fuzzy Hash: 06f64b386012e0fa286528623832c74f46424b3a0b49e4bb78a2cd9779033b58
Instruction Fuzzy Hash: 5561D230118F0A9FD765FF58C484BA6B7E1FB80714F604AAEC049C3596EBB4A591CB82

Function 00007FF7F8DF1970 Relevance: 8.9, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F8DF19DF
free.LIBCMT ref: 00007FF7F8DF1A2F
free.LIBCMT ref: 00007FF7F8DF1A7F
free.LIBCMT ref: 00007FF7F8DF1ACF
free.LIBCMT ref: 00007FF7F8DF1AFA
free.LIBCMT ref: 00007FF7F8DF1B1B
free.LIBCMT ref: 00007FF7F8DF1B59

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 39caf3c37a47655031c94e0de5774d4aa99865a29994b72ed535d303bf2608d5
Instruction ID: 000ab779071b2089ae49d05de2cf80be4944d5dee6decbb9a660eef711ae6f40
Opcode Fuzzy Hash: 39caf3c37a47655031c94e0de5774d4aa99865a29994b72ed535d303bf2608d5
Instruction Fuzzy Hash: 53713F72606B8181DB55AF69E0506ADF7A4EF58B80F989035CB6E03349CF38E455E368

Function 02C594DC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C5950D

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

_getptd.LIBCMT ref: 02C5952B
_CallSETranslator.LIBCMT ref: 02C59573

Part of subcall function 02C577B4: _getptd.LIBCMT ref: 02C577DB

Strings

MOC, xrefs: 02C59541
RCC, xrefs: 02C59549

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: af59dbc463a79ad219f14499a5ba5a340a132d3c24739908f5f8128250e8645e
Instruction ID: 0726801acec97c8d2b092fffbcb8a095236626700e9bf624d49c24919bfb406e
Opcode Fuzzy Hash: af59dbc463a79ad219f14499a5ba5a340a132d3c24739908f5f8128250e8645e
Instruction Fuzzy Hash: E5519D72604AE0D5CF20DB15E0907ADB3A1FBC1B88F494666DF9E47618DF78C299CB44

Function 00007FF7F8E03A50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8E03A81

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

_getptd.LIBCMT ref: 00007FF7F8E03A9F
_CallSETranslator.LIBCMT ref: 00007FF7F8E03AE7

Part of subcall function 00007FF7F8E01CB4: _getptd.LIBCMT ref: 00007FF7F8E01CDB

Strings

MOC, xrefs: 00007FF7F8E03AB5
RCC, xrefs: 00007FF7F8E03ABD

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: 71d4d7f3723b5425788edb4ff7159e0c2d35ca9445fe2397f069a4d9efb0fa2f
Instruction ID: dd27df37af83cb61966684dee5a4306002c5d29fe094a444afd47272ecd80b14
Opcode Fuzzy Hash: 71d4d7f3723b5425788edb4ff7159e0c2d35ca9445fe2397f069a4d9efb0fa2f
Instruction Fuzzy Hash: A6618D32A08A8295DB20EB05D4803A9F3A0FB94B88F844A36DB6E47699DF7CD151D764

Function 02C41940 Relevance: 8.9, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02C419AF
free.LIBCMT ref: 02C419FF
free.LIBCMT ref: 02C41A4F
free.LIBCMT ref: 02C41A9F
free.LIBCMT ref: 02C41ACA
free.LIBCMT ref: 02C41AEB
free.LIBCMT ref: 02C41B29

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b55e574dcef07286ea42fa4fc00e6fe334b5dcd76448c2a0d4ff0b76fb3ee2ea
Instruction ID: f2741a11ccad39090a0c619fd1495cfbdcb673d768605cc63f393975db4e2153
Opcode Fuzzy Hash: b55e574dcef07286ea42fa4fc00e6fe334b5dcd76448c2a0d4ff0b76fb3ee2ea
Instruction Fuzzy Hash: EA510336242B8485CB54DF5AE9803AEB365F758BC4F5C9012CB8E47710DF78E5A1C328

Function 02B07989 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02B079A5

Part of subcall function 02B12459: _errno.LIBCMT ref: 02B12462
Part of subcall function 02B12459: _invalid_parameter_noinfo.LIBCMT ref: 02B1246D

_errno.LIBCMT ref: 02B07A0E
_invalid_parameter_noinfo.LIBCMT ref: 02B07A19
_getbuf.LIBCMT ref: 02B07A4D

Strings

@, xrefs: 02B07A6A

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_getbuf
String ID: @
API String ID: 3036866907-2766056989
Opcode ID: a62dc664b4561913de13bcb02bd6d15c63cfabe7648b8378b28b5a7a84a82d76
Instruction ID: ad06b589da12697acad0ca3dfbd5e77b948c45c69336b99722debd29fb810f5c
Opcode Fuzzy Hash: a62dc664b4561913de13bcb02bd6d15c63cfabe7648b8378b28b5a7a84a82d76
Instruction Fuzzy Hash: 1A31B830128A484EDB1E9F2D88C9334FA91FB45329F7816D8DC76CA1E6DB34D586D680

Function 02C57EB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02C57ED4

Part of subcall function 02C62988: _errno.LIBCMT ref: 02C62991
Part of subcall function 02C62988: _invalid_parameter_noinfo.LIBCMT ref: 02C6299C

_errno.LIBCMT ref: 02C57F3D
_invalid_parameter_noinfo.LIBCMT ref: 02C57F48
_getbuf.LIBCMT ref: 02C57F7C

Strings

@, xrefs: 02C57F99

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_getbuf
String ID: @
API String ID: 3036866907-2766056989
Opcode ID: 92bb1f8a3983eb5cf48ea023ccb70438d663d5b0186222f9965649d0791287cf
Instruction ID: c7ebc37d6458296ebc39aab03cfc20028d9544acc11f8bdaabf1927d54d88352
Opcode Fuzzy Hash: 92bb1f8a3983eb5cf48ea023ccb70438d663d5b0186222f9965649d0791287cf
Instruction Fuzzy Hash: 3D31D863210B6485CF29CF38D484328B651E791BACF585305DE6A063E5CB79C6D9C399

Function 02C59055 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 02C590A8
_getptd.LIBCMT ref: 02C5905D

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

_getptd.LIBCMT ref: 02C5911F
_getptd.LIBCMT ref: 02C5912B

Strings

csm, xrefs: 02C590DF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: 553b0e037f61d14c01cc02cf9b2f8149e3dae0138a7a1939c678450fe90a323b
Instruction ID: d290296363ebff59fdb7379d7d2250f1e0006fe71bac21539dd8fd37a8072d6b
Opcode Fuzzy Hash: 553b0e037f61d14c01cc02cf9b2f8149e3dae0138a7a1939c678450fe90a323b
Instruction Fuzzy Hash: BA217A362046A1C7CB30DF12E44875EB361F788BA9F044226DF9A07B54CB3AD5C6DB98

Function 00007FF7F8E035C9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7F8E0361C
_getptd.LIBCMT ref: 00007FF7F8E035D1

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

_getptd.LIBCMT ref: 00007FF7F8E03693
_getptd.LIBCMT ref: 00007FF7F8E0369F

Strings

csm, xrefs: 00007FF7F8E03653

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: 9353493ea25706b6dc90e2ff27a29bc00a94e76970d53f38476d2ffead27e1f6
Instruction ID: 27edc80167fc9f32b92255eb4c7304d33c707432405b24effb6d3eb7be187d00
Opcode Fuzzy Hash: 9353493ea25706b6dc90e2ff27a29bc00a94e76970d53f38476d2ffead27e1f6
Instruction Fuzzy Hash: FF317C3690864182E770EB11A00426EF361FB98761F840636DEBE07BC5CF3DE886DB94

Function 02C4E6F1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 02C4E714
RegDeleteValueW.ADVAPI32 ref: 02C4E725
RegCloseKey.ADVAPI32 ref: 02C4E72F

Strings

IpDatespecial, xrefs: 02C4E71E
Console, xrefs: 02C4E6F8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: fe9ff08b8168959544f01ab8a0301821abe9536671df0fbfa079717db41a1f95
Instruction ID: 6ac58b361892e54530fd82614f56dfd696fbc305cd05089bedc164eee2294523
Opcode Fuzzy Hash: fe9ff08b8168959544f01ab8a0301821abe9536671df0fbfa079717db41a1f95
Instruction Fuzzy Hash: 1BF03A36719941C6FB609B65F808B8DB334F780BA8F000111CE5D13A58DF38C189C740

Function 02C65244 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02C652D7
__free_lconv_num.LIBCMT ref: 02C653AB
free.LIBCMT ref: 02C653B7
free.LIBCMT ref: 02C65466
free.LIBCMT ref: 02C65472

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$__free_lconv_num
String ID:
API String ID: 1547021563-0
Opcode ID: 3af7023e6504110db29df3efcdcc5bcf3b4445538e5297c523f39fa9476b72f6
Instruction ID: 6c627e4e8edc87b1cd3b267b03f7f941263cc815d7568fcd06c12652c1bcaf63
Opcode Fuzzy Hash: 3af7023e6504110db29df3efcdcc5bcf3b4445538e5297c523f39fa9476b72f6
Instruction Fuzzy Hash: 2D51A136305B848ADB64DF66E4847AA77A1F788BC4FA44526DF8E47714DF78C142CB40

Function 02B0B0C1 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B0B0E7
_invalid_parameter_noinfo.LIBCMT ref: 02B0B0F2
_getptd.LIBCMT ref: 02B0B0FE
_lock.LIBCMT ref: 02B0B137
_lock.LIBCMT ref: 02B0B1CA

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: cb3401b7405edd736d784c14bb35cdc20514f24c2d99efe4cf03950fa75836cc
Instruction ID: af101a5f3c0e3669eb3453653c422f5775f39c77c9b9b94901b3b979cef5652a
Opcode Fuzzy Hash: cb3401b7405edd736d784c14bb35cdc20514f24c2d99efe4cf03950fa75836cc
Instruction Fuzzy Hash: 8141D630618A098FE75AFF2898C1B7A3BD2FB98304F1445ADCC4EC72D5DF2498428B95

Function 02B0C109 Relevance: 7.6, APIs: 5, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02B0C126

Part of subcall function 02B12459: _errno.LIBCMT ref: 02B12462
Part of subcall function 02B12459: _invalid_parameter_noinfo.LIBCMT ref: 02B1246D

_errno.LIBCMT ref: 02B0C136
_errno.LIBCMT ref: 02B0C152
_isatty.LIBCMT ref: 02B0C1B3
_getbuf.LIBCMT ref: 02B0C1BF

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: b0bc0c9142d5973b4dcc80f3b9ad44c2a45490a3144f2f0b8ff6434852647ff4
Instruction ID: 12a221545888de2adf2197eb17014ce7fd900b4739a56f5ba3520a91f5b0bd00
Opcode Fuzzy Hash: b0bc0c9142d5973b4dcc80f3b9ad44c2a45490a3144f2f0b8ff6434852647ff4
Instruction Fuzzy Hash: 7141BB30214A088FCB5AAF6CC4D176A7FA1FB59310B5447DAD86ACB2DAD734C981CBC1

Function 02C5C638 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 02C5C655

Part of subcall function 02C62988: _errno.LIBCMT ref: 02C62991
Part of subcall function 02C62988: _invalid_parameter_noinfo.LIBCMT ref: 02C6299C

_errno.LIBCMT ref: 02C5C665
_errno.LIBCMT ref: 02C5C681
_isatty.LIBCMT ref: 02C5C6E2
_getbuf.LIBCMT ref: 02C5C6EE

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 954e8c99a8900c331c29789858b1bedd508e20dff7a8ac605596c6e7a6fc1fdf
Instruction ID: 539b6ee711e62d690dc4ed513276f04d06e836268e69eed8a0cfeb73b1f8e566
Opcode Fuzzy Hash: 954e8c99a8900c331c29789858b1bedd508e20dff7a8ac605596c6e7a6fc1fdf
Instruction Fuzzy Hash: 8E41CF72610B648ADB189F39C49032D76A0E7C4FA8F145216CE6A477D8EF78C7D1CB84

Function 00007FF7F8DFAA68 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 00007FF7F8DFAA85

Part of subcall function 00007FF7F8DFECC8: _errno.LIBCMT ref: 00007FF7F8DFECD1
Part of subcall function 00007FF7F8DFECC8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFECDC

_errno.LIBCMT ref: 00007FF7F8DFAA95
_errno.LIBCMT ref: 00007FF7F8DFAAB1
_isatty.LIBCMT ref: 00007FF7F8DFAB12
_getbuf.LIBCMT ref: 00007FF7F8DFAB1E

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 4f60cfe29fde747d4f6edf3b98704d3458481cfd96a237e93bfce69436bb82ae
Instruction ID: e21934b03af3069a22f7f2bd58eda9a55664198bb479098176f21a1333e9c34f
Opcode Fuzzy Hash: 4f60cfe29fde747d4f6edf3b98704d3458481cfd96a237e93bfce69436bb82ae
Instruction Fuzzy Hash: 7541D672A0860645E718AF29C042238F391EF88B98F944235DA7D073C9DE3CE859B7E4

Function 02C512F0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 02C5131F
SetLastError.KERNEL32 ref: 02C513B2

Strings

Main, xrefs: 02C51302

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: b2a94ced38afb3e22c07dba05b3cc46be14585edf82a77f9e8eff251cf469d4b
Instruction ID: 44efd2830f00aec93b4372f6332082881cd39e535aff7fa5091b8bab4dacc6e5
Opcode Fuzzy Hash: b2a94ced38afb3e22c07dba05b3cc46be14585edf82a77f9e8eff251cf469d4b
Instruction Fuzzy Hash: A0415B76704A60CBDB14CF15E45872D73A1F788B88F494129DF8D47B48DBB8E592CB48

Function 02C50CC0 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 02C50CFC
realloc.LIBCMT ref: 02C50D63

Part of subcall function 02C56FB8: malloc.LIBCMT ref: 02C56FD5

IsBadReadPtr.KERNEL32 ref: 02C50DE9
SetLastError.KERNEL32 ref: 02C50E0A
SetLastError.KERNEL32 ref: 02C50E28

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLastRead$mallocrealloc
String ID:
API String ID: 3638135368-0
Opcode ID: 10d6ceea749d552203bf34d92a345c17516fdb6c7073bfd954073bc12734bd9a
Instruction ID: 7d75235427d8099b4fa2e1fac196e05ace1efabf728fcba365ce4d9f9a9465df
Opcode Fuzzy Hash: 10d6ceea749d552203bf34d92a345c17516fdb6c7073bfd954073bc12734bd9a
Instruction Fuzzy Hash: 0A415D36205B94C7DB24CF16F8547AAB7A0FB88B98F484429DF8A47B14DF78E185C704

Function 02C5B5F0 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C5B616
_invalid_parameter_noinfo.LIBCMT ref: 02C5B621
_getptd.LIBCMT ref: 02C5B62D
_lock.LIBCMT ref: 02C5B666
_lock.LIBCMT ref: 02C5B6F9

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _lock$_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808128820-0
Opcode ID: 87a3bca82977cd9d54f1f39a71e6bafcd63422e4aa423f7f8be8756c9ddb47b7
Instruction ID: d776d72d9535efab67774a0c599331fe16cb698b0a460ea6033721046dcf103d
Opcode Fuzzy Hash: 87a3bca82977cd9d54f1f39a71e6bafcd63422e4aa423f7f8be8756c9ddb47b7
Instruction Fuzzy Hash: 2441C535205BA585FB08EB22D944B7E7792FB85BC8F044129CE4E07798DF78C581CB59

Function 02C63ED8 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 02C63F32
malloc.LIBCMT ref: 02C63F96
MultiByteToWideChar.KERNEL32 ref: 02C63FDE
GetStringTypeW.KERNEL32 ref: 02C63FF5
free.LIBCMT ref: 02C64009

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 82f0262a8cecbef224ca61b156e5a0f0d612a4380812b26c100bd67c1e5a9d7b
Instruction ID: abfe908f429489859bfdd645a01ca4cb7df15540ab1c40e0755598ce13519fca
Opcode Fuzzy Hash: 82f0262a8cecbef224ca61b156e5a0f0d612a4380812b26c100bd67c1e5a9d7b
Instruction Fuzzy Hash: 0031A272300B808ADB209F26D84476973A5FB88FF8F584266EE2D47BD4DF39C1418740

Function 00007FF7F8E008B0 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F8E00A6B), ref: 00007FF7F8E0090A
malloc.LIBCMT ref: 00007FF7F8E0096E
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7F8E00A6B), ref: 00007FF7F8E009B6
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,00007FF7F8E00A6B), ref: 00007FF7F8E009CD
free.LIBCMT ref: 00007FF7F8E009E1

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: e70f9f49b4bf10f7c9a397bbad2514da52a9a5bda9101d0c48d23cf0e55f0220
Instruction ID: 036ee910853bc08b93459291cf0127cfdf8d31c1c8eba368dcf37a0934fea711
Opcode Fuzzy Hash: e70f9f49b4bf10f7c9a397bbad2514da52a9a5bda9101d0c48d23cf0e55f0220
Instruction Fuzzy Hash: 95418622B04B8185FF10AF6598005A9E395FF84BA8F984635EE7E477D9DF3CD4019394

Function 02C4C6D0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 02C4C703

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

free.LIBCMT ref: 02C4C72B
CreateDIBSection.GDI32 ref: 02C4C797
free.LIBCMT ref: 02C4C7B6

Part of subcall function 02C4D020: GetObjectW.GDI32 ref: 02C4D052

free.LIBCMT ref: 02C4C7F6

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno$AllocCreateHeapObjectSection_callnewhmalloc
String ID:
API String ID: 2034203143-0
Opcode ID: 909639d14f8662df755ceb05cb6a705d2a69ecb05bda05ce9b7b934898073f82
Instruction ID: 8cc7586a2617f70e6037f4d565ef5d0a9a52c2f79f7649771954602e3579b2c5
Opcode Fuzzy Hash: 909639d14f8662df755ceb05cb6a705d2a69ecb05bda05ce9b7b934898073f82
Instruction Fuzzy Hash: D331543230579087DB259F22D44076BB6A5FB88BC8F4C8426DF4957B25EF78D251CB44

Function 02C448F0 Relevance: 7.6, APIs: 5, Instructions: 91networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 02C44924
SetLastError.KERNEL32 ref: 02C4495E
WSAGetLastError.WS2_32 ref: 02C449B2
WSASetLastError.WS2_32 ref: 02C44A08
GetLastError.KERNEL32 ref: 02C44A17

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: be8605be28e57c5448ca43f127e085b1cff2f5d855780fd9c761576df26d9ebe
Instruction ID: 26906d4966a3caf024df32c1d5cc2f28011b7763c7483575ffdfb59866cfa4c8
Opcode Fuzzy Hash: be8605be28e57c5448ca43f127e085b1cff2f5d855780fd9c761576df26d9ebe
Instruction Fuzzy Hash: 7A31A372304A80C6EB349F39E44835E37A5F789B98F645526CF1987B98DF39C584DB01

Function 00007FF7F8DF4950 Relevance: 7.6, APIs: 5, Instructions: 91networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF7F8DF4984
SetLastError.KERNEL32 ref: 00007FF7F8DF49BE
WSAGetLastError.WS2_32 ref: 00007FF7F8DF4A12
WSASetLastError.WS2_32 ref: 00007FF7F8DF4A68
GetLastError.KERNEL32 ref: 00007FF7F8DF4A77

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: e4f8957da8d65f30d38b13d09da8badb50e03e5984e11ac3259b2f877bd45eac
Instruction ID: 7639d7b5f127766544803782d7e2fc2e77acc218b91b180ee0950f2d85d137fc
Opcode Fuzzy Hash: e4f8957da8d65f30d38b13d09da8badb50e03e5984e11ac3259b2f877bd45eac
Instruction Fuzzy Hash: 3841B432B08A4185E750AF29E44436DF3A1EF49B98F944535CA3D836DCDF3DD488A7A8

Function 02C6CBF0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 02C6CC31
_exception_enabled.LIBCMT ref: 02C6CC54

Part of subcall function 02C6CB34: _set_statfp.LIBCMT ref: 02C6CB5B
Part of subcall function 02C6CB34: _set_statfp.LIBCMT ref: 02C6CBCE

_raise_exc.LIBCMT ref: 02C6CCA0
_ctrlfp.LIBCMT ref: 02C6CCE0
_ctrlfp.LIBCMT ref: 02C6CD11

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: 6d0b5b3ad2c709662f382e20db8cab413169064652d1349d93ce4c8a5f060bc7
Instruction ID: d404a26b2e712276ea566c94f1e15c744067b1d933cc3d3a353604c5637c3866
Opcode Fuzzy Hash: 6d0b5b3ad2c709662f382e20db8cab413169064652d1349d93ce4c8a5f060bc7
Instruction Fuzzy Hash: 1B318032614E848AD711DF25E88876FB772FBC9398F001216EE8A1BA18DF38C546DB00

Function 00007FF7F8E02DB8 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 00007FF7F8E02DF9
_exception_enabled.LIBCMT ref: 00007FF7F8E02E1C

Part of subcall function 00007FF7F8E02CFC: _set_statfp.LIBCMT ref: 00007FF7F8E02D23
Part of subcall function 00007FF7F8E02CFC: _set_statfp.LIBCMT ref: 00007FF7F8E02D96

_raise_exc.LIBCMT ref: 00007FF7F8E02E68
_ctrlfp.LIBCMT ref: 00007FF7F8E02EA8
_ctrlfp.LIBCMT ref: 00007FF7F8E02ED9

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: ec85eac3057d4a959c5fd9faad8141c4a2bc6fb97e23b1e6474f11119bd41e60
Instruction ID: 6f2e83bbeefa02f0341dd32f91aead8ac0f2154fff16b71a143de1fc28cc7855
Opcode Fuzzy Hash: ec85eac3057d4a959c5fd9faad8141c4a2bc6fb97e23b1e6474f11119bd41e60
Instruction Fuzzy Hash: 3631C732A18A8586E751EF24E4402ABF7B1FB85388F400635FE6E46A98DF3CD446DB44

Function 02C564A4 Relevance: 7.6, APIs: 5, Instructions: 80memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 02C564F6
GetSystemInfo.KERNEL32 ref: 02C5650D
SetThreadStackGuarantee.KERNEL32 ref: 02C5651F
VirtualAlloc.KERNEL32 ref: 02C56572
VirtualProtect.KERNEL32 ref: 02C5658C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: 1024e802668d761e8f9f1b2b79f1ec6faa9c774cb7cb2bbf6b7d463fff73795d
Instruction ID: 4d7f738fbcb070e3f3e24a5591176f1c334efc0a453db5be0556920d56220498
Opcode Fuzzy Hash: 1024e802668d761e8f9f1b2b79f1ec6faa9c774cb7cb2bbf6b7d463fff73795d
Instruction Fuzzy Hash: F7314D36350A959AEB24CF31E8547D933A8F748B88F98512ADE4A87B48DF38D685C740

Function 02B13011 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B1302A
__doserrno.LIBCMT ref: 02B130A7
_errno.LIBCMT ref: 02B130AE

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$__doserrno
String ID:
API String ID: 2614100947-0
Opcode ID: 3d5f5cb3f3e87b5f5a4fe1073c9aff760d558992757afad4ef30a6b939e44645
Instruction ID: d35338e321c7870ae8322c2697c1982b31ba7f3037eae2a724cb18eddee5269e
Opcode Fuzzy Hash: 3d5f5cb3f3e87b5f5a4fe1073c9aff760d558992757afad4ef30a6b939e44645
Instruction Fuzzy Hash: 2C21E730A086448FD725AF68E8D932D7AD1EB85314F9506DDD516C72D1EFB88880CB96

Function 02C558E4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 02C5590D
DecodePointer.KERNEL32 ref: 02C5591D
EncodePointer.KERNEL32 ref: 02C5599B

Part of subcall function 02C5A8E4: realloc.LIBCMT ref: 02C5A90F
Part of subcall function 02C5A8E4: Sleep.KERNEL32 ref: 02C5A92B

EncodePointer.KERNEL32 ref: 02C559AB
EncodePointer.KERNEL32 ref: 02C559B8

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleeprealloc
String ID:
API String ID: 1601076685-0
Opcode ID: 41bb2ee92579e29bb048e88261e2f5d15513c2e40ba12b19a60fef79da225d25
Instruction ID: 31839853e9185e8a4b5bc5ddeeff0a4ba394f2dbc7b6375a165e59660cbaa173
Opcode Fuzzy Hash: 41bb2ee92579e29bb048e88261e2f5d15513c2e40ba12b19a60fef79da225d25
Instruction Fuzzy Hash: 0421A125302B6481EA109F62F94835DB3A1F789BD5F84582ADE5E47B28EF7CC4C6C309

Function 00007FF7F8DF961C Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FF7F8DF9731,?,?,?,?,00007FF7F8DF91A3), ref: 00007FF7F8DF9645
DecodePointer.KERNEL32(?,?,00000000,00007FF7F8DF9731,?,?,?,?,00007FF7F8DF91A3), ref: 00007FF7F8DF9655

Part of subcall function 00007FF7F8DFC1B4: _errno.LIBCMT ref: 00007FF7F8DFC1BD
Part of subcall function 00007FF7F8DFC1B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFC1C8

EncodePointer.KERNEL32(?,?,00000000,00007FF7F8DF9731,?,?,?,?,00007FF7F8DF91A3), ref: 00007FF7F8DF96D3

Part of subcall function 00007FF7F8DFC124: realloc.LIBCMT ref: 00007FF7F8DFC14F
Part of subcall function 00007FF7F8DFC124: Sleep.KERNEL32(?,?,00000000,00007FF7F8DF96C3,?,?,00000000,00007FF7F8DF9731,?,?,?,?,00007FF7F8DF91A3), ref: 00007FF7F8DFC16B

EncodePointer.KERNEL32(?,?,00000000,00007FF7F8DF9731,?,?,?,?,00007FF7F8DF91A3), ref: 00007FF7F8DF96E3
EncodePointer.KERNEL32(?,?,00000000,00007FF7F8DF9731,?,?,?,?,00007FF7F8DF91A3), ref: 00007FF7F8DF96F0

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: ecada074d5a0a7123039d1954c0b31d342863ec9009fb92d5d2dea83d0352a09
Instruction ID: 08def028f106934c16faf148dab220e5760a27e7805ae01180af40114934d05f
Opcode Fuzzy Hash: ecada074d5a0a7123039d1954c0b31d342863ec9009fb92d5d2dea83d0352a09
Instruction Fuzzy Hash: F0217E21B09B5291EB00BB11E948079E291BF48BD5F844835D93E077ECEF3CE099E398

Function 02C4CF50 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 02C4CF98
SelectObject.GDI32 ref: 02C4CFA9
SetDIBColorTable.GDI32 ref: 02C4CFBF
SelectObject.GDI32 ref: 02C4CFD2
DeleteDC.GDI32 ref: 02C4CFF4

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ObjectSelect$ColorCompatibleCreateDeleteTable
String ID:
API String ID: 3899591553-0
Opcode ID: 25bca2b50bd8d51f8858a6c8eb88d856bb50887b8d04bad872bb72e688f53c5b
Instruction ID: 87f149b1661b3fac09b33a10f5b75ab9b9fc358bb11eae64af9373d5b9529cd6
Opcode Fuzzy Hash: 25bca2b50bd8d51f8858a6c8eb88d856bb50887b8d04bad872bb72e688f53c5b
Instruction Fuzzy Hash: E0119D35205A00C9EB14CF25F498B1E3364FB98F98F10A12ADE4B53B18CF3AC585C380

Function 02C4A740 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 02C4A762
malloc.LIBCMT ref: 02C4A770

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

GetCurrentProcessId.KERNEL32 ref: 02C4A7A7
free.LIBCMT ref: 02C4A7C3
CloseHandle.KERNEL32 ref: 02C4A7CB

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process_errno$AllocCloseCurrentHandleHeapOpen_callnewhfreemalloc
String ID:
API String ID: 1715275611-0
Opcode ID: 6199685c681e89abc964dfd2cc35e6f96c4d0bea44aa1d2d8b5656ebf405cfb4
Instruction ID: de26cf84b3ef28f7d8f68aaa3cbd2b5defcf5e43083306020cf51291a936ed9b
Opcode Fuzzy Hash: 6199685c681e89abc964dfd2cc35e6f96c4d0bea44aa1d2d8b5656ebf405cfb4
Instruction Fuzzy Hash: 11116D32744A4086EB609B16F824B5EB771F788BC4F884125DF9A07B59CF38D5818B40

Function 02B08495 Relevance: 7.5, APIs: 5, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B084AA
_invalid_parameter_noinfo.LIBCMT ref: 02B084B5
_freebuf.LIBCMT ref: 02B084CE
_fileno.LIBCMT ref: 02B084D6

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_fileno_freebuf_invalid_parameter_noinfo
String ID:
API String ID: 228234209-0
Opcode ID: f43d49cfcced33ca48b0956694c389fd8da178487179c29bcf048a6776a6e2be
Instruction ID: 3d4cb7b7e251ccd7a74491fd92ecca4405f55878adc45ac9f9a7301e5c59f9ee
Opcode Fuzzy Hash: f43d49cfcced33ca48b0956694c389fd8da178487179c29bcf048a6776a6e2be
Instruction Fuzzy Hash: D2018630614A094BDF5AAB7D44D433D29D2FB98339F5807EC8855C71D6DE78C941CB85

Function 02C45DC0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02C45DE5
EnterCriticalSection.KERNEL32 ref: 02C45DEF
LeaveCriticalSection.KERNEL32 ref: 02C45DFF
LeaveCriticalSection.KERNEL32 ref: 02C45E09

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 44c292e90eb37e2d7492bf557040c1a2ec22a7d7a39af7b405922077d069d486
Instruction ID: 9a36e372e5b3bebadaab67018081604826825f4f043f9fd3e84ab3216e936b6a
Opcode Fuzzy Hash: 44c292e90eb37e2d7492bf557040c1a2ec22a7d7a39af7b405922077d069d486
Instruction Fuzzy Hash: A9111C32624A8483EB649B62F8987AE7360F798795F841025DBDB43E60DF3CD5CAC700

Function 00007FF7F8DF5E10 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7F8DF4E7E,?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF5E35
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7F8DF4E7E,?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF5E3F
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7F8DF4E7E,?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF5E4F
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7F8DF4E7E,?,?,00000000,00007FF7F8DF4E44), ref: 00007FF7F8DF5E59

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: d0535108d2faffde62c4ad6e510cb9d391b63625fe126b8c96127d7e5368dc19
Instruction ID: 453c65e679cdfd378e335090ab884cd29339d48022adabf2aa5daf25b342eb42
Opcode Fuzzy Hash: d0535108d2faffde62c4ad6e510cb9d391b63625fe126b8c96127d7e5368dc19
Instruction Fuzzy Hash: C0116632A2495183EB90AB21F8443AAE360FF44750F845031DBAF42A94CF3CE88AD744

Function 02B17B6D Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02B17B76
_errno.LIBCMT ref: 02B17B7E

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e08fed2e94f443f408e55be9e8533d4e9701da3b5c4c3ef9c418aa34cc1ee15c
Instruction ID: 0c974154e0ab6e44354353fb403a4369dd5adc7646a60ed74249257bc755d472
Opcode Fuzzy Hash: e08fed2e94f443f408e55be9e8533d4e9701da3b5c4c3ef9c418aa34cc1ee15c
Instruction Fuzzy Hash: C6F062301249094FD72AAB64CCA476ABA91FF1532AFD686D8D00AC75E1DF784480CF61

Function 02C62514 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 02C6254B
GetCurrentProcessId.KERNEL32 ref: 02C62556
GetCurrentThreadId.KERNEL32 ref: 02C62562
GetTickCount.KERNEL32 ref: 02C6256E
QueryPerformanceCounter.KERNEL32 ref: 02C6257F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 97ad835b81cb6df91117922e019d69de1d0eaff2d601c02b2c415f9bb153aa1b
Instruction ID: 62db2287d5e965d06955d51e27abcddd659844e24de4b5bbb918ea23a162a6b8
Opcode Fuzzy Hash: 97ad835b81cb6df91117922e019d69de1d0eaff2d601c02b2c415f9bb153aa1b
Instruction Fuzzy Hash: 2401B121269B0582FB50CF21F89D7597360F749BA2F443625EE6F47BA0DB3CC9858700

Function 00007FF7F8DFD710 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F8DFD747
GetCurrentProcessId.KERNEL32 ref: 00007FF7F8DFD752
GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DFD75E
GetTickCount.KERNEL32 ref: 00007FF7F8DFD76A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F8DFD77B

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 98e16b1ec0ad293c89ca25142769c411a4e3d743e8d3f271fefc4cf6040d5f50
Instruction ID: b913d7345579e604113fb012c07696de111fb566f37c8d1fca941aa522a2b76f
Opcode Fuzzy Hash: 98e16b1ec0ad293c89ca25142769c411a4e3d743e8d3f271fefc4cf6040d5f50
Instruction Fuzzy Hash: A1016521718E0281E7809F21F840265E360FB49B91F842A30EEBF477E4DF3CD99593A4

Function 02C4C630 Relevance: 7.5, APIs: 5, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 02C4C66A
EnterCriticalSection.KERNEL32 ref: 02C4C677
EnterCriticalSection.KERNEL32 ref: 02C4C68C
GdiplusShutdown.GDIPLUS ref: 02C4C69E
LeaveCriticalSection.KERNEL32 ref: 02C4C6B2

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: d4542beb37d90f8ad3c0edd15d75e9a44333cb729b96ee7ae577a21e01d114c8
Instruction ID: 7ae568c0a2d456d1b09c402d476a6e886724884613e6a52397eb0d9ed61f2f86
Opcode Fuzzy Hash: d4542beb37d90f8ad3c0edd15d75e9a44333cb729b96ee7ae577a21e01d114c8
Instruction Fuzzy Hash: 1E11C931201B06C1FA289F65F85CBAD3374FB68B28F649219C56E43AB0DF39C196C750

Function 02C6809C Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 02C680A5
_errno.LIBCMT ref: 02C680AD

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: b090733ce00a7d6ef75ad3e43b7a98ae415e30c3fad73d63844ff4cd7894af6a
Instruction ID: 39092df20750b88ae13bf2b39eaf83d3b80cd4602fc7b0b4b972cb84b3998433
Opcode Fuzzy Hash: b090733ce00a7d6ef75ad3e43b7a98ae415e30c3fad73d63844ff4cd7894af6a
Instruction Fuzzy Hash: DDF0BBB2611A9485DE056B55CCCC33C76A29BA0B76F92C742CA3D0B3D0DF7D848ADB25

Function 00007FF7F8E000DC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF7F8E000E5
_errno.LIBCMT ref: 00007FF7F8E000ED

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: b2568e6a52513f616cc9bf7babecad4815ad7cdb92447009d9c431ea0fd75076
Instruction ID: 96ed88e81491e8b063f31edc9c6028c3d8afc8c0aed5759a9f7bcaeeaa852246
Opcode Fuzzy Hash: b2568e6a52513f616cc9bf7babecad4815ad7cdb92447009d9c431ea0fd75076
Instruction Fuzzy Hash: CC01AD62E0864684EF043B64888537CE1A19F94B3AFD24735D53E063DACF3C6445B2B8

Function 00007FF7F8DF59B0 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF59C0
WaitForSingleObject.KERNEL32 ref: 00007FF7F8DF59D0
Sleep.KERNEL32 ref: 00007FF7F8DF59DB
CloseHandle.KERNEL32 ref: 00007FF7F8DF59FA
CloseHandle.KERNEL32 ref: 00007FF7F8DF5A07

Part of subcall function 00007FF7F8DF4D80: GetCurrentThreadId.KERNEL32 ref: 00007FF7F8DF4D8D

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CurrentSleepThread
String ID:
API String ID: 570250148-0
Opcode ID: 892c36502c9aa2b1c275c7a3c19491e1c66a3c365f8122baa1cd80770b25c1c6
Instruction ID: 2139c6b82a22bc41b8db3bd590d659b34374f1a767f473b3b6cbd0b069aaf3a9
Opcode Fuzzy Hash: 892c36502c9aa2b1c275c7a3c19491e1c66a3c365f8122baa1cd80770b25c1c6
Instruction Fuzzy Hash: F0F03126A0498582F745AF31EC14138B320FB89F65F584630CD3F462D4CF389885A3A4

Function 02C44640 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 02C44678
WSAGetLastError.WS2_32 ref: 02C44686
WSAResetEvent.WS2_32 ref: 02C446C3

Strings

, xrefs: 02C4478C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: de254dcb7ccf77805dc610188d48849fc80be153bc30c80741740ae0a985eb5d
Instruction ID: 74524796b37da2379caef81cf3834331fc0e2636a84d5fe961f9b850fe86a5c4
Opcode Fuzzy Hash: de254dcb7ccf77805dc610188d48849fc80be153bc30c80741740ae0a985eb5d
Instruction Fuzzy Hash: BF414A7210478486E7388F2AD408B5E7BE2F7C5B9CF250119DE5987758EFB9CA46CB40

Function 00007FF7F8DF46A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF7F8DF46D8
WSAGetLastError.WS2_32(?,?,?,00007FF7F8DF455E), ref: 00007FF7F8DF46E6
WSAResetEvent.WS2_32(?,?,?,00007FF7F8DF455E), ref: 00007FF7F8DF4723

Strings

, xrefs: 00007FF7F8DF47EC

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: 828e8a55efaf8f4e93ed5acb76a083e09fbb0b5487182bc448ae793a037f2d46
Instruction ID: 85df59e7b82b2bf0b78dd382ce9afcf86d83bc784b2895d947961918f9ab278f
Opcode Fuzzy Hash: 828e8a55efaf8f4e93ed5acb76a083e09fbb0b5487182bc448ae793a037f2d46
Instruction Fuzzy Hash: 2451B33290868286E7209F25D404329F3E2EF88B58F950135DA7D472CCEF7DE848AB94

Function 02B08B26 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02B08B2E
_getptd.LIBCMT ref: 02B08BF0
_getptd.LIBCMT ref: 02B08BFC

Strings

csm, xrefs: 02B08BB0

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: f99e8c1cb84ec6d509ec4885998de6e49d4c04b99b6fcfd991d807847ab0c01c
Instruction ID: ff9af11a40ca9cf450fe20078de1282c05e354e54f7f1ea84e931d880c54d316
Opcode Fuzzy Hash: f99e8c1cb84ec6d509ec4885998de6e49d4c04b99b6fcfd991d807847ab0c01c
Instruction Fuzzy Hash: 23314F70118B048FCB39EF58D49176ABBE1FB58310F54069DD48A83692DB31F942CB86

Function 02C6A2F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 02C6A32B
_errno.LIBCMT ref: 02C6A335
_invalid_parameter_noinfo.LIBCMT ref: 02C6A33C

Strings

-, xrefs: 02C6A357

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 02bff1a59af1fa515b6cbdd793a19a9d5db4cd0daae80a934fe287ecd89124cf
Instruction ID: 2926b0ade76a852391941cd2f5f80c4cbc8feb181480e2d4dfe685169e121683
Opcode Fuzzy Hash: 02bff1a59af1fa515b6cbdd793a19a9d5db4cd0daae80a934fe287ecd89124cf
Instruction Fuzzy Hash: 9731092230468085DB219F26B88876EB761EB85BE4F144222DF8D17B94DF3DC545CB00

Function 00007FF7F8E02B0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 00007FF7F8E02B47
_errno.LIBCMT ref: 00007FF7F8E02B51
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E02B58

Strings

-, xrefs: 00007FF7F8E02B73

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 618538ce884b31deba6e1646cd0d9800068b1e888b6e4428242c9665014ee262
Instruction ID: ed52d8be4102d4d756322d16fc3f5be65be66eb7dffa0f09ee4e7d95a3b21f8f
Opcode Fuzzy Hash: 618538ce884b31deba6e1646cd0d9800068b1e888b6e4428242c9665014ee262
Instruction Fuzzy Hash: 02313B2270868241EB22AF21A44036AFBE0EF857D4F944531DEBE47BC9DE3CD405DB64

Function 02C6A708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C6A721
_invalid_parameter_noinfo.LIBCMT ref: 02C6A72D
_errno.LIBCMT ref: 02C6A754

Strings

1, xrefs: 02C6A7A3

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: 6b53c2dcc294edf9728eab1c0bef983e4baecdb5bea7ed18be76febd96b6e3f9
Instruction ID: 3df3675905682841d7b2504871a65a0faca01acb6d2d07c8caef5223c5384ef8
Opcode Fuzzy Hash: 6b53c2dcc294edf9728eab1c0bef983e4baecdb5bea7ed18be76febd96b6e3f9
Instruction Fuzzy Hash: 641129622197D096EB178F3994FC33C6A75EB95B84F89D061CB461B312DB2ECA81CB11

Function 00007FF7F8E0464C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8E04665
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E04671
_errno.LIBCMT ref: 00007FF7F8E04698

Strings

1, xrefs: 00007FF7F8E046E7

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: c24aa144a5a2c35a8fdb484c0746f0b94e6cfc09c221b34de806f61d68da000b
Instruction ID: bfda50c9db8c5f5202587e9a01ab95fea073673e61547a7ac9f52f45e46af454
Opcode Fuzzy Hash: c24aa144a5a2c35a8fdb484c0746f0b94e6cfc09c221b34de806f61d68da000b
Instruction Fuzzy Hash: 8321F412D1D2C285F716BB24A21423CDA909F4474CFC98831C67B062C7EE3EA808E7B4

Function 02C55378 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 02C55386
malloc.LIBCMT ref: 02C55392

Part of subcall function 02C552C0: _FF_MSGBANNER.LIBCMT ref: 02C552F0
Part of subcall function 02C552C0: HeapAlloc.KERNEL32 ref: 02C55315
Part of subcall function 02C552C0: _callnewh.LIBCMT ref: 02C5532E
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55339
Part of subcall function 02C552C0: _errno.LIBCMT ref: 02C55344

std::exception::exception.LIBCMT ref: 02C553FF

Strings

bad allocation, xrefs: 02C553CF

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 2789b863962101d94b643c399cf47e2269a7bf3f296a5f660e329cf77ed2a842
Instruction ID: c15d287d37bf6057934e8c8abdd24c434b23e8ac26b601478cb84e7af61bb0a6
Opcode Fuzzy Hash: 2789b863962101d94b643c399cf47e2269a7bf3f296a5f660e329cf77ed2a842
Instruction Fuzzy Hash: 33017C61215B2691FF24EF20F884B9D2365FB843C4FC844269D8E47A60EF7CC288DB04

Function 02C5BB0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 02C5BB1B
GetProcAddress.KERNEL32 ref: 02C5BB30

Strings

mscoree.dll, xrefs: 02C5BB14
CorExitProcess, xrefs: 02C5BB26

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 825098e7262f08d60cb7bdb3c3f67da28a0895d5aeadfa1fb81c8a544a304b7a
Instruction ID: 517c1aa02d1d9339b48516a57021fb431f1bd32b308607e0ecd3906e4a96e0a6
Opcode Fuzzy Hash: 825098e7262f08d60cb7bdb3c3f67da28a0895d5aeadfa1fb81c8a544a304b7a
Instruction Fuzzy Hash: B7D01710706A0082FE199BA0B88CB2C13505F88758F48102D881F06354EF68CBCA8700

Function 00007FF7F8DF9F20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF7F8DF9F69,?,?,00000028,00007FF7F8DF90B9,?,?,0001939100000000,00007FF7F8DFC050,?,?,ceil,00007FF7F8DFD951), ref: 00007FF7F8DF9F2F
GetProcAddress.KERNEL32(?,?,000000FF,00007FF7F8DF9F69,?,?,00000028,00007FF7F8DF90B9,?,?,0001939100000000,00007FF7F8DFC050,?,?,ceil,00007FF7F8DFD951), ref: 00007FF7F8DF9F44

Strings

mscoree.dll, xrefs: 00007FF7F8DF9F28
CorExitProcess, xrefs: 00007FF7F8DF9F3A

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8532fc609fad59ffe6e62cafeae73a037ed505a12b62afac9e0faec1dfd416e1
Instruction ID: fd0993e474bf30bd73b052e09afbd1fc64187a4a94210ad382e8461f088d60b4
Opcode Fuzzy Hash: 8532fc609fad59ffe6e62cafeae73a037ed505a12b62afac9e0faec1dfd416e1
Instruction Fuzzy Hash: 58E01210F29A12D2FF197B90AC58234E3906F4C711BC85839C43F463D5EE7CA948A3A8

Function 02C5ACA4 Relevance: 6.4, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 02C5A7E0: malloc.LIBCMT ref: 02C5A80B
Part of subcall function 02C5A7E0: Sleep.KERNEL32 ref: 02C5A81E

free.LIBCMT ref: 02C5ADD0
free.LIBCMT ref: 02C5ADEC

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$Sleepmalloc
String ID:
API String ID: 1995388493-0
Opcode ID: 937ab413b08246a84f5eda74101b413cfd46f5463a50d76eaf4660d41468c8d6
Instruction ID: 2003471786483bb1456f7d86a514a1ce4a9e91b05a402f0508d1b6a2f3f4031a
Opcode Fuzzy Hash: 937ab413b08246a84f5eda74101b413cfd46f5463a50d76eaf4660d41468c8d6
Instruction Fuzzy Hash: 3A417832301B9497DB15DF66E99035A33A4F788B94F844225DF8D47B10DF38E6A2CB48

Function 02C514A0 Relevance: 6.3, APIs: 5, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02C514E5
free.LIBCMT ref: 02C51525
free.LIBCMT ref: 02C51578
GetProcessHeap.KERNEL32 ref: 02C51585
HeapFree.KERNEL32 ref: 02C51593

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$Heap$FreeProcess
String ID:
API String ID: 3493288988-0
Opcode ID: 6c013b565ca14f6815c43c194a3a20116d2b7f974b210a047db512b5b65b0d71
Instruction ID: 4b194ed59f21dcd611c6cf407b271e62b5a92de917291a1bf5cf19805d0d15ac
Opcode Fuzzy Hash: 6c013b565ca14f6815c43c194a3a20116d2b7f974b210a047db512b5b65b0d71
Instruction Fuzzy Hash: 1A317626711A6087DB28DB66E54876D6360FB88FC4F889025DF4A03F04CF38D1A2CB44

Function 02B067A9 Relevance: 6.2, APIs: 4, Instructions: 220COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B067D8
_invalid_parameter_noinfo.LIBCMT ref: 02B067E3
iswctype.LIBCMT ref: 02B0681C
_errno.LIBCMT ref: 02B06946

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 48b5d1fb032df118254534afb501ea6332d357762480b1233715014adb78efda
Instruction ID: 549529b5866b91fa3b6a1d9de61836c3de87b0b664da620a25d0145760bc6fec
Opcode Fuzzy Hash: 48b5d1fb032df118254534afb501ea6332d357762480b1233715014adb78efda
Instruction Fuzzy Hash: 5B514971C047294AEB3E1A5998C13763BCDFB45364F2402EBDE92C75C0FB60E4624A9A

Function 02C56CD8 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C56D07
_invalid_parameter_noinfo.LIBCMT ref: 02C56D12
iswctype.LIBCMT ref: 02C56D4B
_errno.LIBCMT ref: 02C56E75

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 600b5e1a0884fd86083a6c40ec30f50f7914204e96c09ac3a2eb1a49d6991a14
Instruction ID: 7d6acd4c5ea56fcc84870f99d4a4494b951025d2b5555af222933cd7d33d9826
Opcode Fuzzy Hash: 600b5e1a0884fd86083a6c40ec30f50f7914204e96c09ac3a2eb1a49d6991a14
Instruction Fuzzy Hash: FB415863A015B044EF345A2BD84537F619EBBC0BA8FF54912CE9247280EBB9D6C1C31E

Function 00007FF7F8DFCD38 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8DFCD67
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DFCD72
iswctype.LIBCMT ref: 00007FF7F8DFCDAB
_errno.LIBCMT ref: 00007FF7F8DFCED5

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 94b972fa06678f78d860e6f5b723ba573def77772fbd1e0a4943df1ed3bb4a81
Instruction ID: dc2ae492185648e2f0099e2eae421ec7049f90fafbd591e42c6b7a237f70e9e5
Opcode Fuzzy Hash: 94b972fa06678f78d860e6f5b723ba573def77772fbd1e0a4943df1ed3bb4a81
Instruction Fuzzy Hash: 6451DF22D0817345FB743729A80137EE0C1AF48BE4F954131DE79424C9EE2CA8ADB6A9

Function 02C5C404 Relevance: 6.2, APIs: 4, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C5C452
_invalid_parameter_noinfo.LIBCMT ref: 02C5C45D
DecodePointer.KERNEL32 ref: 02C5C50C
_lock.LIBCMT ref: 02C5C537

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 7363268150c92f0dc87d915cd02ac402206b057223f311218893b197a08f2757
Instruction ID: 7bf8142e4772ee3e6bf5dba17811afbc482763c7972b81ce72b9163c12e53ed9
Opcode Fuzzy Hash: 7363268150c92f0dc87d915cd02ac402206b057223f311218893b197a08f2757
Instruction Fuzzy Hash: E351D072204B6086EB29CF65A88473A6762F7C4788F98811BDE9B43714CF78C7C1C609

Function 02B0873D Relevance: 6.2, APIs: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02B07045: _getptd.LIBCMT ref: 02B07049

_getptd.LIBCMT ref: 02B0877C
_SetImageBase.LIBCMT ref: 02B0884F
_getptd.LIBCMT ref: 02B0887D
_getptd.LIBCMT ref: 02B0888B

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 66b23e2ea7d051c300e668afda3cb2caa1ce51f53109746541cc28e20bde209e
Instruction ID: b521f144b828cf602069ff5a81ee6a57ee08249478aae9f438ab9652a4db968b
Opcode Fuzzy Hash: 66b23e2ea7d051c300e668afda3cb2caa1ce51f53109746541cc28e20bde209e
Instruction Fuzzy Hash: 55412B71114B044FD31ABB7CD8859B87AD2FB84314F6486EEC056C32E5EB34F9828A45

Function 02C6A080 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C55AD8: _getptd.LIBCMT ref: 02C55AEA

_errno.LIBCMT ref: 02C6A0BE
_invalid_parameter_noinfo.LIBCMT ref: 02C6A0C8
_errno.LIBCMT ref: 02C6A0EC
_invalid_parameter_noinfo.LIBCMT ref: 02C6A0F6

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: a1b2e992952563b09da4c9b68e1145a5c931054a8e89e35b43f293698d4bcdd3
Instruction ID: e7cba933d47de105a49fa7acdcf084c0290bc7f83c74726d7a58459404570bc2
Opcode Fuzzy Hash: a1b2e992952563b09da4c9b68e1145a5c931054a8e89e35b43f293698d4bcdd3
Instruction Fuzzy Hash: 8C41CF22218B90C6DB21DF25D9D827E7BA1F784BD0F548122DF8A57B64DB38C586CB04

Function 02B17FA9 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B17FC8
_invalid_parameter_noinfo.LIBCMT ref: 02B17FD4
_errno.LIBCMT ref: 02B17FFE
_errno.LIBCMT ref: 02B18060

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: ad50882e94ecf0e1b6f9d85136d38adbeace3bb9bfc4826b079521771091c6d8
Instruction ID: 21a0f0c61a57a1c6ce85f3aafe99dab4c06e1cc35ca6045d310b0465275c6af1
Opcode Fuzzy Hash: ad50882e94ecf0e1b6f9d85136d38adbeace3bb9bfc4826b079521771091c6d8
Instruction Fuzzy Hash: 71315C2061CECD4BE70D5A2C948C739BBC2FB66305FA842FED087C7693DE6188418751

Function 00007FF7F8E0289C Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DFABF8: _getptd.LIBCMT ref: 00007FF7F8DFAC0A

_errno.LIBCMT ref: 00007FF7F8E028DA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E028E4
_errno.LIBCMT ref: 00007FF7F8E02908
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8E02912

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 9ca92d5bb05e79156cbab85d98cd5049689c098bd46746ebc4bd1871a1c2f17d
Instruction ID: 2e6b017f658f760fc88b8a1aa7e186de073776bac68bb7f47c2c6926502c14a2
Opcode Fuzzy Hash: 9ca92d5bb05e79156cbab85d98cd5049689c098bd46746ebc4bd1871a1c2f17d
Instruction Fuzzy Hash: B0419122A0878586E752AB55C18426DFBA0EF44BD0F854131DB7E07BDACF3CE445E7A8

Function 02C58C6C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C57574: _getptd.LIBCMT ref: 02C57578

_getptd.LIBCMT ref: 02C58CAB

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

_SetImageBase.LIBCMT ref: 02C58D7E
_getptd.LIBCMT ref: 02C58DAC
_getptd.LIBCMT ref: 02C58DBA

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: a02dd388b7b7f0f696520ad480e8c452745dcea769bd20a0fc531c877679dfad
Instruction ID: 3ed664e632e8590c95556f6708f0f8ac806e2e745cefd99f6c377a8b3b552c1b
Opcode Fuzzy Hash: a02dd388b7b7f0f696520ad480e8c452745dcea769bd20a0fc531c877679dfad
Instruction Fuzzy Hash: 2231E332600A6285CE21EB16D48423DA7A2FF90FD8F598321CE1A437B0DB38C1C6DB09

Function 00007FF7F8E031FC Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F8E01A74: _getptd.LIBCMT ref: 00007FF7F8E01A78

_getptd.LIBCMT ref: 00007FF7F8E0323B

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

_SetImageBase.LIBCMT ref: 00007FF7F8E0330E
_getptd.LIBCMT ref: 00007FF7F8E0333C
_getptd.LIBCMT ref: 00007FF7F8E0334A

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: b5c06598e24a17d2af3d260348e39d1b732e80aecbaef9a16b5b1eba258a06ea
Instruction ID: 5319200fc63eedec29ae806981f45c77b6f7bc19b5ad79bbf53ad09f36533606
Opcode Fuzzy Hash: b5c06598e24a17d2af3d260348e39d1b732e80aecbaef9a16b5b1eba258a06ea
Instruction Fuzzy Hash: 81411822E0C64381EB20B715D4811BDE6A0AF55B98F958931DA3F473E2DF3CE542E2A4

Function 02B0523D Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B05268
_invalid_parameter_noinfo.LIBCMT ref: 02B05273
_getptd.LIBCMT ref: 02B05299
free.LIBCMT ref: 02B05304

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 4053972703-0
Opcode ID: b646e29ab2c53f8803bcd8bcad2b692ff3ac37afc93ff11cc83c8059a5de3bdc
Instruction ID: 1f939f981bc05111ca474a402e74f79ae342935c925966680cd10a16133ee56e
Opcode Fuzzy Hash: b646e29ab2c53f8803bcd8bcad2b692ff3ac37afc93ff11cc83c8059a5de3bdc
Instruction Fuzzy Hash: BA219530608F098FDB55FBA9989563A7BD1FB98310F40467ED45EC36A1DF60D8418F92

Function 00007FF7F8DF72A0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF7F8DF72CF
lstrlenW.KERNEL32 ref: 00007FF7F8DF72F0
lstrlenW.KERNEL32 ref: 00007FF7F8DF72FC

Strings

|p1:8.218.163.62|o1:6666|t1:1|p2:8.218.163.62|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 00007FF7F8DF72E6

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: lstrlen
String ID: |p1:8.218.163.62|o1:6666|t1:1|p2:8.218.163.62|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
API String ID: 1659193697-3768091544
Opcode ID: 32b2e33b096677a599e1476ba1b417f22cd16269792abd837077c77c15f759a6
Instruction ID: dcee9c3e238a06619cb6901e6d5821e036920b3a4f621ac1f1dfc4ad9d32a362
Opcode Fuzzy Hash: 32b2e33b096677a599e1476ba1b417f22cd16269792abd837077c77c15f759a6
Instruction Fuzzy Hash: 4C310625E0869695EB18EB11A8005FDF3E1FF8CB84B84C030DD3A063D9DE3CE545A398

Function 02C4A600 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 02C4A637
Process32FirstW.KERNEL32 ref: 02C4A6AF
Process32NextW.KERNEL32 ref: 02C4A6F0
CloseHandle.KERNEL32 ref: 02C4A70C

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9e68473edadeaf557d43ee5db64da582385d685932b15406e045d27e9c0fbed8
Instruction ID: 19f4b6d277d71687cd1fce8423552c401ceb5c6d32f47c8b4cdec109cd34366e
Opcode Fuzzy Hash: 9e68473edadeaf557d43ee5db64da582385d685932b15406e045d27e9c0fbed8
Instruction Fuzzy Hash: AC318336644B4082EF24CF2AE46836B77A1F7C9B98F558229DE5E43754DF39C145CB00

Function 02C684D8 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C684F7
_invalid_parameter_noinfo.LIBCMT ref: 02C68503
_errno.LIBCMT ref: 02C6852D
_errno.LIBCMT ref: 02C6858F

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: c5488cea8a7420608f6a60d82c2d4936388b921319a0c2fb7a5c91bb596e3c00
Instruction ID: 4524df15588d7e04d4e300d109bf7656a2ee5bee90726f0965352ab1c69965fc
Opcode Fuzzy Hash: c5488cea8a7420608f6a60d82c2d4936388b921319a0c2fb7a5c91bb596e3c00
Instruction Fuzzy Hash: E92168B27183D08AFB05CAB9D4E837D2B93D3A5384F488623DB4287742EB69C54DCB15

Function 02C447F0 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 02C4482E
WSAGetLastError.WS2_32 ref: 02C44839

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: 956be7d5d60204c7e3c068f76d48fbfab2fb49e91de88ae288d2e3ac1e2e7a30
Instruction ID: 56260cc9cecf36b4b19fef922242a073cebd3da078ecfed29fb315253a67dea4
Opcode Fuzzy Hash: 956be7d5d60204c7e3c068f76d48fbfab2fb49e91de88ae288d2e3ac1e2e7a30
Instruction Fuzzy Hash: 4A218EB361068087E710CF7AE44875E37A2FB88B98F641119CB19C7A94DF7AC4C6DB10

Function 00007FF7F8DF4850 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 00007FF7F8DF488E
WSAGetLastError.WS2_32 ref: 00007FF7F8DF4899

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: 0be878fb768bf08b0c5fb6e885e8fe2ab6ec24c45cef932c45ab1ad02d861857
Instruction ID: 9216afad0d6f0e86a2590e83c532ce50190344545728e9ad8b1bb057e7b736d2
Opcode Fuzzy Hash: 0be878fb768bf08b0c5fb6e885e8fe2ab6ec24c45cef932c45ab1ad02d861857
Instruction Fuzzy Hash: 7421D3B2A0054186E740EF35D44436CB3A1FF48B58F944134DA3D8B6D4DF79C88AEBA4

Function 02C45050 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 02C4506C
LeaveCriticalSection.KERNEL32 ref: 02C45085
LeaveCriticalSection.KERNEL32 ref: 02C45105
SetEvent.KERNEL32 ref: 02C45125

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 21dc35a79e7d153aa5f527a3c9f68bbfba85f83a73de9e7e0ee8fccda7220007
Instruction ID: 92b2d46f49d621d0ac8db3014df4026ad537fa902894e52f8ac83744884d0634
Opcode Fuzzy Hash: 21dc35a79e7d153aa5f527a3c9f68bbfba85f83a73de9e7e0ee8fccda7220007
Instruction Fuzzy Hash: E3211936314B8493D748CF26F5847AEB364F788B90F545129EBAA43B24DF38E9A1C740

Function 00007FF7F8DF50B0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7F8DF50CC
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF50E5
LeaveCriticalSection.KERNEL32 ref: 00007FF7F8DF5165
SetEvent.KERNEL32 ref: 00007FF7F8DF5185

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 03f9e94784ee446fcc446a6b9a97075121abf68d5be1871662565671ac975166
Instruction ID: 3fcc654035f8de1bbd4a157d6dbfebf54fc7af61d827b7bd13ea4c5607d58a41
Opcode Fuzzy Hash: 03f9e94784ee446fcc446a6b9a97075121abf68d5be1871662565671ac975166
Instruction Fuzzy Hash: 47213932704B8592D758DB16E9802A9F3A4FB48B80F548135EB7E43364CF38E8A5D784

Function 02C62A04 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 02C62A18

Part of subcall function 02C62CBC: _amsg_exit.LIBCMT ref: 02C62CE6

fclose.LIBCMT ref: 02C62A48
DeleteCriticalSection.KERNEL32 ref: 02C62A6C
free.LIBCMT ref: 02C62A7D

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 1af19892bbc03468291f82b11de21fd6e6f481048af7f94286d8aedfc065ae7b
Instruction ID: 1a388a022254261aa938b6695e0082438e79c97055891ca8c4d41a1f38971d4f
Opcode Fuzzy Hash: 1af19892bbc03468291f82b11de21fd6e6f481048af7f94286d8aedfc065ae7b
Instruction Fuzzy Hash: 13119E3655074086E7208B19E4D876DB361F7C4B88F649216DE9E43B75DF36C482D705

Function 02C5EA2C Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C5EA36

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

_lock.LIBCMT ref: 02C5EA64
free.LIBCMT ref: 02C5EA9A
_amsg_exit.LIBCMT ref: 02C5EAD3

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 5d29ed1caa0daea5f5dbfe864c41203751b69c3e2a73dd0d7e20f9917cc7433e
Instruction ID: a4199736f210340dc1e22c97cf1a5b4a7ecdb61d81ef2d2d82ca0a382f0a2d3c
Opcode Fuzzy Hash: 5d29ed1caa0daea5f5dbfe864c41203751b69c3e2a73dd0d7e20f9917cc7433e
Instruction Fuzzy Hash: D5117C36226B9086EB949B21E480B6D7762F788B84F4C4026EF1E03359DF38C690CB05

Function 02C5DE2C Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32 ref: 02C5DE3B
DeleteCriticalSection.KERNEL32 ref: 02C62B67
free.LIBCMT ref: 02C62B70
DeleteCriticalSection.KERNEL32 ref: 02C62B97

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 3824737ec1521a2d4d93bf8402f796ef870551e1c1bfc4249913134d5e986940
Instruction ID: dc977cefa27b31730dcad40f7e72cba90d2fa2a72d98cecafd9bdc4a2f7ce51a
Opcode Fuzzy Hash: 3824737ec1521a2d4d93bf8402f796ef870551e1c1bfc4249913134d5e986940
Instruction Fuzzy Hash: 88118232A05A41C6EB14DF25F88C72C7360F7C4BA4F585215DE9B06A64CB38C181CB02

Function 00007FF7F8E002E0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF7F8E002F4

Part of subcall function 00007FF7F8DFD9D8: _amsg_exit.LIBCMT ref: 00007FF7F8DFDA02

fclose.LIBCMT ref: 00007FF7F8E00324
DeleteCriticalSection.KERNEL32(?,?,?,?,?,00007FF7F8DFEBB3), ref: 00007FF7F8E00348
free.LIBCMT ref: 00007FF7F8E00359

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 78db43efc7c8f8b6f2111a7d5b2742e6ce96985b6946986547e2f26360c46e23
Instruction ID: a27a121a8089602908ae9b476793339cf1f3393b66c92756b77aa819c8c52877
Opcode Fuzzy Hash: 78db43efc7c8f8b6f2111a7d5b2742e6ce96985b6946986547e2f26360c46e23
Instruction Fuzzy Hash: FA116325908A4292EB10AB15E48037CF761FF84B54F904635DA7F473EACF3DE446E6A8

Function 00007FF7F8DFEF6C Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8DFEF76

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

_lock.LIBCMT ref: 00007FF7F8DFEFA4
free.LIBCMT ref: 00007FF7F8DFEFDA
_amsg_exit.LIBCMT ref: 00007FF7F8DFF013

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 7d7c657d20a7dd2b4e75e9e7dc412b9cbf1c6d67fe2fb29e532279fb9e9c9193
Instruction ID: b91e08b791b0da4955c42083934ea560dbc8d0aaf20ef48d317920fc2875849b
Opcode Fuzzy Hash: 7d7c657d20a7dd2b4e75e9e7dc412b9cbf1c6d67fe2fb29e532279fb9e9c9193
Instruction Fuzzy Hash: 54111522A1968285EB94AB11D441779F360FF48744F884435DA7E073DACF3CE458F7A9

Function 00007FF7F8DFB8D0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF7F8DFBC45,?,?,00000000,00007FF7F8DF9984), ref: 00007FF7F8DFB8DF
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFBC45), ref: 00007FF7F8DFD883
free.LIBCMT ref: 00007FF7F8DFD88C
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F8DFBC45), ref: 00007FF7F8DFD8B3

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: c67542cc3d2d698b88e45379a5442c15c18af80ec950ad7c34deb963a0871383
Instruction ID: e3edb920aa119d229ca72e7c79dca8b36b1dca060a85f1ccd918e939e3fa32ec
Opcode Fuzzy Hash: c67542cc3d2d698b88e45379a5442c15c18af80ec950ad7c34deb963a0871383
Instruction Fuzzy Hash: E9112131E09542C6F755AF11A844278E360EF49B64F984A30D6BE062E9CF3CD895E6E8

Function 02C556EC Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02C55721
ExitThread.KERNEL32 ref: 02C55729
GetCurrentThreadId.KERNEL32 ref: 02C55730
_freefls.LIBCMT ref: 02C55761

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: cbffd315a96faa497177c600e0cbd82371ea40a3f718517a673364916740c137
Instruction ID: 702954451fd8d899362391b301607d2d3e136cf3fc2a12107b4e954526a4e6c6
Opcode Fuzzy Hash: cbffd315a96faa497177c600e0cbd82371ea40a3f718517a673364916740c137
Instruction Fuzzy Hash: 88F01721711BA585EF14AFB2A44C72C22A6BB18BC8F984438CE4E87711EE79C8949719

Function 02C50030 Relevance: 6.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02C41510: HeapFree.KERNEL32 ref: 02C41556
Part of subcall function 02C41510: free.LIBCMT ref: 02C41582

HeapDestroy.KERNEL32 ref: 02C5004E
HeapCreate.KERNEL32 ref: 02C5005F
free.LIBCMT ref: 02C50071
HeapDestroy.KERNEL32 ref: 02C50094

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$Destroyfree$CreateFree
String ID:
API String ID: 3907340440-0
Opcode ID: c96b4cbec601b2cff9b4cd5d9c6a714dd82caa753ffdd010ae51052e50cdef96
Instruction ID: cf9a82518c9c5bc82ae1b14e8092bb845ff2d386c70d0e235dad1fb49e8e5f24
Opcode Fuzzy Hash: c96b4cbec601b2cff9b4cd5d9c6a714dd82caa753ffdd010ae51052e50cdef96
Instruction Fuzzy Hash: 57F01476212A8097EB489FA2E69472D3360FB88B84F04A419DF2A03E10DF34D4B08744

Function 00007FF7F8DF86F0 Relevance: 6.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F8DF1540: HeapFree.KERNEL32 ref: 00007FF7F8DF1586
Part of subcall function 00007FF7F8DF1540: free.LIBCMT ref: 00007FF7F8DF15B2

HeapDestroy.KERNEL32 ref: 00007FF7F8DF870E
HeapCreate.KERNEL32 ref: 00007FF7F8DF871F
free.LIBCMT ref: 00007FF7F8DF8731
HeapDestroy.KERNEL32 ref: 00007FF7F8DF8754

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$Destroyfree$CreateFree
String ID:
API String ID: 3907340440-0
Opcode ID: fcaa257793e5fadcfc70eac2341b6a548630f635855dc52f12f0612825e35ef9
Instruction ID: e8626cbbe71246cf65fc6b15448751cb1a4abf95addb8e26ff9d440a2a6049e2
Opcode Fuzzy Hash: fcaa257793e5fadcfc70eac2341b6a548630f635855dc52f12f0612825e35ef9
Instruction Fuzzy Hash: 81014F36715A4196EB44AF62D690128F374FF48780B409435DF3E03A94CF38E4B4A764

Function 02C5F2FC Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C5F302

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

_getptd.LIBCMT ref: 02C5F322
_lock.LIBCMT ref: 02C5F335
_amsg_exit.LIBCMT ref: 02C5F363

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 6302b35e9a68ce893cca802b5f5e7a01f98d2e1d4d6a3a5cf8f19790a7114949
Instruction ID: e1a74241fa86765506ff50e175cec23030868489db4e9e354bcc5c45cd3e60a5
Opcode Fuzzy Hash: 6302b35e9a68ce893cca802b5f5e7a01f98d2e1d4d6a3a5cf8f19790a7114949
Instruction Fuzzy Hash: C1F0F861612550C6FB1CAB61C894BBD2762EB89B48F0D027CDE4E0B794DF28C9C1EB19

Function 00007FF7F8DFF83C Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8DFF842

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

_getptd.LIBCMT ref: 00007FF7F8DFF862
_lock.LIBCMT ref: 00007FF7F8DFF875
_amsg_exit.LIBCMT ref: 00007FF7F8DFF8A3

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 41071648471df9d3322a353edf5a3ab4de664c8de62a61506e4f03b2c3d18dde
Instruction ID: 58f7040378d86d0baa5f864c773e55200eb971c4a1b4247c3fe43c4960c989c6
Opcode Fuzzy Hash: 41071648471df9d3322a353edf5a3ab4de664c8de62a61506e4f03b2c3d18dde
Instruction Fuzzy Hash: 61F06251A0A04281FB54BB519841BB8D260EF4C740FC80135D93D473DACF2CA449F3B8

Function 02B096D9 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02B096FD

Strings

csm, xrefs: 02B09834
csm, xrefs: 02B0972A

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 0df6008082723f72913e9ff3e2182e95254e93b920ee907ecb979fe633f15503
Instruction ID: 2abf2996a3a2ce6fcfdd584cf8cfd3d4d3c11c48a960b9eea5d1ed4808b75484
Opcode Fuzzy Hash: 0df6008082723f72913e9ff3e2182e95254e93b920ee907ecb979fe633f15503
Instruction Fuzzy Hash: 75519231608F088FCB6ADE2884C47297BD5FB48B54F5446ADD49EC7396D730E881CB86

Function 02C59C08 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C59C2C

Part of subcall function 02C5DF90: _amsg_exit.LIBCMT ref: 02C5DFA6

Strings

csm, xrefs: 02C59D63
csm, xrefs: 02C59C59

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 0ebafe53c79dd1dc7c4b2410e29de92a4e8939059e6c475d33d2247252ee921c
Instruction ID: 8ec788857c981922b10e721aacdfbcc248110a41fdbb6aa40ff31b3593307252
Opcode Fuzzy Hash: 0ebafe53c79dd1dc7c4b2410e29de92a4e8939059e6c475d33d2247252ee921c
Instruction Fuzzy Hash: 9E5116322047A0CACB34CF26D58476DB7A0F785BC8F488165DE8A47B54CB38E5E0DB89

Function 00007FF7F8E0417C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8E041A0

Part of subcall function 00007FF7F8DFBA34: _amsg_exit.LIBCMT ref: 00007FF7F8DFBA4A

Strings

csm, xrefs: 00007FF7F8E042D7
csm, xrefs: 00007FF7F8E041CD

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
Instruction ID: 25e6c8e651eafd9d76fd3ab9ea94ea7d18245df2be897cbf1af53aa54921d0d4
Opcode Fuzzy Hash: 101f134f4e12a7d59dd54e5d86992c5274962396a685041d1e783f31e629751d
Instruction Fuzzy Hash: 2B51C432A0824186EB60AF61914037DF6A4FB45B8CF844535DA7E47BC5CF3CE494EB99

Function 02C4DA44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 02C55378: malloc.LIBCMT ref: 02C55392

wsprintfW.USER32 ref: 02C4DA98
CloseHandle.KERNEL32 ref: 02C4DC0B

Strings

%s_bin, xrefs: 02C4DA8E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandlemallocwsprintf
String ID: %s_bin
API String ID: 2399101171-2665034546
Opcode ID: 8cd04662d7078cabdf984b15f4d60648459fd27a36f456a8367ae7b316583ac3
Instruction ID: 2747c85db140a9b3532286a4668414b40db7695a575ef1ebb7e0ccfac7dee288
Opcode Fuzzy Hash: 8cd04662d7078cabdf984b15f4d60648459fd27a36f456a8367ae7b316583ac3
Instruction Fuzzy Hash: BF41AA26714A6481EB24EF62E418B6E7369FBC5F98F448126CE1E07744DF39C284C705

Function 02B05001 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B04F82
_invalid_parameter_noinfo.LIBCMT ref: 02B04F8D

Strings

B, xrefs: 02B04FB2

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 97277b288e6e1178be426116e7f1b01626121072449bb72ff7d68c702eebc816
Instruction ID: 31c75d4948f6f58edaf86a2aaec65b1d2c2d67712bc7e2dacd68679af606ac4b
Opcode Fuzzy Hash: 97277b288e6e1178be426116e7f1b01626121072449bb72ff7d68c702eebc816
Instruction Fuzzy Hash: 7621C330218B488FC755EF6D84C461ABBE1FB98324F5047AEA55EC7291DF74D940CB82

Function 02B05F51 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02B05EFA
_invalid_parameter_noinfo.LIBCMT ref: 02B05F05

Strings

B, xrefs: 02B05F31

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: ec373591011a08efc2e4d5585c5127ff4a6d92287ffccaae23c44f6cffdad71c
Instruction ID: 81f4508c2c0d33e46f3a0c31da6faf4ceaeeedda3b6c07820c381cd29ee0f55a
Opcode Fuzzy Hash: ec373591011a08efc2e4d5585c5127ff4a6d92287ffccaae23c44f6cffdad71c
Instruction Fuzzy Hash: 0E118F30618B484FC754EF5CD485766BBD2FB98324F5047AEA059C32A0DF78D984CB82

Function 02C6D527 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 02C6D5EB

Strings

csm, xrefs: 02C6D5A7
csm, xrefs: 02C6D54E

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 008a1cef3fd956798f7d73ea4517d52a7d073b0e4720bf3f8ed94ca8c68e0db9
Instruction ID: 9bec07ae4eeff4319ebaa706d6b96bc5c37915bc62c213b4c1ec073f235a7a03
Opcode Fuzzy Hash: 008a1cef3fd956798f7d73ea4517d52a7d073b0e4720bf3f8ed94ca8c68e0db9
Instruction Fuzzy Hash: F92183B7600654CADB208F66C4887A83B75F398BADF8A1255EA4E0BF18CB75C5C1C784

Function 00007FF7F8E07323 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F8E073E7

Strings

csm, xrefs: 00007FF7F8E0734A
csm, xrefs: 00007FF7F8E073A3

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 2390259f5c7b96c66dbe66369981e250b2529a0f82c8583acd2dcf66a4ceee86
Instruction ID: 2b64c55bd32b36ed08610236f3e378694ea6353b016b4b143a218318fc611932
Opcode Fuzzy Hash: 2390259f5c7b96c66dbe66369981e250b2529a0f82c8583acd2dcf66a4ceee86
Instruction Fuzzy Hash: 51314F33504704CAEB609F65C44026C7B71F758B9CF861234EA5E0BB94CB79D890D798

Function 02C55530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C554B1
_invalid_parameter_noinfo.LIBCMT ref: 02C554BC

Strings

B, xrefs: 02C554E1

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: d9f8633fb066bb926e08558761ed9d779cc0cbf5af2a47bf39fdd692a1c5aced
Instruction ID: 83871d50e681a6bd8fba8a4ddaa16446fc754b05f5fd356d711f0813c4bc2c03
Opcode Fuzzy Hash: d9f8633fb066bb926e08558761ed9d779cc0cbf5af2a47bf39fdd692a1c5aced
Instruction Fuzzy Hash: 3B11307221479086DB209F16E440259B7A2F798BE4F984225EF9D57B54CF38C685CF08

Function 00007FF7F8DF92C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F8DF9245
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F8DF9250

Strings

B, xrefs: 00007FF7F8DF9275

Memory Dump Source

Source File: 00000000.00000002.4145760930.00007FF7F8DF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DF0000, based on PE: true

Associated: 00000000.00000002.4145742589.00007FF7F8DF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145785140.00007FF7F8E08000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145805218.00007FF7F8E0E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145823094.00007FF7F8E15000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f8df0000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 9b4439fc7c8faf101ecdfea0264f82894208d5a38c9186357c889f9d5f545f4f
Instruction ID: 50624e4646f7a727880d5586871a4e636d2af4ce231038575c3da44364630590
Opcode Fuzzy Hash: 9b4439fc7c8faf101ecdfea0264f82894208d5a38c9186357c889f9d5f545f4f
Instruction Fuzzy Hash: 44119372A0874196EB20AB15944426DF6A0FF8CB98FD44231EBBC07BDDCE3CD544AA54

Function 02C56480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 02C56429
_invalid_parameter_noinfo.LIBCMT ref: 02C56434

Strings

B, xrefs: 02C56460

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 0ab59116831bbe62dcdadced444a5e6377d12d240e7c680d2d1bd855e87776a3
Instruction ID: 6dbd8fa32445c7cd4993e4c45439ade9b281aa7c9a04d0747ac2ed9ff2d590a9
Opcode Fuzzy Hash: 0ab59116831bbe62dcdadced444a5e6377d12d240e7c680d2d1bd855e87776a3
Instruction Fuzzy Hash: 6D0180B2614B5486DB10DF12E4447A9B665F798FE4FA88321EF5C07B98CF38C285CB08

Function 02C6D627 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 02C579AC: _getptd.LIBCMT ref: 02C579B9
Part of subcall function 02C579AC: _getptd.LIBCMT ref: 02C579CC

_getptd.LIBCMT ref: 02C6D688
_getptd.LIBCMT ref: 02C6D69B

Strings

csm, xrefs: 02C6D647

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 433e7348067b57c19063a6e5e3819906beb9ca32c691c09114a4435d6686f511
Instruction ID: 021c60415ad8fb51fc0c13a6d38c0d43a52d70a2244bf62721453f1fb4ddce8e
Opcode Fuzzy Hash: 433e7348067b57c19063a6e5e3819906beb9ca32c691c09114a4435d6686f511
Instruction Fuzzy Hash: 35014F72641741C9CF30AF32E8843BC2375E799B59F490625CE0E0B618CB31C6C5DB55

Function 02AFC1A1 Relevance: 5.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 02AFC1D4

Part of subcall function 02B04D91: _FF_MSGBANNER.LIBCMT ref: 02B04DC1
Part of subcall function 02B04D91: _callnewh.LIBCMT ref: 02B04DFF
Part of subcall function 02B04D91: _errno.LIBCMT ref: 02B04E0A
Part of subcall function 02B04D91: _errno.LIBCMT ref: 02B04E15

free.LIBCMT ref: 02AFC1FC
free.LIBCMT ref: 02AFC287
free.LIBCMT ref: 02AFC2C7

Memory Dump Source

Source File: 00000000.00000002.4145270202.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2af0000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 05004e69f0d03603166f5012c8d6d757e19186f86f24b119b2e0ef74532bd915
Instruction ID: 516f0b42b5f1fc57f0014cae323d0200636d737f57019266f1e68c93ea5af704
Opcode Fuzzy Hash: 05004e69f0d03603166f5012c8d6d757e19186f86f24b119b2e0ef74532bd915
Instruction Fuzzy Hash: 7341E870618B0E4FD799EF9E84D1336B7D6FB58720F00456EAA9AC3211DF74E8068B85

Function 02C52F0C Relevance: 5.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 02C52F31

Part of subcall function 02C55280: HeapFree.KERNEL32 ref: 02C55296
Part of subcall function 02C55280: _errno.LIBCMT ref: 02C552A0
Part of subcall function 02C55280: GetLastError.KERNEL32 ref: 02C552A8

free.LIBCMT ref: 02C52F44
free.LIBCMT ref: 02C52F57
free.LIBCMT ref: 02C52F6A

Memory Dump Source

Source File: 00000000.00000002.4145314646.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true

Associated: 00000000.00000002.4145314646.0000000002C89000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c40000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: f0a32442132290b978abf0824dadd0382e9fcad70a2f2925c0411fa04f225afc
Instruction ID: 5254d0b9fe37aaaa648c06c9cba7cde3b1adfaaa5fadc423c3c0dd154bc472ff
Opcode Fuzzy Hash: f0a32442132290b978abf0824dadd0382e9fcad70a2f2925c0411fa04f225afc
Instruction Fuzzy Hash: 2DF0681261272048DF64DFA0D0A47391360DB94FBCF580714CE6609184CF39C4C0D799

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EpCAySF1G6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EpCAySF1G6.exePID: 5480, Parent PID: 2580

Windows Analysis Report
EpCAySF1G6.exe

Function 02C46790 Relevance: 73.8, APIs: 29, Strings: 13, Instructions: 324
stringnetworklibraryCOMMON

Function 02C515C0 Relevance: 59.8, APIs: 23, Strings: 11, Instructions: 301
sleepregistrysynchronizationCOMMON

Function 02C4EBE0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 302
windowCOMMON

Function 00007FF7F8DF6860 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 213
registrymemoryCOMMON

Function 02C43360 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 168
networkstringtimeCOMMON

Function 00007FF7F8DF3390 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 168
networkstringtimeCOMMON

Function 02C5FF94 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 292
timeCOMMONLIBRARYCODE

Function 02C474F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 199
stringregistrycomCOMMON

Function 02C47BF0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102
memoryCOMMON

Function 02C48A70 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Function 02C4F080 Relevance: 34.7, APIs: 23, Instructions: 201
memorywindowCOMMON

Function 02C4CC50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225
windowCOMMON

Function 02C47F70 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 117
memoryCOMMON

Function 02C4C830 Relevance: 27.3, APIs: 18, Instructions: 283
windowCOMMON

Function 02C472D0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 67
synchronizationsleepstringCOMMON